Computer scientists have discovered vulnerabilities in Samsung's Smart Home automation system that allowed them to carry out a host of remote attacks, including digitally picking connected door locks from anywhere in the world.

The attack, one of several proof-of-concept exploits devised by researchers from the University of Michigan, worked against Samsung's SmartThings, one of the leading Internet of Things (IoT) platforms for connecting electronic locks, thermostats, ovens, and security systems in homes. The researchers said the attacks were made possible by two intrinsic design flaws in the SmartThings framework that aren't easily fixed. They went on to say that consumers should think twice before using the system to connect door locks and other security-critical components.

"All of the above attacks expose a household to significant harm—break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper scheduled to be presented later this month at the 2016 IEEE Symposium on Security and Privacy. "The attack vectors are not specific to a particular device and are broadly applicable."

Other attacks included a malicious app that was able to obtain the PIN code to a smart lock and send it in a text message to attackers, disable a preprogrammed vacation mode setting, and issue a fake fire alarm. The one posing the biggest threat was the remote lock-picking attack, which the researchers referred to as a "backdoor pin code injection attack." It exploited vulnerabilities in an existing app in the SmartThings app store that gives an attacker sustained and largely surreptitious access to users' homes.

The attack worked by obtaining the OAuth token that the app and SmartThings platform relied on to authenticate legitimate users. The only interaction it required was for targeted users to click on an attacker-supplied HTTPS link that looked much like this one that led to the authentic SmartThings login page. The user would then enter the username and password. A flaw in the app allowed the link to redirect the credentials away from the SmartThings page to an attacker-controlled address. From then on, the attackers had the same remote access over the lock that users had.

Like most of the other attacks, it was made possible by a design flaw in the SmartThings capability model that causes apps to receive privileges that were never explicitly requested. As a result, many apps are "overprivileged," often through no fault of the developer. A separate flaw in the way OAuth was implemented in the SmartThings app, which was written in the Groovy programming language, allowed the researchers to inject code that performed the redirection.

"This SmartApp, was only written with the intention of locking and unlocking door locks," Earlence Fernandes, a PhD student who co-wrote the paper, said in an e-mail. "However, due to overprivilege and due to being written in Groovy, we could send some instructions to get it to program a new PIN code into the door lock, giving us sustained access to the home. We were able to make it so that the redirection comes to a domain controlled by us. We reverse engineered the binary of the companion Android app of the third party developer, and retrieved the client_id and client_secret. At this point, we had everything we need[ed] to get our own OAuth token."

The researchers said 55 percent of the 499 SmartApps available during the time of their research qualified as being overprivileged, meaning they didn't use at least some of the device rights that were requested. The researchers further found that 42 percent of apps were granted privileges they never asked for. Such overly broad permissions violate a core security tenet known as the least privilege principle, which calls for apps and processes to be granted as minimal a level of access as needed to perform their specified tasks.

The researchers said they uncovered a second design flaw in the SmartThings framework that in many cases allowed unprivileged apps to read and even spoof commands running on a device. They exploited the weakness by creating a proof-of-concept app that requested only privileges to monitor the battery reserves of a given device. Behind the scenes, however, the app was able to snoop on the lock codes as they were being programmed into a device. The malicious app then sent the codes to an attacker in a text message.

In a statement, SmartThings officials wrote:

Protecting our customers’ privacy and data security is fundamental to everything we do at SmartThings. We are fully aware of the University of Michigan/Microsoft Research report and have been working with the authors of the report for the past several weeks on ways that we can continue to make the smart home more secure as the industry grows. The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios - the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure. Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp. As an open platform with a growing and active developer community, SmartThings provides detailed guidelines on how to keep all code secure and determine what is a trusted source. If code is downloaded from an untrusted source, this can present a potential risk just like when a PC user installs software from an unknown third party website, there's a risk that software may contain malicious code. Following this report, we have updated our documented best practices to provide even better security guidance to developers.

Update: In this post, SmartThings officials also said the OAuth mechanism has recently been fixed

There are a few reasons to doubt the assurances. First, they make no mention of either of the underlying design flaws identified by the researchers. And second, they gloss over the fact that at least one app that passed review and was available in the SmartApps store already made attacks feasible. According to the researchers, the design of the SmartThings framework was a key contributor to that threat. So far, Samsung has provided no details on plans to fix it.