The Issue of Security
Last spring, a doctoral student at the University of Michigan named Earlence Fernandes exposed a series of design vulnerabilities in Samsung’s popular SmartThings platform. His team demonstrated that it could trigger fire alarms, disable vacation-mode settings, and, worse, retrieve PIN codes for connected door locks, allowing unforced access. This after news of breached baby cams, thermostats, and garage-door openers. No wonder 71 percent of consumers surveyed by Icontrol Networks said getting hacked is their No. 1 concern about smart homes.
Yet such attacks are rare. And the tech is here to stay—IT research firm Gartner, for one, predicts that a typical home might have 500 smart devices by 2022. Which is to say, the smart play is to learn how to make the most of it. Luckily, we’re here to help.
Q&A with white-hat hacker Earlence Fernandes:
Q: Why did you pick on SmartThings?
A: It had support for 132 devices and more than 500 apps in its app store at the time. The idea was, the lessons we learn from this relatively mature platform could be applied to more nascent systems, too.
Q: What did their developers miss?
A: There’s this thing called overprivilege. It means that third-party apps get more privilege to devices than they ask for or need.
Q: How did your research exploit that?
A: We wrote a malware app that reads battery levels of smart-home devices. Using just this battery permission, our app can also secretly listen to PIN codes from an existing app as the user programs them for a connected door lock.
Q: It’s incredible that this was possible.
A: I think it comes down to a functionality-versus-security trade-off. Now, when users install an app, SmartThings asks if they want to give the app access to a device or not. That seems more usable than saying, “This app wants to unlock the door or do this specific function.” I think they’re taking the more usable approach. This tension is what we see again and again and again in computer security.
Q: So you won’t be installing a smart lock?
A: I have my old-fashioned keys, thank you very much.
Q: What do you think of the smart home?
A: We were trying to raise awareness of what can go wrong. But I think it’s exciting technology and it has a lot of potential for benefits.