Samsung Smart Home flaws let hackers make keys to front door


Dan Goodin

Guest


Computer scientists have discovered vulnerabilities in Samsung's Smart Home automation system that allowed them to carry out a host of remote attacks, including digitally picking connected door locks from anywhere in the world.

The attack, one of several proof-of-concept exploits devised by researchers from the University of Michigan, worked against Samsung's SmartThings, one of the leading Internet of Things (IoT) platforms for connecting electronic locks, thermostats, ovens, and security systems in homes. The researchers said the attacks were made possible by two intrinsic design flaws in the SmartThings framework that aren't easily fixed. They went on to say that consumers should think twice before using the system to connect door locks and other security-critical components.

Continue reading on ArsTechnica
 
When will people learn that even though you want more things networked, you shouldn't be exposing them to the internet. Remote server connections, port forwarding and many other things just leave things exposed as it allows for communication. I've been talking about this flaw with smart home devices that before now there was no brand that wouldn't work without constant internet connection to some server.

Next time you want to "smart up" your home, have a good firewall such as a configurable one or even a UTM, don't port forward, don't use smart devices that require or create a connection to an external server, and use VPN whenever you want to access your stuff and make sure to secure your VPN. VPN needs to be hosted on your router and not some service or this.

This is quite bad for cars because some cars have constant internet connection to some server that makes them vulnerable and a non-variable locking mechanism that allows thieves to just listen for your car signal and just repeat it. If your car is as important as your money in the bank, it should receive the same amount of security a bank has. Cars don't even have the basic 2-way authentication that banks and SSL use.

Internet of things isn't a bad thing, it's just the greed of having things always connected to some external service always leaves you vulnerable and violated. At the very least get a configurable router and use my example firewall of an automated blacklist which is meant to detect hack attempts and also block them on the forward chain. You should also secure your LAN with layer 2 authentication as well such as RADIUS and defining your network so only the addresses you set can communicate. With the current state of consumer routers IoT is hopeless with routers hanging or crashing.

Of course Samsung doesn't learn, they want to get as much info on you as they can just for their market research. Same can be said for many other big companies.

Yet no matter how good I am with programming, networking and security, no one would bother to hire me.
 
VPNs need to become as commonplace as HTTPS IMHO. Anything that involves connecting back to home should be done through a VPN. Router manufacturers started to make some progress by adding VPN server support into home routers (and not just of the PPTP kind), next step would be to make it easier for someone to set up a VPN server, and configure a mobile device to connect to that server.

And I have more faith in the OpenVPN authors than I do in every router manufacturer's implementation of HTTP (or whatever other custom service they are exposing to the WAN).

Same would apply to anything else that needs WAN access, be it a home automation/security system or a NAS.
 
