Smart homes may not be all that smart, according to an in-depth analysis by a group of researchers at the University of Michigan and Microsoft, as reported by Wired. The researchers tested Samsung's SmartThings platform, which is used in hundreds of thousands of homes, based on the number of app downloads. By exploiting design flaws, they were able to gain access to connected devices, according to Wired.
Homeowners can be sent a phishing email designed to look like it's coming from SmartThings support; if they click the link and log in when asked, they give their information to a hacker, the publication said. Users can also be tricked into downloading malware masquerading as an app designed to keep track of the battery life of the devices on a SmartThings home network.
Once hackers have that information, they can disable vacation mode (a setting that turns lights on and off as if someone were at home), set off a smoke alarm, or find the PIN for a door lock and have it sent to them via text.
A survey of 22 people conducted by the researchers found that 77 percent would be interested in downloading the battery monitor app, the Wired report said.
SmartThings has been working with the researchers to rectify the problems. However, it doesn't consider the threats to be all that severe. "Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication," said SmartThings in a statement to the publication.
The researchers don't think the problem is fixed, according to Wired. The study contended that the bigger issue is "overprivilege," meaning that apps have more access and capabilities than they need. The analysis of 499 SmartThings apps found that more than half had so-called overbroad privilege and 68 had capabilities that they weren't meant to have.
Despite their findings, the researchers aren't advocating for the discontinuation of smart devices.
"As a homeowner thinking of deploying them, you should consider the worst-case scenario, where a remote hacker has the same capabilities you do, and see if those risks are acceptable," said researcher Atul Prakash to Wired.