SecurityAnalysisofEmergingSmartHomeApplications

EarlenceFernandes,Jaeyeon Jung,Atul Prakash

IEEESecurityandPrivacy24May2016

2

COSensors ConnectedOvens

SmartTVs

SmartPlugsIPCameras

SmartDoorLocks

EmergingSmartHomeFrameworks

Potential SecurityRisks

3

Flooding[1]RemotelydetermineprimetimeforBurglary[1,2]

OR

[1]Denningetal.,ComputerSecurityandtheModernHome,CACM’13[2]FTCInternetofThingsReport’15

Devices Protocols

Current Vulnerabilities

Theseattacksaredevice-specific,andrequireproximity tothehome

4

Inwhatwaysaretheseemerging,programmablesmarthomesvulnerabletoattacks,and

whatdothoseattacksentail?

AnalysisofSmartThings

• WhySmartThings?• RelativelyMature(2012)• 521SmartApps• 132devicetypes• Sharesdesignprincipleswithotherexisting,nascentframeworks

5

AccessControl

Trigger-ActionProgramming

• Methodology• Examinesecurityfrom5perspectivesbyconstructingtestappstoexerciseSmartThingsAPI• Empiricalanalysisof499appstodeterminesecurityissueprevalence• Proofofconceptattacksthatcomposesecurityflaws

AnalysisofSmartThings– ResultsOverview

6

SecurityAnalysisArea FindingOverprivilege inApps TwoTypesofAutomaticOverprivilegeEventSystemSecurity EventSnoopingandSpoofing

Third-partyIntegration Safety IncorrectOAuth CanLeadtoAttacksExternal InputSanitization GroovyCommandInjection Attacks

APIAccessControl NoAccessControlaroundSMS/InternetAPI

EmpiricalAnalysisof499Apps >40%ofappsexhibitoverprivilege ofatleast onetype

ProofofConceptAttacks Pincode InjectionandSnooping,DisablingVacationMode,FakeFireAlarms

SmartThingsPrimer

7

WiFi

ZWave

SmartThingsCompanionApp

Configure

Control

SmartThingsCloudPlatform

SmartAppSmartDevice

Groovy-BasedSandbox

Groovy-BasedSandbox

CapabilitySystem

[Cmd/Attr][Events]

HTTPSGET/PUT

InternetAPISMSAPI

CapabilitySystem

8

UntrustedSmartApp

ZWave LockSmartDevice

capability.lockcapability.lockCodescapability.battery…

Sendcommands

Read/setattributesReceiveevents

Capability Commands Attributes

capability.lock lock(),unlock() lock(lock status)

capability.battery N/A battery (batterystatus)

UsabilitySimplerCoarserCapabilities

SecurityVeryGranularCapabilities

EaseofDevelopmentExpressiveFunctionality

SmartApps requestCapabilities

9DeviceEnumeration

definition(name:“DemoApp”,namespace:“com.testing”,category:“Utility”)

//querytheuserforcapabilitiespreferences {section(“Battery-PoweredDevices”){input “dev”,“capability.battery”,title:“Selectbatterypowereddevicesyouwishtoauthorize”,multiple:true

}}

…

10ZWave

WiFi

SmartThingsCompanionApp

Configure

Control

SmartThingsCloudPlatform

SmartAppSmartDevice

Groovy-BasedSandbox

Groovy-BasedSandbox

CapabilitySystem

[Cmd/Attr][Events]

HTTPSGET/PUT

InternetAPISMSAPI

OverprivilegeinSmartApps

OverprivilegeinSmartApps

11

Coarse-GrainedCapabilities CoarseSmartApp-SmartDevice BindingSmartApp

input“dev”,“capability.battery”

SmartDevice1[ZWave Lock]

capability.batterycapability.lock

capability.refresh

SmartDevice2[SmokeSensor]

capability.batterycapability.smokecapability.refresh

PhysicalLock PhysicalSmokeSensor

• “Auto-lock”appfromappstore

• Onlyneeds“lock”command,butcanalsoissue“unlock”

OverprivilegeIncreasesAttackSurfaceoftheHome

12ZWave

WiFi

SmartThingsCompanionApp

Configure

Control

SmartThingsCloudPlatform

SmartAppSmartDevice

CapabilitySystem

[Cmd/Attr][Events]

HTTPSGET/PUT

InternetAPISMSAPI

InsufficientEventDataProtection

Groovy-BasedSandbox

Groovy-BasedSandbox

InsufficientEventDataProtection

13

SmartApp ZWave DoorLock71c9344e-6bea-4ae8-993a-28a7817a7d9e

subscribedev,“door.unlock”,handler

handler(EventData:{unlocked,time:9AM})

• OnceaSmartApp gainsany capabilityforadevice,itcansubscribetoanyevent thatdevicegenerates

• IfaSmartApp acquiresthe128-bitID,thenitcanmonitoralleventsofthatdevicewithout gaininganyofthecapabilitiesthedevicesupports

• Usingthe128-bitID,aSmartApp canspoofphysicaldeviceevents

InsufficientEventDataProtection

14

SmartApp ZWave DoorLock71c9344e-6bea-4ae8-993a-28a7817a7d9e

subscribedev,“door.unlock”,handler

handler(EventData:{unlocked,time:9AM})

• Canleadtoleakage ofconfidentialinformation

• SpoofedEvents canleadtoApps/Devicestakingincorrect actions

15

SmartThingsCloudPlatform

SmartAppSmartDevice

CapabilitySystem

[Cmd/Attr][Events]

HTTPSGET/PUT

InternetAPISMSAPI

OtherPotentialSecurityIssues- OAuth

[1]Chenetal.,OAuthDemystifiedforMobileApplicationDevelopers,CCS’14

• InsecurityofThird-PartyIntegration:SmartApps exposeHTTPendpointsprotectedbyOAuth;Incorrectimplementation canleadtoremoteattacks[1]

Groovy-BasedSandbox

Groovy-BasedSandbox

16

SmartThingsCloudPlatform

SmartAppSmartDevice

CapabilitySystem

[Cmd/Attr][Events]

HTTPSGET/PUT

InternetAPISMSAPI

OtherPotentialSecurityIssues- OAuth

• UnsafeuseofGroovyDynamicMethodInvocation:Appscanbetricked intoperformingunintendedactions

def foo(){…}def str =“foo”“$str”()

Groovy-BasedSandbox

Groovy-BasedSandbox

17

SmartThingsCloudPlatform

SmartAppSmartDevice

CapabilitySystem

[Cmd/Attr][Events]

HTTPSGET/PUT

InternetAPISMSAPI

OtherPotentialSecurityIssues– UnrestrictedExternalCommunicationAPIs

• UnrestrictedCommunicationAbilities:SMSandInternet;Canbeusedtoleakdataarbitrarily

Groovy-BasedSandbox

Groovy-BasedSandbox

RequestedCmds/Attrs

ComputingOverprivilege

18

Coarse-GrainedCapabilities CoarseSmartApp-SmartDevice Binding

UsedCmds/Attrs

GrantedCapabilities

UsedCapabilities

MeasuringOverprivilegeinSmartApps

19

• Incompletecapabilitydetails(commands/attributes)

• SmartThingsisclosedsource;can’tdoinstrumentation

• Groovyisextremelydynamic;Bytecodeusesreflection(GroovyMetaObjectProtocol)

• DiscoveredanunpublishedRESTendpoint,which,ifgivenadeviceID,returnscapabilitydetails

• Studysourcecodeofappsfromopen-sourceappstoreinstead

• StaticanalysisonAST

Challenge Solution

EmpiricalAnalysisResults

20

Documented CompletedCommands 65 93Attributes 60 85

Reason forOverprivilege NumberofAppsCoarse-grainedCapability 276(55%)

CoarseSmartApp-SmartDeviceBinding 213(43%)

OverprivilegeUsagePrevalence(CoarseBinding) 68(14%)

ExploitingDesignFlawsinSmartThings

21

OverprivilegeCommandInjection

OAuthCompromise

EventSpoofing

UnrestrictedSMSAPI

PincodeInjection

PincodeSnooping

DisablingVacationMode

FakeCOAlarm

PopularExistingSmartAppwithAndroidcompanionapp;UnintendedactionofsetCode()onlock

StealthymalwareSmartApp;ONLYrequestscapability.battery

MalwareSmartApps withnocapabilities;MisuseslogicofexistingSmartApps withfakeevents

PotentialDefenseStrategies

• Achievingleast-privilegeinSmartApps• Riskasymmetry indeviceoperations,e.g.,oven.on andoven.off• Includenotionsofriskfrommultiplestakeholders,rank[1],andregroup

• Preventinginformationleakagefromevents• Provideanotionofstrongidentity forapps+accesscontrolonevents• Makeappsrequestaccesstocertaintypesofevents,e.g.,lockpincode ACKs

22

[1]Feltetal.,I’vegot99problems,butvibrationain’t one:Asurveyofsmartphoneusers’concerns,SPSM’12

Summary• Firstlookatthesecuritydesignofaprogrammablesmarthomeplatform:SamsungSmartThings;Challenge:Blackbox CloudSystem• Twosecuritydesignissues:

• Overprivilege:Coarsegrainedcapabilities,andCoarseSmartApp-SmartDeviceBinding

• InsecureEvents:Appsdonotneedspecialprivilegestoaccesssensitiveinfo• EmpiricalAnalysis:55% ofappsdonotusealloperationstheircapabilitiesimply;43% getcapabilitiestheydidnotexplicitlyrequest• FourPoC attacksthatcombinevarioussecuritydesignissues

• Theseattacksaredeviceindependent,andlong-range• SecurityImprovements:NotifiedSmartThingsinDec2015;Improvementsinvettingprocess anddeveloperbestpracticesforGroovyStrings(Apr2016);Discussiononimprovementstocapabilitysystem (May2016)

23

• Firstlookatthesecuritydesignofaprogrammablesmarthomeplatform:SamsungSmartThings;Challenge:Blackbox CloudSystem• Twosecuritydesignissues:

• Overprivilege:Coarsegrainedcapabilities,andCoarseSmartApp-SmartDeviceBinding

• InsecureEvents:Appsdonotneedspecialprivilegestoaccesssensitiveinfo• EmpiricalAnalysis:55% ofappsdonotusealloperationstheircapabilitiesimply;43% getcapabilitiestheydidnotexplicitlyrequest• FourPoC attacksthatcombinevarioussecuritydesignissues

• Theseattacksaredeviceindependent,andlong-range• SecurityImprovements:NotifiedSmartThingsinDec2015;Improvementsinvettingprocess anddeveloperbestpracticesforGroovyStrings(Apr2016);Discussiononimprovementstocapabilitysystem (May2016)

24

SecurityAnalysisofEmergingSmartHomeApplications

https://iotsecurity.eecs.umich.edu EarlenceFernandes

ConservativelyStaticallyEstimatingSmartApp-SmartDevice Overprivilege

25

SmartAppinput“dev”,“capability.battery”

SmartDevice1[ZWave Lock]

capability.batterycapability.lock

SmartDevice2[SmokeSensor]

capability.batterycapability.smokecapability.refresh

PhysicalLock PhysicalSmokeSensor

• Manydevicescanimplementagivencapability

• Statically,wedonotwhichdevicetheuserwouldassigntoanapp

• Useourdatasetof132devicehandlerstoestimate,conservatively

EmpiricalAnalysisofSmartThings

26

Totalnumberof SmartDevices 132Number ofSmartDevices raisingeventsusing

createEvent andsendEvent.SucheventscanbesnoopedonbySmartApps

111

TotalnumberofSmartApps 499

NumberofappsusingpotentiallyunsafeGroovydynamicmethodinvocation

26

NumberofOAuth-enabled apps,whosesecuritydependsoncorrectimplementationofOAuth

27

Numberofapps usingunrestrictedSMSAPIs 131

Numberofappsusingunrestricted InternetAPIs 36

ExploitingDesignFlawsinSmartThings

27

AttackDescription AttackVectors Physical WorldImpact

BackdoorPincode InjectionAttackCommandinjectionintoexistingWebService SmartApp;Overprivilege;OAuth impl.flaws

Enablingphysical entry;Theft

DoorLockPincode SnoopingAttackStealthy battery-levelmonitoringapp;Overprivilege;leakdatausingSMS

Enabling physicalentry;Theft

DisablingVacation ModeAttackAttackappwithnocapabilities;Misusinglogicofbenignapp;EventSpoofing

Theft; Vandalism

FakeAlarm AttackAttackappwithnocapabilities;Eventspoofing;Misusinglogicofbenignapp

Misinformation;Annoyance

BackdoorPincode InjectionAttack

28

WebServiceSmartApp

HTTPPUT

HTTPGET

client_idclient_secret

mappings {path(“/devices/:id”){action:[PUT:“updateDevice” ]

}

def updateDevice(){def cmd =request.JSON.commanddef args =request.JSON.arguments//codetruncateddevice.”$cmd”(*args)

}

{command:setCode,arguments:[3,‘5500’]

}

ExampleofStealinganOAuthBearerToken

• DecompileAPKbytecodetogettheclient_secret

• Sendemailtouseraskingto“reauthenticate”toSmartThings

29

https://graph.api.smartthings.com/oauth/authorize?responsetype=code&client_id=REDACTED&scope=app&redirect_uri=http%3A%2F%2Fssmartthings.appspot.com

OpenRedirector

30

DoorLockPincode SnoopingAttack

31

LockCodeManagerApp

ZWave LockDeviceHandler

SmartThingsHub

BatteryMonitorApp

subscribe(‘codeReport’)[Possibleduetooverprivilege]

setCode(‘5500’)

codeReport event

zwave.userCodeV1.userCodeSetzwave.userCodeV1.userCodeGet

ZWave commandsandreports

ResponsibleDisclosure

32

Dec17,2015WecontactedSmartThingswithdetailsonattacks.

Jan12,2016SmartThingsacknowledgedtheattacksandsaidtheyareworkingonsolutions.

Apr15,2016SmartThingsinformedusthatdocswereupdatedtorecommendfilteringGroovyStrings;Vettingprocesseswereupdatedtolookforourattacks.

May2,2016WehadacallwithSmartThingsteamtodiscusspotentialnewdesignforcapabilitysystem.

EmergingSmartHomeFrameworks

33

CurrentVulnerabilitiesinSmartHomes

34

Devices

Protocols

Theseattacksaredevice-specific,andrequireproximity tothehome

35

COSensors

IPCameras

SmartDoorLocks ConnectedOvensSmartTVs

SmartPlugs