Security Analysis of Emerging Smart Home Applications
Earlence Fernandes, Jaeyeon Jung, Atul Prakash
IEEE Security and Privacy, 24 May 2016
Emerging Smart Home Frameworks
[Figure: device icons for CO sensors, connected ovens, smart TVs, smart plugs, IP cameras and smart door locks]

Potential Security Risks
• Flooding [1]
• Remotely determine prime time for burglary [1, 2]
[1] Denning et al., Computer Security and the Modern Home, CACM '13
[2] FTC Internet of Things Report '15
Current Vulnerabilities
• Devices
• Protocols
These attacks are device-specific, and require proximity to the home.

In what ways are these emerging, programmable smart homes vulnerable to attacks, and what do those attacks entail?
Analysis of SmartThings
• Why SmartThings?
  • Relatively mature (2012)
  • 521 SmartApps
  • 132 device types
  • Shares design principles with other existing, nascent frameworks
    [Figure: Access Control; Trigger-Action Programming]
• Methodology
  • Examine security from 5 perspectives by constructing test apps to exercise the SmartThings API
  • Empirical analysis of 499 apps to determine security issue prevalence
  • Proof-of-concept attacks that compose security flaws
Analysis of SmartThings – Results Overview

Security Analysis Area         | Finding
Overprivilege in Apps          | Two types of automatic overprivilege
Event System Security          | Event snooping and spoofing
Third-party Integration Safety | Incorrect OAuth can lead to attacks
External Input Sanitization    | Groovy command injection attacks
API Access Control             | No access control around SMS/Internet API
Empirical Analysis of 499 Apps | >40% of apps exhibit overprivilege of at least one type
Proof of Concept Attacks       | Pincode injection and snooping, disabling vacation mode, fake fire alarms
SmartThings Primer
[Figure: SmartThings architecture. Devices (ZWave, WiFi); SmartThings Companion App (Configure, Control); SmartThings Cloud Platform hosting SmartApps and SmartDevices, each in a Groovy-based sandbox, connected through the Capability System ([Cmd/Attr], [Events]); HTTPS GET/PUT; Internet API and SMS API]
Capability System
[Figure: an Untrusted SmartApp interacts with a ZWave Lock SmartDevice (capability.lock, capability.lockCodes, capability.battery, ...): it sends commands, reads/sets attributes and receives events]

Capability         | Commands         | Attributes
capability.lock    | lock(), unlock() | lock (lock status)
capability.battery | N/A              | battery (battery status)

Design trade-off:
• Usability: simpler, coarser capabilities
• Security: very granular capabilities
• Ease of development: expressive functionality
SmartApps request capabilities.
Device Enumeration

    definition(name: "DemoApp", namespace: "com.testing", category: "Utility")

    // query the user for capabilities
    preferences {
        section("Battery-Powered Devices") {
            input "dev", "capability.battery", title: "Select battery powered devices you wish to authorize", multiple: true
        }
    }
    …
Overprivilege in SmartApps
[Architecture diagram as on the SmartThings Primer slide]
Overprivilege in SmartApps
• Coarse-Grained Capabilities
• Coarse SmartApp-SmartDevice Binding
[Figure: SmartApp with input "dev", "capability.battery" bound to SmartDevice 1 [ZWave Lock] (capability.battery, capability.lock, capability.refresh) and SmartDevice 2 [Smoke Sensor] (capability.battery, capability.smoke, capability.refresh), which stand for the physical lock and physical smoke sensor]
• "Auto-lock" app from the app store
• Only needs the "lock" command, but can also issue "unlock"
Overprivilege increases the attack surface of the home.
Insufficient Event Data Protection
[Architecture diagram as on the SmartThings Primer slide]
Insufficient Event Data Protection
[Figure: a SmartApp subscribes to ZWave Door Lock 71c9344e-6bea-4ae8-993a-28a7817a7d9e with subscribe dev, "door.unlock", handler; the lock's event arrives as handler(EventData: {unlocked, time: 9AM})]
• Once a SmartApp gains any capability for a device, it can subscribe to any event that device generates
• If a SmartApp acquires the 128-bit ID, then it can monitor all events of that device without gaining any of the capabilities the device supports
• Using the 128-bit ID, a SmartApp can spoof physical device events
Insufficient Event Data Protection
[Figure: the same subscribe dev, "door.unlock", handler / handler(EventData: {unlocked, time: 9AM}) exchange as on the previous slide]
• Can lead to leakage of confidential information
• Spoofed events can lead to apps/devices taking incorrect actions
Other Potential Security Issues - OAuth
[Architecture diagram as on the SmartThings Primer slide]
• Insecurity of third-party integration: SmartApps expose HTTP endpoints protected by OAuth; incorrect implementation can lead to remote attacks [1]
[1] Chen et al., OAuth Demystified for Mobile Application Developers, CCS '14
Other Potential Security Issues - OAuth
[Architecture diagram as on the SmartThings Primer slide]
• Unsafe use of Groovy dynamic method invocation: apps can be tricked into performing unintended actions

    def foo() { … }
    def str = "foo"
    "$str"()        // invokes foo() by name: the string decides which method runs
Other Potential Security Issues – Unrestricted External Communication APIs
[Architecture diagram as on the SmartThings Primer slide]
• Unrestricted communication abilities: SMS and Internet; can be used to leak data arbitrarily
Computing Overprivilege
[Figure: Coarse-Grained Capabilities: Requested Cmds/Attrs vs. Used Cmds/Attrs; Coarse SmartApp-SmartDevice Binding: Granted Capabilities vs. Used Capabilities]
Measuring Overprivilege in SmartApps

Challenge | Solution
Incomplete capability details (commands/attributes) | Discovered an unpublished REST endpoint which, given a device ID, returns capability details
SmartThings is closed source; can't do instrumentation | Study source code of apps from the open-source app store instead
Groovy is extremely dynamic; bytecode uses reflection (Groovy Meta Object Protocol) | Static analysis on the AST
Empirical Analysis Results

           | Documented | Completed
Commands   | 65         | 93
Attributes | 60         | 85

Reason for Overprivilege                        | Number of Apps
Coarse-grained Capability                       | 276 (55%)
Coarse SmartApp-SmartDevice Binding             | 213 (43%)
Overprivilege Usage Prevalence (Coarse Binding) | 68 (14%)
Exploiting Design Flaws in SmartThings
Design flaws composed: Overprivilege, Command Injection, OAuth Compromise, Event Spoofing, Unrestricted SMS API
• Pincode Injection: popular existing SmartApp with Android companion app; unintended action of setCode() on lock
• Pincode Snooping: stealthy malware SmartApp; ONLY requests capability.battery
• Disabling Vacation Mode, Fake CO Alarm: malware SmartApps with no capabilities; misuse logic of existing SmartApps with fake events
Potential Defense Strategies
• Achieving least privilege in SmartApps
  • Risk asymmetry in device operations, e.g., oven.on and oven.off
  • Include notions of risk from multiple stakeholders, rank [1], and regroup
• Preventing information leakage from events
  • Provide a notion of strong identity for apps + access control on events
  • Make apps request access to certain types of events, e.g., lock pincode ACKs
[1] Felt et al., I've got 99 problems, but vibration ain't one: A survey of smartphone users' concerns, SPSM '12
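A toy event bus, added here as a Python example (not SmartThings code), that puts the two event flaws from the Insufficient Event Data Protection slides beside the defence proposed on this slide: strong app identity plus access control on subscribing to, and raising, a device's events. The grant table, app names and the "device_handler" identity are constructed assumptions.

```python
"""Toy event bus, an added example (not SmartThings code): enforce=False models
the slides' ID-only event model, enforce=True the proposed defence of strong
app identity plus access control on subscribing to and raising device events."""

LOCK_ID = "71c9344e-6bea-4ae8-993a-28a7817a7d9e"   # ZWave door lock ID from the slide


class EventBus:
    def __init__(self, grants, enforce=True):
        self.grants = grants     # app -> {device_id: event types the user approved}
        self.enforce = enforce   # False: knowing the 128-bit ID is enough, as on the slides
        self.subs = []           # (device_id, event_name, handler)

    def subscribe(self, app, device_id, event_name, handler):
        allowed = self.grants.get(app, {}).get(device_id, set())
        if self.enforce and event_name not in allowed:
            raise PermissionError(f"{app} may not subscribe to {event_name} on {device_id}")
        self.subs.append((device_id, event_name, handler))
        return "subscribed"

    def send_event(self, sender, device_id, event_name, data):
        # Only the device handler that owns the device may raise its events.
        if self.enforce and sender != ("device_handler", device_id):
            raise PermissionError(f"spoofed {event_name} from {sender} rejected")
        handlers = [h for d, e, h in self.subs if (d, e) == (device_id, event_name)]
        for h in handlers:
            h(data)
        return len(handlers)     # subscribers that received the event


def attempt(action):
    try:
        return action()
    except PermissionError:
        return "denied"


def demo(enforce):
    """auto-lock was granted 'lock' events on the lock; battery-monitor and
    malware-app were granted nothing on it (constructed grants)."""
    bus, seen = EventBus({"auto-lock": {LOCK_ID: {"lock"}}}, enforce), []
    owner = ("device_handler", LOCK_ID)
    return {
        "legit_sub": attempt(lambda: bus.subscribe("auto-lock", LOCK_ID, "lock", seen.append)),
        "snoop": attempt(lambda: bus.subscribe("battery-monitor", LOCK_ID, "codeReport", seen.append)),
        "spoof": attempt(lambda: bus.send_event("malware-app", LOCK_ID, "lock", {"value": "unlocked"})),
        "code_report": attempt(lambda: bus.send_event(owner, LOCK_ID, "codeReport", {"code": "5500"})),
        "legit_event": attempt(lambda: bus.send_event(owner, LOCK_ID, "lock", {"value": "locked"})),
        "seen": seen,
    }
```

With enforce=False the snooping subscription succeeds, the spoofed "unlocked" event reaches the benign app and the pin code report leaks; with enforce=True both are denied and only the genuine lock event is delivered.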
Summary
• First look at the security design of a programmable smart home platform: Samsung SmartThings; challenge: black-box cloud system
• Two security design issues:
  • Overprivilege: coarse-grained capabilities, and coarse SmartApp-SmartDevice binding
  • Insecure events: apps do not need special privileges to access sensitive info
• Empirical analysis: 55% of apps do not use all operations their capabilities imply; 43% get capabilities they did not explicitly request
• Four PoC attacks that combine various security design issues
  • These attacks are device independent, and long-range
• Security improvements: notified SmartThings in Dec 2015; improvements in vetting process and developer best practices for Groovy strings (Apr 2016); discussion on improvements to the capability system (May 2016)
Security Analysis of Emerging Smart Home Applications
https://iotsecurity.eecs.umich.edu
Earlence Fernandes
Conservatively Statically Estimating SmartApp-SmartDevice Overprivilege
[Figure: SmartApp with input "dev", "capability.battery"; SmartDevice 1 [ZWave Lock] (capability.battery, capability.lock); SmartDevice 2 [Smoke Sensor] (capability.battery, capability.smoke, capability.refresh); physical lock and physical smoke sensor]
• Many devices can implement a given capability
• Statically, we do not know which device the user would assign to an app
• Use our dataset of 132 device handlers to estimate, conservatively
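The two estimates from the Computing Overprivilege slide and the conservative static estimate described above, worked through as an added Python example (not the authors' analysis tool). The capability-to-command table and the two device handlers are constructed toy data modelled on the slides, not SmartThings' real definitions.

```python
"""Conservative static estimate of the two overprivilege types on the slides.
Added example; the capability table and device handlers are constructed toy
data modelled on the slides, not SmartThings' real capability definitions."""

# capability -> commands it grants (constructed; the capability.lock row follows the slide table)
CAPABILITY_COMMANDS = {
    "capability.battery": set(),
    "capability.lock": {"lock", "unlock"},
    "capability.refresh": {"refresh"},
    "capability.smoke": set(),
}

# device handler -> capabilities it implements (the two devices from the slides)
DEVICE_HANDLERS = {
    "ZWave Lock": {"capability.battery", "capability.lock", "capability.refresh"},
    "Smoke Sensor": {"capability.battery", "capability.smoke", "capability.refresh"},
}


def coarse_capability_overprivilege(requested, used_commands):
    """Type 1: commands the requested capabilities grant but the app never
    calls (the auto-lock app calls lock() yet is also handed unlock())."""
    granted = set().union(*(CAPABILITY_COMMANDS[c] for c in requested))
    return granted - set(used_commands)


def coarse_binding_overprivilege(requested, handlers=DEVICE_HANDLERS):
    """Type 2: binding is per device, so the app receives every capability of
    whichever handler the user picks. Statically we do not know which device
    that is, so take the union over all handlers that could be bound."""
    requested = set(requested)
    candidates = {n: caps for n, caps in handlers.items() if caps & requested}
    extra = set().union(*candidates.values()) - requested
    return extra, sorted(candidates)


def report(requested, used_commands):
    unused = coarse_capability_overprivilege(requested, used_commands)
    extra, devices = coarse_binding_overprivilege(requested)
    return {
        "coarse_capability": sorted(unused),     # type 1 findings
        "coarse_binding": sorted(extra),         # type 2 findings
        "candidate_devices": devices,
        "overprivileged": bool(unused or extra),
    }


if __name__ == "__main__":
    print(report({"capability.lock"}, {"lock"}))   # auto-lock app from the slides
    print(report({"capability.battery"}, set()))   # battery-monitor app
```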
Empirical Analysis of SmartThings

Total number of SmartDevices | 132
Number of SmartDevices raising events using createEvent and sendEvent (such events can be snooped on by SmartApps) | 111
Total number of SmartApps | 499
Number of apps using potentially unsafe Groovy dynamic method invocation | 26
Number of OAuth-enabled apps, whose security depends on correct implementation of OAuth | 27
Number of apps using unrestricted SMS APIs | 131
Number of apps using unrestricted Internet APIs | 36
Exploiting Design Flaws in SmartThings

Attack Description | Attack Vectors | Physical World Impact
Backdoor Pincode Injection Attack | Command injection into existing WebService SmartApp; overprivilege; OAuth impl. flaws | Enabling physical entry; theft
Door Lock Pincode Snooping Attack | Stealthy battery-level monitoring app; overprivilege; leak data using SMS | Enabling physical entry; theft
Disabling Vacation Mode Attack | Attack app with no capabilities; misusing logic of benign app; event spoofing | Theft; vandalism
Fake Alarm Attack | Attack app with no capabilities; event spoofing; misusing logic of benign app | Misinformation; annoyance
Backdoor Pincode Injection Attack
[Figure: WebService SmartApp reached over HTTP PUT / HTTP GET with the OAuth client_id and client_secret]

    mappings {
        path("/devices/:id") {
            action: [PUT: "updateDevice"]
        }
    }

    def updateDevice() {
        def cmd = request.JSON.command
        def args = request.JSON.arguments
        // code truncated
        device."$cmd"(*args)    // method name and arguments come straight from the request body
    }

Request body:

    {command: setCode, arguments: [3, '5500']}
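A Python analogue, added here and not the SmartThings Groovy from the slide, of the updateDevice pattern above (device."$cmd"(*args)), shown beside an allowlist check that confines the endpoint to the commands the app actually needs. ZWaveLock, its methods and ALLOWED_COMMANDS are constructed stand-ins; the request body is the one on the slide.

```python
"""Python analogue (added example, not SmartThings' Groovy) of the
web-service SmartApp pattern device."$cmd"(*args): the 'command' field of
the request body selects, by name, the method that runs on the device."""

ALLOWED_COMMANDS = {"lock", "unlock"}   # the only commands this endpoint is meant to expose


class ZWaveLock:
    """Constructed stand-in for the lock SmartDevice bound to the app."""

    def __init__(self):
        self.locked = False
        self.codes = {}          # slot -> pin code

    def lock(self):
        self.locked = True

    def unlock(self):
        self.locked = False

    def setCode(self, slot, code):
        # reachable through the endpoint only because the app is overprivileged
        self.codes[slot] = code


def update_device_vulnerable(device, body):
    """Mirrors the slide: whatever 'command' names is invoked, with the
    caller's arguments, on the device object."""
    cmd, args = body["command"], body.get("arguments", [])
    getattr(device, cmd)(*args)
    return "ok"


def update_device_hardened(device, body):
    """Check the command against an allowlist before any dynamic dispatch;
    setCode, dunder names and anything else not listed are refused."""
    cmd, args = body["command"], body.get("arguments", [])
    if cmd not in ALLOWED_COMMANDS:
        return "rejected"
    getattr(device, cmd)(*args)
    return "ok"


if __name__ == "__main__":
    # Request body from the slide: plants pin code 5500 in slot 3
    body = {"command": "setCode", "arguments": [3, "5500"]}
    lock = ZWaveLock()
    print(update_device_vulnerable(lock, body), lock.codes)   # ok {3: '5500'}
    lock = ZWaveLock()
    print(update_device_hardened(lock, body), lock.codes)     # rejected {}
```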
Example of Stealing an OAuth Bearer Token
• Decompile APK bytecode to get the client_secret
• Send email to user asking to "reauthenticate" to SmartThings

    https://graph.api.smartthings.com/oauth/authorize?responsetype=code&client_id=REDACTED&scope=app&redirect_uri=http%3A%2F%2Fssmartthings.appspot.com

[Figure label: Open Redirector]
Door Lock Pincode Snooping Attack
[Figure: sequence diagram between the Lock Code Manager App, the ZWave Lock Device Handler, the SmartThings Hub and the Battery Monitor App]
• subscribe('codeReport') [possible due to overprivilege]
• setCode('5500')
• zwave.userCodeV1.userCodeSet, zwave.userCodeV1.userCodeGet (ZWave commands and reports)
• codeReport event
Responsible Disclosure
• Dec 17, 2015: We contacted SmartThings with details on attacks.
• Jan 12, 2016: SmartThings acknowledged the attacks and said they are working on solutions.
• Apr 15, 2016: SmartThings informed us that docs were updated to recommend filtering Groovy strings; vetting processes were updated to look for our attacks.
• May 2, 2016: We had a call with the SmartThings team to discuss a potential new design for the capability system.