One of the researchers, PhD candidate Earlence Fernandes, told SCMagazine.com via email that an incorrect OAuth implementation in an Android remote control app made the attacks possible.
One attack used a malicious application placed on a phone to eavesdrop on a potential victim when he or she sets a new PIN code for a door lock, according to a video that Fernandes's team posted to YouTube on May 2.
Once the new code has been set, the attacker will receive a text message containing the new PIN that will allow them to unlock the door, researchers said in the video.
Another attack requires that researchers exploit vulnerabilities in the existing SmartApp, which controls the Samsung SmartThings connected home systems, by sending a message to the SmartApp from a separate computer that will enable them to program their own PIN codes for the door lock, the researchers said.
Fernandes explained that over-privilege was the root cause of all the attacks.
“When this is combined (as we showed in our work) with other more common issues like use of unsanitized strings over HTTP, improper OAuth implementation, [and] users falling for phishing attacks, the overprivilege flaws become much more dangerous because they can be exploited using malware, or even remotely at that point,” Fernandes said.
Developers should limit app privileges to those that an app needs to carry out its assigned tasks, Fernandes said, adding that other problems could be solved by using secure development practices and following established security practices.
The vulnerabilities were disclosed to SmartThings in December 2015 and, as of April 29, 2016, they had not been fixed, Fernandes said. However, he noted that Samsung has already improved its documentation and has made changes to look over its app review process.
SmartThings CEO and Founder Alex Hawkinson said in an emailed statement to SCMagazine.com that his company is fully aware of the vulnerability and is continuing to secure the platform.
“The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure,” Hawkinson said.
He added that the malicious SmartApps have not impacted and would not impact customers because of the company's review process, which wouldn't approve the malicious apps for publication.
Tripwire Senior Security Researcher Craig Young, who studied similar vulnerabilities in Samsung and other connected home systems, speculated to SCMagazine.com that the vulnerability most likely exists within the SmartThings ecosystem.
“It doesn't sound like the flaws exist in the Samsung code or the SmartThings code,” but more like an issue with one of the outside developers the company works with, Young said.
Samsung is probably waiting on an outside developer, which may be a small business or even a single individual, to patch the vulnerable code, he said, and doesn't want to disrupt its end users' service while it waits.