08-220 Earlence Fernandes - Security Analysis of Emerging Smart … Conf/37th-IEEE... ·...
![Page 1: 08-220 Earlence Fernandes - Security Analysis of Emerging Smart … Conf/37th-IEEE... · 2016-09-09 · Number of apps using potentially unsafe Groovy dynamic method invocation 26](https://reader033.fdocuments.in/reader033/viewer/2022043007/5f9531b45d2a9e2e6d2e29e6/html5/thumbnails/1.jpg)

Security Analysis of Emerging Smart Home Applications
Earlence Fernandes, Jaeyeon Jung, Atul Prakash
IEEE Security and Privacy, 24 May 2016

Emerging Smart Home Frameworks
[Figure labels: CO Sensors, Connected Ovens, Smart TVs, Smart Plugs, IP Cameras, Smart Door Locks]

Potential Security Risks
Flooding [1]
Remotely determine prime time for Burglary [1, 2]
OR
Current Vulnerabilities
Devices, Protocols
These attacks are device-specific, and require proximity to the home
[1] Denning et al., Computer Security and the Modern Home, CACM '13
[2] FTC Internet of Things Report '15

In what ways are these emerging, programmable smart homes vulnerable to attacks, and what do those attacks entail?

Analysis of SmartThings
• Why SmartThings?
  • Relatively Mature (2012)
  • 521 SmartApps
  • 132 device types
  • Shares design principles with other existing, nascent frameworks
Access Control
Trigger-Action Programming
• Methodology
  • Examine security from 5 perspectives by constructing test apps to exercise SmartThings API
  • Empirical analysis of 499 apps to determine security issue prevalence
  • Proof of concept attacks that compose security flaws

Analysis of SmartThings – Results Overview

| Security Analysis Area | Finding |
| --- | --- |
| Overprivilege in Apps | Two Types of Automatic Overprivilege |
| Event System Security | Event Snooping and Spoofing |
| Third-party Integration Safety | Incorrect OAuth Can Lead to Attacks |
| External Input Sanitization | Groovy Command Injection Attacks |
| API Access Control | No Access Control around SMS/Internet API |
| Empirical Analysis of 499 Apps | >40% of apps exhibit overprivilege of at least one type |
| Proof of Concept Attacks | Pincode Injection and Snooping, Disabling Vacation Mode, Fake Fire Alarms |

SmartThings Primer
[Architecture diagram labels: WiFi, ZWave; SmartThings Companion App (Configure, Control); SmartThings Cloud Platform; SmartApp, SmartDevice; Groovy-Based Sandbox (shown twice); Capability System [Cmd/Attr] [Events]; HTTPS GET/PUT; Internet API, SMS API]

Capability System
[Diagram labels: Untrusted SmartApp; ZWave Lock SmartDevice (capability.lock, capability.lockCodes, capability.battery, …); Send commands; Read/set attributes; Receive events]

| Capability | Commands | Attributes |
| --- | --- | --- |
| capability.lock | lock(), unlock() | lock (lock status) |
| capability.battery | N/A | battery (battery status) |

Usability: Simpler, Coarser Capabilities
Security: Very Granular Capabilities
Ease of Development: Expressive Functionality

SmartApps request Capabilities
Device Enumeration

```groovy
definition(name: "DemoApp", namespace: "com.testing", category: "Utility")

// query the user for capabilities
preferences {
    section("Battery-Powered Devices") {
        // the user picks which devices with capability.battery to bind to "dev"
        input "dev", "capability.battery", title: "Select battery powered devices you wish to authorize", multiple: true
    }
}
```
…

Overprivilege in SmartApps
Coarse-Grained Capabilities
• "Auto-lock" app from app store
• Only needs "lock" command, but can also issue "unlock"
Coarse SmartApp-SmartDevice Binding
SmartApp: input "dev", "capability.battery"
SmartDevice1 [ZWave Lock]: capability.battery, capability.lock, capability.refresh
SmartDevice2 [Smoke Sensor]: capability.battery, capability.smoke, capability.refresh
Physical Lock, Physical Smoke Sensor
Overprivilege Increases Attack Surface of the Home

Insufficient Event Data Protection
SmartApp; ZWave Door Lock 71c9344e-6bea-4ae8-993a-28a7817a7d9e
subscribe dev, "door.unlock", handler
handler(EventData: {unlocked, time: 9AM})
• Once a SmartApp gains any capability for a device, it can subscribe to any event that device generates
• If a SmartApp acquires the 128-bit ID, then it can monitor all events of that device without gaining any of the capabilities the device supports
• Using the 128-bit ID, a SmartApp can spoof physical device events
• Can lead to leakage of confidential information
• Spoofed Events can lead to Apps/Devices taking incorrect actions

Other Potential Security Issues - OAuth
• Insecurity of Third-Party Integration: SmartApps expose HTTP endpoints protected by OAuth; Incorrect implementation can lead to remote attacks [1]
[1] Chen et al., OAuth Demystified for Mobile Application Developers, CCS '14

Other Potential Security Issues - OAuth
• Unsafe use of Groovy Dynamic Method Invocation: Apps can be tricked into performing unintended actions

```groovy
def foo() { /* … */ }
def str = "foo"
"$str"()   // the method to call is chosen by the string's value at run time
```

Other Potential Security Issues – Unrestricted External Communication APIs
• Unrestricted Communication Abilities: SMS and Internet; Can be used to leak data arbitrarily

Computing Overprivilege
[Diagram labels: Coarse-Grained Capabilities: Requested Cmds/Attrs, Used Cmds/Attrs; Coarse SmartApp-SmartDevice Binding: Granted Capabilities, Used Capabilities]
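
The two overprivilege measures named on the slides (commands granted but unused, and capabilities gained through device binding) reduce to set differences. This is an added example, not code from the talk or from SmartThings; the `refresh` command entry, the function names, and the reading of "conservative" as an intersection over candidate device handlers are assumptions.

```groovy
// Added example. The capability model and app data below are constructed.

// Type 1 (coarse-grained capabilities): commands the requested capabilities
// grant but the app's code never calls.
Set<String> unusedCommands(Map<String, List<String>> model,
                           Collection<String> requested,
                           Collection<String> usedCommands) {
    Set<String> granted = (requested.collectMany { model[it] ?: [] }) as Set
    return granted - (usedCommands as Set)
}

// Type 2 (coarse SmartApp-SmartDevice binding): capabilities the bound
// device handler implements beyond what the app asked for.
Set<String> extraCapabilities(Collection<String> handlerCaps, Collection<String> requested) {
    return (handlerCaps as Set) - (requested as Set)
}

// Statically the chosen device is unknown. Assumption of this example:
// "conservative" means only capabilities gained with every handler that can
// satisfy the request, i.e. a lower bound on the overprivilege.
Set<String> guaranteedExtras(Map<String, List<String>> handlers, Collection<String> requested) {
    def candidates = handlers.values().findAll { it.containsAll(requested) }
    if (!candidates) return [] as Set
    Set<String> common = extraCapabilities(candidates.first(), requested)
    candidates.each { common = common.intersect(extraCapabilities(it, requested)) as Set }
    return common
}

def model = [                                   // capability -> commands
    'capability.lock'   : ['lock', 'unlock'],   // from the Capability System slide
    'capability.battery': [],
    'capability.refresh': ['refresh'],          // constructed for this example
    'capability.smoke'  : [],
]
def handlers = [                                // device handler -> capabilities (slide data)
    'ZWave Lock'  : ['capability.battery', 'capability.lock', 'capability.refresh'],
    'Smoke Sensor': ['capability.battery', 'capability.smoke', 'capability.refresh'],
]

// "Auto-lock" app: requests capability.lock, calls only lock().
println "auto-lock unused commands: " + unusedCommands(model, ['capability.lock'], ['lock'])

// Battery monitor: requests capability.battery only.
def req = ['capability.battery']
handlers.each { name, caps ->
    def extra = extraCapabilities(caps, req)
    println "$name: extra capabilities $extra, extra commands " + unusedCommands(model, extra, [])
}
println "gained with any matching device: " + guaranteedExtras(handlers, req)
```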

Measuring Overprivilege in SmartApps

| Challenge | Solution |
| --- | --- |
| Incomplete capability details (commands/attributes) | Discovered an unpublished REST endpoint, which, if given a device ID, returns capability details |
| SmartThings is closed source; can't do instrumentation | Study source code of apps from open-source app store instead |
| Groovy is extremely dynamic; Bytecode uses reflection (Groovy Meta Object Protocol) | Static analysis on AST |

Empirical Analysis Results

| | Documented | Completed |
| --- | --- | --- |
| Commands | 65 | 93 |
| Attributes | 60 | 85 |

| Reason for Overprivilege | Number of Apps |
| --- | --- |
| Coarse-grained Capability | 276 (55%) |
| Coarse SmartApp-SmartDevice Binding | 213 (43%) |

Overprivilege Usage Prevalence (Coarse Binding): 68 (14%)

Exploiting Design Flaws in SmartThings
[Diagram labels: Overprivilege, Command Injection, OAuth Compromise, Event Spoofing, Unrestricted SMS API; Pincode Injection, Pincode Snooping, Disabling Vacation Mode, Fake CO Alarm]
• Popular Existing SmartApp with Android companion app; Unintended action of setCode() on lock
• Stealthy malware SmartApp; ONLY requests capability.battery
• Malware SmartApps with no capabilities; Misuses logic of existing SmartApps with fake events

Potential Defense Strategies
• Achieving least-privilege in SmartApps
  • Risk asymmetry in device operations, e.g., oven.on and oven.off
  • Include notions of risk from multiple stakeholders, rank [1], and regroup
• Preventing information leakage from events
  • Provide a notion of strong identity for apps + access control on events
  • Make apps request access to certain types of events, e.g., lock pincode ACKs
[1] Felt et al., I've got 99 problems, but vibration ain't one: A survey of smartphone users' concerns, SPSM '12
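
One way the event defenses above could look: a broker that checks a per-app grant for each event type and accepts events only from the handler registered for the device. This is an added example, not SmartThings code or a design from the talk; `EventBroker`, its methods and all identifiers are hypothetical.

```groovy
// Added example: a toy event broker with hypothetical names.
class EventBroker {
    private Map<String, Set<String>> grants = [:]   // "app|device" -> event names the user approved
    private Map<String, String> handlerOf = [:]     // device id -> identity of its device handler
    private Map<String, List<Closure>> subs = [:]   // "device|event" -> subscriber callbacks

    private static String key(String a, String b) { a + '|' + b }

    void registerDevice(String deviceId, String handlerId) { handlerOf[deviceId] = handlerId }

    void grant(String appId, String deviceId, Collection<String> events) {
        grants[key(appId, deviceId)] = events as Set
    }

    // Access control on events: holding some capability on the device is not
    // enough, the app must have been granted this event type.
    boolean subscribe(String appId, String deviceId, String event, Closure callback) {
        if (!(grants[key(appId, deviceId)] ?: []).contains(event)) return false
        subs.get(key(deviceId, event), []) << callback
        return true
    }

    // Strong identity: only the handler registered for the device may raise
    // its events; knowing the device ID is not sufficient.
    boolean publish(String senderId, String deviceId, String event, Map data) {
        if (handlerOf[deviceId] != senderId) return false
        (subs[key(deviceId, event)] ?: []).each { it(data) }
        return true
    }
}

def broker = new EventBroker()
broker.registerDevice('lock-1', 'handler:zwave-lock')            // constructed identifiers
broker.grant('app:lock-code-manager', 'lock-1', ['codeReport', 'lock'])
broker.grant('app:battery-monitor', 'lock-1', ['battery'])

def seen = []
def managerOk = broker.subscribe('app:lock-code-manager', 'lock-1', 'codeReport') { seen << it }
def monitorOk = broker.subscribe('app:battery-monitor', 'lock-1', 'codeReport') { seen << it }
println "lock code manager subscribed: $managerOk"
println "battery monitor subscribed to codeReport: $monitorOk"

// An app that only knows the device ID cannot raise the lock's events.
def spoofOk = broker.publish('app:battery-monitor', 'lock-1', 'codeReport', [slot: 3])
def realOk = broker.publish('handler:zwave-lock', 'lock-1', 'codeReport', [slot: 3])
println "spoofed event accepted: $spoofOk, handler event accepted: $realOk"
println "events delivered: $seen"
```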

Summary
• First look at the security design of a programmable smart home platform: Samsung SmartThings; Challenge: Blackbox Cloud System
• Two security design issues:
  • Overprivilege: Coarse grained capabilities, and Coarse SmartApp-SmartDevice Binding
  • Insecure Events: Apps do not need special privileges to access sensitive info
• Empirical Analysis: 55% of apps do not use all operations their capabilities imply; 43% get capabilities they did not explicitly request
• Four PoC attacks that combine various security design issues
  • These attacks are device independent, and long-range
• Security Improvements: Notified SmartThings in Dec 2015; Improvements in vetting process and developer best practices for Groovy Strings (Apr 2016); Discussion on improvements to capability system (May 2016)

Security Analysis of Emerging Smart Home Applications
https://iotsecurity.eecs.umich.edu
Earlence Fernandes

Conservatively Statically Estimating SmartApp-SmartDevice Overprivilege
SmartApp: input "dev", "capability.battery"
SmartDevice1 [ZWave Lock]: capability.battery, capability.lock
SmartDevice2 [Smoke Sensor]: capability.battery, capability.smoke, capability.refresh
Physical Lock, Physical Smoke Sensor
• Many devices can implement a given capability
• Statically, we do not know which device the user would assign to an app
• Use our dataset of 132 device handlers to estimate, conservatively

Empirical Analysis of SmartThings
Total number of SmartDevices: 132
Number of SmartDevices raising events using createEvent and sendEvent (such events can be snooped on by SmartApps): 111
Total number of SmartApps: 499
Number of apps using potentially unsafe Groovy dynamic method invocation: 26
Number of OAuth-enabled apps, whose security depends on correct implementation of OAuth: 27
Number of apps using unrestricted SMS APIs: 131
Number of apps using unrestricted Internet APIs: 36

Exploiting Design Flaws in SmartThings

| Attack Description | Attack Vectors | Physical World Impact |
| --- | --- | --- |
| Backdoor Pincode Injection Attack | Command injection into existing WebService SmartApp; Overprivilege; OAuth impl. flaws | Enabling physical entry; Theft |
| Door Lock Pincode Snooping Attack | Stealthy battery-level monitoring app; Overprivilege; leak data using SMS | Enabling physical entry; Theft |
| Disabling Vacation Mode Attack | Attack app with no capabilities; Misusing logic of benign app; Event Spoofing | Theft; Vandalism |
| Fake Alarm Attack | Attack app with no capabilities; Event spoofing; Misusing logic of benign app | Misinformation; Annoyance |

Backdoor Pincode Injection Attack
[Diagram labels: WebService SmartApp; HTTP PUT; HTTP GET; client_id, client_secret]

```groovy
mappings {
    path("/devices/:id") {
        action: [PUT: "updateDevice"]
    }
}

def updateDevice() {
    def cmd = request.JSON.command
    def args = request.JSON.arguments
    // code truncated
    device."$cmd"(*args)   // method name and arguments come straight from the request body
}
```

```
{
  command: setCode,
  arguments: [3, '5500']
}
```
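
The `updateDevice` handler above, like the earlier `"$str"()` slide, lets request data choose which method runs. As an added example (not SmartThings' or the authors' code), the same pattern is placed beside a version that filters the command against a fixed allowlist; `FakeLock`, `updateDeviceSafe` and the allowlist contents are hypothetical stand-ins.

```groovy
// Added example: stand-ins for a lock device and a parsed JSON body.
class FakeLock {                          // hypothetical device object
    List<String> log = []
    def lock()             { log << 'lock' }
    def unlock()           { log << 'unlock' }
    def setCode(slot, pin) { log << 'setCode' }
}

// Pattern from the slide: the request body picks the method name.
def updateDeviceUnsafe(device, Map body) {
    def cmd = body.command
    def args = body.arguments ?: []
    device."$cmd"(*args)
}

// Hardened form: the request string is only a lookup key into a fixed table
// of closures, so a name outside the table can never reach the device.
def updateDeviceSafe(device, Map body, Map<String, Closure> allowed) {
    def cmd = body.command
    def args = body.arguments ?: []
    if (!(cmd instanceof String) || !allowed.containsKey(cmd)) {
        throw new IllegalArgumentException("command not permitted")
    }
    if (!(args instanceof List) || !args.isEmpty()) {
        throw new IllegalArgumentException("unexpected arguments")
    }
    return allowed[cmd](device)
}

// What this endpoint is meant to expose (assumed for the example).
def allowed = [
    lock  : { dev -> dev.lock() },
    unlock: { dev -> dev.unlock() },
]

def injected = [command: 'setCode', arguments: [3, '5500']]   // payload shown on the slide

def lockA = new FakeLock()
updateDeviceUnsafe(lockA, injected)
println "unsafe handler ran: ${lockA.log}"

def lockB = new FakeLock()
try {
    updateDeviceSafe(lockB, injected, allowed)
} catch (IllegalArgumentException e) {
    println "safe handler rejected request: ${e.message}"
}
updateDeviceSafe(lockB, [command: 'lock'], allowed)
println "safe handler ran: ${lockB.log}"
```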

Example of Stealing an OAuth Bearer Token
• Decompile APK bytecode to get the client_secret
• Send email to user asking to "reauthenticate" to SmartThings
https://graph.api.smartthings.com/oauth/authorize?responsetype=code&client_id=REDACTED&scope=app&redirect_uri=http%3A%2F%2Fssmartthings.appspot.com
Open Redirector

Door Lock Pincode Snooping Attack
[Diagram labels: Lock Code Manager App; ZWave Lock Device Handler; SmartThings Hub; Battery Monitor App; subscribe('codeReport') [Possible due to overprivilege]; setCode('5500'); codeReport event; zwave.userCodeV1.userCodeSet, zwave.userCodeV1.userCodeGet; ZWave commands and reports]

Responsible Disclosure
• Dec 17, 2015: We contacted SmartThings with details on attacks.
• Jan 12, 2016: SmartThings acknowledged the attacks and said they are working on solutions.
• Apr 15, 2016: SmartThings informed us that docs were updated to recommend filtering Groovy Strings; Vetting processes were updated to look for our attacks.
• May 2, 2016: We had a call with SmartThings team to discuss potential new design for capability system.

Current Vulnerabilities in Smart Homes
Devices, Protocols
These attacks are device-specific, and require proximity to the home