Hackers Unlock Doors of Samsung 'Smart' Home

Hackers were able to create a 'key' for an app-enabled lock. Yale

A major security flaw in Samsung's smart home system has allowed door locks and appliances to be hacked, a new study has revealed.

Researchers at the University of Michigan demonstrated how malicious apps could be used to take control of home appliances, set off alarms and unlock doors connected to Samsung's SmartThings ecosystem, in what they called "the first in-depth security analysis" of a smart home platform.

"All of the above attacks expose a household to significant harm—break-ins, theft, misinformation, and vandalism," the researchers' paper states. "The attack vectors are not specific to a particular device and are broadly applicable."

The researchers tested Samsung's SmartThings as it has the largest number of apps among currently available smart home platforms and supports a broad range of devices.

One attack method detailed in the paper describes how a malicious link sent to a SmartThings user can be used to obtain login credentials for a third-party app. This would allow hackers to "inject" a new code for the door lock.

Samsung responded to the study by claiming a malicious SmartApp would never make it into its SmartThings system.

"The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios—the installation of a malicious SmartApp or the failure of third-party developers to follow SmartThings guidelines on how to keep their code secure," Samsung said in a statement.

"Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication."

Despite these claims, the South Korean electronics giant also said that it had added further security review requirements for the publication of any SmartApp and had updated its documented best practices to give security guidance to developers.