Outdated Samsung SmartThings Hub could allow burglars in your home

The Internet of Things’ biggest promise is convenience, and devices like the Samsung SmartThings Hub aim to extend that promise even further – by putting the controls for every smart home device onto the user’s handset. However, as researchers recently showed, such convenience sometimes comes at a cost.

A discovery made by Claudio Bozzato of Cisco Talos reveals that even IoT devices that promise to secure your house can turn against you if they fall into the wrong hands.

Bozzato found no fewer than 20 vulnerabilities in the device sold by Samsung, some of which could be “chained” together to create attack scenarios like:

  • Unlock smart locks controlled by the SmartThings Hub, allowing for physical access to the home
  • Remotely monitor occupants through cameras deployed within the home
  • Disable motion detectors (which would aid a break-in)
  • Control smart plugs to turn off or on different things, potentially causing physical damage to certain appliances connected to those plugs
  • Control thermostats…

…and the list could continue. As Bozzato puts it, “Given the wide range of possible deployments of these devices, this is not a complete list of different scenarios.”

Cisco’s blog post offers a close look at all the vulnerabilities in question, including the ways they can be chained together to create attack vectors.

The good news is researchers disclosed the bugs to Samsung responsibly – i.e. before making the news public. Samsung has therefore had plenty of time to patch all the flaws. And because the SmartThings Hub supports over-the-air updates that it can fetch automatically whenever Samsung rolls them out, users should already be on the latest (and safest) firmware.

However, if for some reason your SmartThings Hub has been offline for a while, or if you’re just plain paranoid (which you should be, in this case), check and see if you are on version 0.22.13 of your tiny hub’s firmware. If your version is any lower, chances are your hardware is still vulnerable to the dangers described above. The SmartThings app or web module should allow you to fetch the necessary update.
