Abusing the Internet of Things


Single-factor authentication
Systems that protect against physical threats should not rely upon single-factor authentication.
SmartThings markets its ability to secure and monitor the home as a primary feature. Even
though the system has implemented a complex password requirement, one-time access to the
owner’s email account can compromise the physical security promised by the system. It
might be overkill to protect your Pizza Hut account with anything more than a username and
password, since the cost of implementing extra measures might be higher than that caused by
nefarious pizza-ordering activity. But a system you rely upon to protect your home and loved
ones must offer greater security.
In the current situation, a malicious entity can use the password reset feature (Figure 4-9)
to reset a victim’s SmartThings password. All the attacker needs is temporary access to the
target’s email account, which can be gained by stealing a mobile device that belongs to the
SmartThings user. The attacker can then reset the password (Figure 4-11) just by using the
user’s preconfigured email client on the mobile device. Even without physical access to the
mobile device, the attacker could obtain access to the email account by launching a phishing
attack or successfully infecting the victim’s computer or phone with malware that captures
email credentials.
The point here is that products that advertise physical security should take security seriously
and implement tight controls. Millions of people have their email credentials compromised
every week. Users should not have to worry about an intruder being able to monitor
and influence the devices in their homes remotely just because they have fallen victim to a
simple phishing attack.
Companies such as Google and Apple have realized that it is becoming harder to guarantee
customer security by relying on a username and password mechanism alone. Google
offers two-factor authentication, which requires the use of a password (first factor) in addition
to the possession of a mobile device (second factor).
With two-factor authentication enabled, the user must first enter his credentials, after
which a randomly generated code is sent as a text message to the user’s phone. The user must
also enter this code to log into the account. This type of setup requires knowledge of something
secret (the password), along with the possession of a physical object (the mobile device).
Apple has implemented a similar method to protect its users and has also opened up its
TouchID system to third-party app developers. This system could easily be leveraged by the
SmartThings app to verify the user’s fingerprint as the second factor.
Another issue of concern is the longevity (18,250 days!) of the access_token discussed
earlier. Since 18,250 days equals approximately 50 years, a potential attacker has five decades
to try to obtain the access_token and reuse it to launch commands using the
graph.api.smartthings.com service.
We hope that SmartThings and other emerging IoT manufacturers will enhance their
designs to implement two-factor authentication, so that attackers won’t be able to disrupt

