physical safety using traditional attack vectors such as phishing and infecting desktops with
malware.
Clear-text password reset link
The clear-text password reset link sent by the SmartThings app can be abused to hijack the
user’s credentials. As shown in Figure 4-10, a user who requests a password reset is sent a
password recovery email containing a link to click (Figure 4-9). This link (in the form of
http://mandrillapp.com/track/click/30028387/graph.api.smartthings.com, as discussed
earlier) does not use Transport Layer Security (TLS), but rather is sent across the local network
and the Internet in the clear.
The user is then redirected to a link that does use TLS (in the form of
https://graph.api.smartthings.com/register/resetPassword, also as discussed earlier). However,
anyone on the local WiFi network, such as a public wireless network in a cafe, can capture the
original link if the user clicks on it. Once this link has been captured, the attacker can reset
the password by submitting a new password before the victim does. Once the password is
reset, the password reset link expires and the user will have to submit a new request.
In this case, an argument could be made that it would be hard for a potential attacker to
wait around for the victim to forget her password and submit a reset request at a cafe. However,
in the case of a targeted attack in which the attacker is on the same wireless network as
the victim, the attacker can initiate the password reset by submitting the request shown in
Figure 4-9 on behalf of the user. In that case, the victim would likely be surprised by the password
reset email but might assume there is a glitch in the SmartThings system and go ahead
with the reset process anyway, allowing the attacker to capture the initial link and take over
the account. In addition to this scenario, individuals with access to the network devices
between the victim and mandrillapp.com can also capture the initial link and compromise the
user’s SmartThings account.
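A defender-side check for the weakness described above, as an added example that is not SmartThings' or Mandrill's code: it audits the links in a password reset email, flagging any link the user is expected to click that is not served over TLS and any click-tracking redirector host, and it locates the first non-TLS hop in a redirect chain. The sample email body and the REDIRECTOR_HOSTS list are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Matches absolute http/https URLs in an email body.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Hosts that wrap links in a click-tracking redirect. Illustrative assumption:
# only mandrillapp.com is listed because it is the one named in the text.
REDIRECTOR_HOSTS = {"mandrillapp.com"}


@dataclass(frozen=True)
class Finding:
    url: str
    issue: str  # "cleartext" or "redirector"


def audit_link(url: str) -> List[Finding]:
    """Flag a single link a user is expected to click."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        # The click is visible to anyone on the path (cafe WiFi, upstream devices).
        findings.append(Finding(url, "cleartext"))
    if any(host == h or host.endswith("." + h) for h in REDIRECTOR_HOSTS):
        # A redirector adds a hop whose transport the sender may not control.
        findings.append(Finding(url, "redirector"))
    return findings


def audit_reset_email(body: str) -> List[Finding]:
    """Audit every link in a password-reset email body."""
    findings = []
    for m in URL_RE.finditer(body):
        findings.extend(audit_link(m.group(0).rstrip(".,);")))
    return findings


def weakest_hop(chain: List[str]) -> Optional[str]:
    """First URL in a redirect chain not served over TLS, or None if all hops use TLS."""
    for url in chain:
        if urlsplit(url).scheme != "https":
            return url
    return None


# Constructed sample email mirroring the pattern in the text (not a real message).
SAMPLE_EMAIL = """Someone requested a password reset for your account.
Click here to choose a new password:
http://mandrillapp.com/track/click/30028387/graph.api.smartthings.com?p=EXAMPLE
If you did not request this, ignore this message."""
```

Run over a real reset email, an empty result means every clickable link and every hop the checker was told about uses TLS; a "redirector" finding means the chain still needs to be followed hop by hop, since the first link being HTTPS does not guarantee the intermediate redirect is.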
Abusing the Physical Graph
The upcoming age of the IoT is bound to connect our physical world with our online virtual
spaces. We have already witnessed this occurring throughout the previous chapters of this
book: being able to control lightbulbs based on triggers on Facebook using IFTTT, using our
mobile devices to send our companions electronic keys that can be used to open physical
doors, and storing information about our physical IoT objects on remote servers like
graph.api.smartthings.com.
The SmartThings team has published a vision of its notion of a “physical graph” that will
serve as a platform for IoT objects in the future:
At SmartThings, we believe the next and perhaps most life-altering evolution of the Internet will be
the creation of the physical graph; the digitization, connectivity and programmability of the physical
world around us. Whether you call this the Internet of Things, sensor networks or home and life
CHAPTER 4: BLURRED LINES—WHEN THE PHYSICAL SPACE MEETS THE VIRTUAL SPACE