Security Analysis of Smart Home Platform Interactions

While the smart home brings unprecedented convenience and accessibility, it also introduces various security hazards to users. In this work, we conducted an in-depth analysis of five widely used smart home platforms and found that the complex interactions among the participating entities (i.e., devices, IoT clouds, and mobile apps), though not systematically investigated in the literature, are vulnerable to a spectrum of new attacks, including remote device substitution, remote device hijacking, remote device DoS, illegal device occupation, and firmware theft. The discovered vulnerabilities apply to multiple widely used smart home platforms, including Samsung SmartThings, TP-LINK KASA, and XiaoMi MIJIA, and hundreds of millions of devices were affected. We also propose several defensive design suggestions to secure smart home platforms in the first place. We have reported our discoveries to the corresponding vendors, who have confirmed them and awarded our disclosures.

Wei Zhou
Associate Professor of Cybersecurity

My research interests include IoT security, mobile security and program analysis.