Scientists, including one of Indian-origin, have been able to hack into the leading "smart home" automation system and obtain the PIN code to a home's front door.
Researchers levelled four attacks at an experimental set-up of Samsung's SmartThings, a top-selling Internet of Things platform for consumers.
The work is believed to be the first platform-wide study of a real-world connected home system.
"At least today, with the one public IoT software platform we looked at, which has been around for several years, there are significant design vulnerabilities from a security perspective," said Atul Prakash, professor at the University of Michigan in US.
"One way to think about it is if you'd hand over control of the connected devices in your home to someone you don't trust and then imagine the worst they could do with that and consider whether you're okay with someone having that level of control," said Earlence Fernandes, a doctoral student at UM.
Regardless of how safe individual devices are or claim to be, new vulnerabilities form when hardware like electronic locks, thermostats, ovens, sprinklers, lights and motion sensors are networked and set up to be controlled remotely.
As a testament to SmartThings' growing use, its Android companion app that lets you manage your connected home devices remotely has been downloaded more than 100,000 times.
SmartThings' app store, where third-party developers can contribute SmartApps that run in the platform's cloud and let users customise functions, holds more than 500 apps.
The researchers performed a security analysis of the SmartThings' programming framework and to show the impact of the flaws they found, they conducted four successful proof-of-concept attacks.
They demonstrated a SmartApp that eavesdropped on someone setting a new PIN code for a door lock, and then sent that PIN in a text message to a potential hacker.
The SmartApp, which they called a "lock-pick malware app" was disguised as a battery level monitor and only expressed the need for that capability in its code.
Researchers showed that an existing, highly rated SmartApp could be remotely exploited to virtually make a spare door key by programming an additional PIN into the electronic lock.
The exploited SmartApp was not originally designed to programme PIN codes into locks.
Researchers also showed that one SmartApp could turn off "vacation mode" in a separate app that lets you programme the timing of lights and blinds, while you are away to help secure the home.
They demonstrated that a fire alarm could be made to go off by any SmartApp injecting false messages.
One security loophole is that the platform grants its SmartApps too much access to devices and to the messages those devices generate, researchers said.
"As an analogy, say you give someone permission to change the lightbulb in your office, but the person also ends up getting access to your entire office, including the contents of your filing cabinets," Prakash said.
