To exploit this issue, an attacker would need to know the access code of the affected device. This can be discovered by observing the range of devices that are being controlled or by using the SmartThings mobile app or web interface to view the devices under their control.
Additionally, if the access code is changed, an attacker would need to change their code as well in order to gain access.
CVE-2017-8128 Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts.
CVE-2017-8127 Insecure handling of API keys in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via API KEYs.
CVE-2017-8126 Insecure handling of API keys in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via API KEYs.
CVE-2017-8125 Insecure handling of API keys in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via API KEYs.
CVE-2017-8124 Insecure handling of API keys in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via API KEYs.
CVE-2017-8123 Insecure handling of API keys in SmartThings prior to version 1.7.89.0
Mobile Device Management Vulnerability in SmartThings
In the case of CVE-2017-8123, an attacker could create a malicious mobile app which would use a CVE-2017-8123 vulnerability to get access to your account. This is because the attacker can control any mobile device that has been paired with their account.
With this in mind, you should be very careful of what apps are downloaded or installed on your phone. If you think someone has downloaded an unauthorized app onto your phone, then it is highly recommended that you contact support for your SmartThings account to have their security measures checked.
Timeline
Published on: 10/07/2022 15:15:00 UTC
Last modified on: 10/11/2022 19:08:00 UTC