Hardwear.io NL 2025: Hacking to the Gate(way): Take Over Samsung SmartThings with a Single API Call

Описание: Talk Title: Hacking to the Gate(way): Take Over Samsung SmartThings with a Single API Call
Speaker: TingYu Chen

Abstract:
Samsung SmartThings, rebranded by Aeotec as the Smart Home Hub, serves as the command center of a smart home and lets you control cameras, door locks, home audio systems, and other IoT devices through modern wireless protocols such as Z-Wave, Zigbee, Matter, Thread, and Wi-Fi — all from your smartphone. However, these conveniences come with their own set of security risks. What’s most terrifying is that once the hub is compromised, an attacker could unlock doors or turn off cameras, leaving you unaware of intruders. It is no exaggeration to say that the security of the hub is equivalent to the safety of your daily life.

To prove how easily this smart-home nightmare can become real, we showed how a single API request was enough to take over the Samsung SmartThings. Armed with nothing more than a tabletop lab, a handful of low-cost probes, and disciplined reverse-engineering, we hacked through its defenses layer by layer, starting from desoldering the eMMC to extract its firmware, moving on to bypassing Secure Boot to neutralize TrustZone, then decrypting the file system to retrieve the main binary, and finally reversing a thorny C/Rust executable whose critical function took IDA Pro four hours just to rename a single variable. Ultimately, we revealed a vulnerability residing in an obscure yet exposed service that allowed us to take control of the entire device with a single, precisely crafted API request. That also made us, DEVCORE, stand alone in the Home Automation category at Pwn2Own Ireland 2024.

In this talk, we will unpack our whole journey of exploiting the SmartThings and clarify the true definition of "pwn." You'll see how, despite those modern protections and a decompiled mess, we rapidly grasped the system architecture and located its most vulnerable points under tight time constraints. If the Samsung SmartThings is new to you, the step-by-step breach presented will keep you on the edge of your seat. But if you've already explored its internals before, you'll find yourself furious that such an absurd vulnerability slipped right under your nose. The takeaway is simple: never accept a "secure" label until you have ripped the product apart yourself.

Slides: https://hardwear.io/archives/netherla...
-----
Follow us on : https://hardwear.io/
X : https://x.com/hardwear_io
LinkedIn:   / hardwear-io-hardwaresecurityconferenceandt...  
Facebook:   / hardwear.io