Worlds that could support life are found practically in the Sun’s backyard

Astronomers have found three Earth-size worlds around a cool star just 40 light-years from the Sun.

The star is only about the size of Jupiter and much colder and redder than the Sun. Its luminosity is far less than 1 percent that of our star—so faint that, although the “ultracool” dwarf star called TRAPPIST-1 lies less than 40 light-years from Earth, it can only be seen via relatively powerful telescopes.

Yet it is a star worth looking for. Astronomers using a 60 cm telescope designed especially to study such stars, and any planets around them, have found this system to contain some of the most habitable exoplanets discovered to date. As European astronomers looked at TRAPPIST-1 from September through December of last year, they discovered slight, periodic dimming that indicates the presence of three worlds that are close to or inside the system’s habitable zone. All have radii between 1.05 and 1.17 times that of Earth.

According to the observations published Monday in the journal Nature, the two inner planets orbit the star every 1.51 days and 2.42 days. The innermost planet, TRAPPIST-1b, likely receives about four times as much solar radiation from its star as Earth does, and astronomers estimate its surface temperature is probably closer to the higher end of a range between 11 degrees and 127 degrees Celsius. The next planet, TRAPPIST-1c, receives a little more than twice as much solar radiation as Earth does and has a surface temperature likely between -30 degrees and 69 degrees Celsius. The researchers speculate these worlds are likely tidally locked and, therefore, even if they have extreme average temperatures, they may have habitable regions along the terminator or poles.

A third planet, TRAPPIST-1c, is more intriguing still. Although astronomers have fewer confirmed observations of this world, they estimate its orbital period is between 4 and 70 days, and it is quite a bit farther out, perhaps 0.146 astronomical units (the Earth-Sun distance) from its star. Nevertheless, between the star’s warmth and likely presence of interior tidal heating, they speculate this world probably lies within or just beyond the habitable zone of the star.

Much uncertainty about the nature of these three worlds remains, however, as only so much information can be deduced from the star’s light. One big question concerns the masses of the three planets, which cannot be determined from existing observations. An analysis of Kepler spacecraft data found that most Earth-sized worlds in close orbit around Sun-like stars are rocky. However, much less is known about early conditions of a system forming around ultracool dwarfs, and so it is not clear whether these are icy, rocky, or gassy planets.

Nonetheless, the finding is significant for at least a couple of reasons. First, it provides some observational backing to the theory that small, cool stars could be reservoirs of planets. Astronomers estimate that about 15 percent of stars in the “neighborhood” around the Sun are these ultracool dwarf stars. Second, the proximity of the TRAPPIST system opens the door to observations with existing large telescopes.

“Why are we trying to detect Earth-like planets around the smallest and coolest stars in the solar neighborhood? The reason is simple: systems around these tiny stars are the only places where we can detect life on an Earth-sized exoplanet with our current technology,” said Michaël Gillon, lead author of the Nature paper. “So if we want to find life elsewhere in the Universe, this is where we should start to look.”

Indeed, observations with the Hubble Space Telescope could provide some initial constraints on the atmospheres of these three worlds. Then the James Webb Space Telescope, scheduled to launch in late 2018, could provide critical information about the abundance of molecules in the atmosphere, including the biologically interesting water, carbon dioxide, methane, and ozone. This information would also allow astronomers to put constraints around the surface temperatures of these worlds. Other, much larger ground-based telescopes, such as the Giant Magellan Telescope, due to come online in the 2020s, will provide further details.

Nature, 2016. DOI: 10.1038/nature17448.

from Ars Technica http://ift.tt/1W26jle
via IFTTT

Samsung Smart Home flaws let hackers make keys to front door

Computer scientists have discovered vulnerabilities in Samsung’s smart home automation system that allowed them to carry out a host of remote attacks, including digitally picking connected door locks from anywhere in the world.

The attack, one of several proof-of-concept exploits devised by researchers from the University of Michigan, worked against Samsung’s SmartThings, one of the leading Internet of Things (IoT) platforms for connecting electronic locks, thermostats, ovens, and security systems in homes. The researchers said the attacks were made possible by two intrinsic design flaws in the SmartThings framework that aren’t easily fixed. They went on to say that consumers should think twice before using the system to connect door locks and other security-critical components.

“All of the above attacks expose a household to significant harm—break-ins, theft, misinformation, and vandalism,” the researchers wrote in a paper scheduled to be presented later this month at the 2016 IEEE Symposium on Security and Privacy. “The attack vectors are not specific to a particular device and are broadly applicable.”

Other attacks included a malicious app that was able to obtain the PIN code to a smart lock and send it in a text message to attackers, the disabling of a preprogrammed vacation mode setting, and the issuance of a fake fire alarm. The one posing the biggest threat was the remote lock-picking attack, which the researchers referred to as a “backdoor pin code injection attack.” It exploited vulnerabilities in an existing app in the SmartThings app store that gives an attacker sustained and largely surreptitious access to users’ homes.

The attack worked by obtaining the OAuth token the app and SmartThings platform relied on to authenticate legitimate users. The only interaction it required was for targeted users to click on an attacker-supplied HTTPS link that led to the authentic SmartThings login page. The user would then enter the username and password. A flaw in the app allowed the link to redirect the credentials away from the SmartThings page to an attacker-controlled address. From then on, the attackers had the same remote access over the lock that users had.

Like most of the other attacks, it was made possible by a design flaw in the SmartThings capability model that causes apps to receive privileges that were never explicitly requested. As a result, many apps are “overprivileged,” often through no fault of the developer. A separate flaw in the way OAuth was implemented in the SmartThings app, which was written in the Groovy programming language, allowed the researchers to inject code that performed the redirection.

“This SmartApp was only written with the intention of locking and unlocking door locks,” Earlence Fernandes, a PhD student who co-wrote the paper, said in an e-mail. “However, due to overprivilege and due to being written in Groovy, we could send some instructions to get it to program a new PIN code into the door lock, giving us sustained access to the home. We were able to make it so that the redirection comes to a domain controlled by us. We reverse engineered the binary of the companion Android app of the third party developer, and retrieved the client_id and client_secret. At this point, we had everything we need[ed] to get our own OAuth token.”

The researchers said 55 percent of the 499 SmartApps available during the time of their research qualified as being overprivileged, meaning they didn’t use at least some of the device rights that were requested. The researchers further found that 42 percent of apps were granted privileges they never asked for. Such overly broad permissions violate a core security tenet known as the least privilege principle, which calls for apps and processes to be granted as minimal a level of access as needed to perform their specified tasks.
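The two kinds of overprivilege described above (rights requested but unused, and rights granted without being requested) can be measured with a small audit. This is an added example, not code from the article, the researchers, or SmartThings; the capability table, the device, the SmartApp-style source, and the rule that binding a device grants every capability it implements are constructed assumptions.

```python
import re

# Constructed model (assumption): operations exposed by each capability.
CAPABILITIES = {
    "battery":   {"attr:battery"},
    "lock":      {"cmd:lock", "cmd:unlock", "attr:lock"},
    "lockCodes": {"cmd:setCode", "cmd:deleteCode", "attr:codeReport"},
}
# Constructed device: one physical lock implements all three capabilities.
DEVICES = {"front-door": {"battery", "lock", "lockCodes"}}

# Constructed SmartApp-style source for the audit, not a real app.
APP_SOURCE = '''
preferences { input "door", "capability.lock" }
def installed() { subscribe(door, "lock", onChange) }
def onChange(evt) { if (evt.value == "unlocked") door.lock() }
'''

def requested_caps(src):
    """Map each declared input name to the capability it asks for."""
    return dict(re.findall(r'input\s+"(\w+)",\s*"capability\.(\w+)"', src))

def used_ops(src, inputs):
    """Operations the code actually performs on its declared inputs."""
    names = "|".join(map(re.escape, inputs))
    cmds = re.findall(rf'\b(?:{names})\.(\w+)\(', src)
    attrs = re.findall(rf'subscribe\(\s*(?:{names})\s*,\s*"(\w+)"', src)
    return {f"cmd:{c}" for c in cmds} | {f"attr:{a}" for a in attrs}

def audit(src, bindings):
    """bindings: input name -> device the user selected for that input."""
    inputs = requested_caps(src)
    requested = set().union(*(CAPABILITIES[c] for c in inputs.values()))
    # Assumption: binding a device grants every capability it implements.
    granted = set().union(*(CAPABILITIES[c]
                            for dev in bindings.values()
                            for c in DEVICES[dev]))
    used = used_ops(src, inputs)
    return {
        "requested_unused": requested - used,        # coarse capability
        "granted_unrequested": granted - requested,  # device-level grant
        "least_privilege": used,                     # what the app needs
    }

REPORT = audit(APP_SOURCE, {"door": "front-door"})
```

In this model an app that only re-locks the door still holds `cmd:unlock` through its coarse capability and `cmd:setCode` through the device binding; the `least_privilege` set is the grant a reviewer would aim for.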

The researchers said they uncovered a second design flaw in the SmartThings framework that in many cases allowed unprivileged apps to read and even spoof commands running on a device. They exploited the weakness by creating a proof-of-concept app that requested only privileges to monitor the battery reserves of a given device. Behind the scenes, however, the app was able to snoop on the lock codes as they were being programmed into a device. The malicious app then sent the codes to an attacker in a text message.

In a statement, SmartThings officials wrote:

Protecting our customers’ privacy and data security is fundamental to everything we do at SmartThings. We are fully aware of the University of Michigan/Microsoft Research report and have been working with the authors of the report for the past several weeks on ways that we can continue to make the smart home more secure as the industry grows.

The potential vulnerabilities disclosed in the report are primarily dependent on two scenarios – the installation of a malicious SmartApp or the failure of third party developers to follow SmartThings guidelines on how to keep their code secure.

Regarding the malicious SmartApps described, these have not and would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication. To further improve our SmartApp approval processes and ensure that the potential vulnerabilities described continue not to affect our customers, we have added additional security review requirements for the publication of any SmartApp.

As an open platform with a growing and active developer community, SmartThings provides detailed guidelines on how to keep all code secure and determine what is a trusted source. If code is downloaded from an untrusted source, this can present a potential risk just like when a PC user installs software from an unknown third party website, there’s a risk that software may contain malicious code. Following this report, we have updated our documented best practices to provide even better security guidance to developers.

There are a few reasons to doubt the assurances. First, they make no mention of either of the underlying design flaws identified by the researchers. And second, they gloss over the fact that at least one app that passed review and was available in the SmartApps store already made attacks feasible. According to the researchers, the design of the SmartThings framework was a key contributor to that threat. So far, Samsung has provided no details on plans to fix it.

from Ars Technica http://ift.tt/1TGlBZE
via IFTTT

Engineers Build Working Versions of Iron Man’s Gauntlet and Captain America’s Shield [Video]

In partnership with Mouser Electronics, Grant Imahara from Tested and engineer Allen Pan present the real-life working versions of Iron Man’s gauntlet and Captain America’s shield they’ve built over the past few weeks. Check it out!

[Mouser Electronics]

from Geeks are Sexy Technology News http://ift.tt/1rXLN9l
via IFTTT

The Voice of Winnie the Pooh Reads Darth Vader’s Lines from Star Wars [Video]

Jim Cummings (the voice of Winnie the Pooh) reads some lines from Darth Vader in this amusing video filmed at ConnectiCon 2013. I was pretty sure I posted this in the past, but after searching a few minutes for it, I apparently did not, so enjoy!

[Ian James]

from Geeks are Sexy Technology News http://ift.tt/1rXNV0O
via IFTTT