Extremely Scary Bug! (Lost internet causes away/arrival sequence to fire)

presence

#1

Hi all,

I woke up today to a notification saying SmartThings had unlocked my connected door lock at ~3:55am. After momentarily panicking and checking the house, I came to realize what had happened. Somehow, either the internet had gone offline, my router had restarted, or the SmartThings hub itself had. Whenever it came back online, it ‘detected’ the presence of my SmartThings arrival sensor and unlocked the door per my automation rule.

I’m still investigating, but if it was the internet, this means that all somebody has to do is unplug your uplink to the internet and plug it back in (often the ISP cables are just sitting outside your house), and if you have an arrival sensor, the door would unlock. Similarly, if it was the router/hub, if an attacker can temporarily cut your power, they can open the door. Obviously, this is a huge security risk. I believe my setup is correct also - I basically took the arrival sensor out of the box and set it up per the instructions.

Has anybody else experienced this? Any ideas on how to fix? I’m disabling the arrival sensor automation until I figure out what to do.

Thanks for reading.
PS Sorry if this is a known issue, I wanted to get it out there before I forgot.


SmartThings Arrival Sensor accidentally unlock all my doors at 1 a.m
(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #2

This is a “well-known” issue. :rolling_eyes:

###Arrival of ZigBee Presense Tags must never be used to unlock doors or open garage doors!!!


(Steve ) #3

Agree I wouldn’t use the arrival sensor.
But if you really have to you could add a restriction so they aren’t used at certain hours or when in night mode etc.


#4

Thanks for the prompt replies!

I didn’t realize these shouldn’t be used for unlocking doors, I thought that’s what these suckers were for! Especially since they give you a nice keyring hole on it and all…

What can/should be used for door automation? From what I understand, phone geofencing can be pretty unreliable (and that’s been my experience with Tasker automation). I have some NFC tags, I can set up one of those to trigger sending an unlock command (via IFTTT). It would be secure as there’s no info on the tag itself, it would just trigger a web request on the phone, but it’s a bit cumbersome, needing to tap something with my phone to get in if my hands are full.

Any ideas?


(Robin) #5

This is true if you are at home, luckily not a problem if you are out as the sensor won’t report it’s arrived until you actually arrive… so at least a thief would have to be very brazen (but certainly not unheard of!)

I use webCoRE to reduce the risk somewhat whilst I’m home. Basically my locks won’t release unless the triggering arrival sensor has been away for at least 10 minutes, so a brief internet drop out or other glitch won’t trigger an unlock.

I also have the locks programmed to re-lock 1 minute after arrival just in case a longer drop-out occurs overnight.


(DavidK) #6

Not sure if this makes it any more reliable, but you can change the timeout period for the presence sensor. My default was 2 minutes.

I have a screenshot.


#7

Many people use the presence sensors for controlling doors, the trick is just to put other conditions around it. Some people use time of day, a lot of people use mode, some people use other conditions.

Personally I used to have a lot of problems with false detection of the arrival sensor. :disappointed_relieved: The issue has been discussed in detail in the forums, with different people taking different approaches.

In my case, i now use two different types of devices in combination when I am leaving or arriving before I allow the mode change that would then trigger anything else. This is detailed in the following thread (this is a clickable link).

So it’s definitely an issue you need to understand if you are going to use any kind of presence indicator. But it’s also quite easy to work around if you want to. :sunglasses:


(Jimmy) #8

as others have said, Add a mode or time restriction. for example, non of my unlocking/opening rule can run in Night or Away mode.


(Glen King) #9

Once again, taking it somewhat outside ST comes to the rescue.

The solution I arrived at is this: create “person_home” variables in Tasker, one for each arrival sensor.
Set each variable to ‘home’.

[If a sensor leaves, ST reports it to Tasker via Sharptools. Tasker then sets the “person_home” variable to ‘away’.]
NOTE that the bracketed sequence can only occur if ST is operational!! If ST is not operational, the Tasker “person_home” variable remains ‘home’.

Now… when a sensor arrives in ST, it reports that to Tasker via Sharptools. Tasker ONLY sends the command to open the lock if it senses a variable has changed from ‘away’ to ‘home’.

The OP’s scenario has the person’s sensor “arriving home” with the variable already at ‘home’ - hence, the lock open command will not be sent.


(Glen King) #10

As my first foray into webcore variables, I’m going to see if I can’t somehow replicate the above in a piston.

But then again, the issue is mitigated by my 2-minute door lock piston; the odds on a burglar trying to walk in the front door between the exact moment that ST comes up after being down and my presence sensor unlocks the door, and those two minutes expire, are almost astronomical.


(John) #11

Likely because you were pinging off cell towers.


(Jason) #12

I use Tasker, created a Virtual Presence and tied that to my phone. When I come home and my phone connects to my wireless network it tells the virtual presence I am home and opens the door. I also have it set so that no matter what it will not open when the alarm is in Armed mode, and It has a restriction that it will not work between 9pm and 6am. I have used this for about 6 months now, it has its quirks, but is much more reliable than the native android presence from ST.


#13

Sounds nice, do you mind sharing the pistons you made for this? This happened to me this night, and your solution seems much better…


(Robin) #14

#15

@RobinWinbourne
thank you for sharing.

@JDRoberts
Was thinking about what you wrote, “put other conditions around it”.
After sticking a flicbutton to my front door earlier today to use for doorbell button, I just realised.
What if, instead of having the door auto unlock with presence sensor only.
On the flic button I can choose between click, double-click & hold.

if presence changes to present, within 2 minutes after presence changed to present, if flicbutton is hold, locks open.
is it possible to have a “within timeframe” like that in webCoRE? If so, please tell how.
Would this be a decent solution? if its even possible? or am I missing something?


(Robin) #16

I would do this as follows:

If Flick button’s button IS held
AND
age([presence_name:Presence]) IS less than 120000
THEN
With lock
Unlock


#17

Nice, but I cant seem to find that «age» is less then setting?


(Robin) #18

It’s an expression… you have to type it in manually.

When setting up the IF block, open the drop down list that defaults to ‘physical device’ and change it to ‘expression’.

Type in age([device_name:presence])

Then fill out the rest of the window as usual.


(Zachary Evans) #19

I came across this thread and it got me thinking so I made my own CoRe pistons using presence and time to run my “Im Back” routine. I never thought of doing the presence stuff like this until I read everyone’s posts; great ideas. I actually gave up on presence because of unreliability and switched to using a keypad that would run routines with an entry and exit delay for the alarm. Anyway I created some test presence sensors and a test door so I could do this without actually having to go in and out of my house and leave. So the idea is once I pull up into my driveway my phone will be detected and mark me as a present. If my phone changes to present it will set a variable to the time of arrival. Once either the garage motion sensor trips or the back door is open it will look at the current time and the set variable time and if they are within 5 minutes it will run my I’m back routine. If it is false it will do nothing and my 60 second entry delay will trigger and the alarm will go off if it is not disarmed from the keypad within that time.

03 AM
24 AM

so my biggest issue with using my phone prior to this was it would Mark me away when I was actually home and it would run routines when it wasn’t supposed to. So I’m hoping this will prevent that from happening. I’m going to have it only work whenever the current mode is away


(Zachary Evans) #20

So I finally left this house this weekend and returned about an hour later and this worked perfectly. It detected my presence when I was about 50 feet from my driveway (i have the smallest geo fence possible). 3 minutes later I opened my door and a soon as it hit I heard the alarm go off and my lights (part of the im back routine) came on.

I am glad I set this up; I have only had presence turned back on for about a day and it already has several errors. Apparently I left at 11pm last night for 20 minutes…and this is with my gps left on.