Forbes article on SmartThings security issues


(Michael Hess) #1

http://www.forbes.com/sites/thomasbrewster/2016/02/17/samsung-smartthings-vulnerabilities/#6fecc5af4e59


(Michael Hess) #2

Obviously anything relying on radio is susceptible to interference; the fact that a loss of a sensor is not addressed by ST is the real problem. If a motion or contact sensor drops off for more than a few seconds or something, it should set off the alarm as well. I’d rather have more false alarms than a real break-in that goes unannounced. The ZigBee issue with keys sounds correctable though.


(I got a hair cut from Alexa) #3

Everything is vulnerable…it just is. Even humans and dogs standing guard. That’s why you do security in layers and with different systems. On the other hand, Forbes does a lot of hit pieces on Samsung while glorifying Apple…so maybe I’m overthinking this.


(Michael Hess) #4

Yeah this is a lot of “no duh” kinda stuff, but I think it’s important people don’t get complacent with a security system, like you said, layers!


(Matt Perva) #5

Correct. I think a lot of people have asked the question about using ST as a security system. While I feel it can somewhat, nobody should feel that using ST will replace a full security system, because the instability alone would make me want to not use it as one. Agreed with the previous: if a sensor loses signal for an extended period of time, it should automatically sound the alarm.


(Beckwith) #6

A bigger concern and the bigger story to me is reliability. Who cares if some hacker can figure out how to compromise the system if it doesn’t work reliably in the first place? If your door unlocks on its own as @JDRoberts has reported, who cares about the pimpled hacker? It is more likely that a drug addict would break in than a sophisticated thief.


(Dan Lieberman) #7

Hi All –

This article describes the same set of issues that came up back in December - see the earlier post describing the issue and our remediation plan. My earlier post indicated that we had hoped to have an update in place in 60 days to address the malicious misuse of insecure rejoin by allowing users to turn it off, but as is often the case with firmware, it’s taken us longer to get done. The update is in testing now, and we’ll make the firmware update available as soon as we’ve validated that it works as expected. I do want to apologise to all of you for not updating the Community sooner when it became clear that we wouldn’t have the update out in the timeframe we initially suggested.

To be clear, insecure rejoin is a convenience feature that is designed into the ZigBee specification - and turning it off may have the effect of causing some devices to lose their ability to talk to the network from time to time - the only way to get them rejoined would be to delete the device, do a factory reset, then re-pair. This is why we are assessing it carefully.

As always, please let me know if there are any additional questions I can help answer.

Thanks,
-d


Disable ZigBee Insecure Rejoin