Forbes article on SmartThings security issues

Hi All –

This article describes the same set of issues that came up back in December - see the earlier post describing the issue and our remediation plan. My earlier post indicated that we had hoped to have an update in place in 60 days to address the malicious misuse of insecure rejoin by allowing users to turn it off, but as is often the case with firmware, it’s taken us longer to get done. The update is in testing now, and we’ll make the firmware update available as soon as we’ve validated that it works as expected. I do want to apologise to all of you for not updating the Community sooner when it became clear that we wouldn’t have the update out in the timeframe we initially suggested.

To be clear, insecure rejoin is a convenience feature that is designed into the ZigBee specification - and turning it off may have the effect of causing some devices to lose their ability to talk to the network from time to time - the only way to get them rejoined would be to delete the device, do a factory reset, then re-pair. This is why we are assessing it carefully.

As always, please let me know if there are any additional questions I can help answer.

Thanks,
-d
