Gluten free, organic (“Inside Cybersecurity” Sept 2018 mention of new ST security requirements for 3rd party devices)

Any clarity as to whether the forthcoming announcement should be interpreted to mean:

  1. “to use our ‘works with SmartThings’ label, device makers must up their game on IOT security”
  2. “we won’t let devices connect to your hub (and therefore our cloud) if it doesn’t meet our minimum security requirements”

Specifically, I’m asking whether community developed device handlers for devices nor specially approved for use with SmartThings are going away?

From Inside Cybersecurity:

“Samsung will be announcing soon, I can’t give you an exact date, security requirements for third-party devices and Samsung’s own devices to connect to that Smart Things cloud,” Godfrey said during a panel at the “State of Cybersecurity Conference” at Georgetown University’s School of Continuing Studies.

“If cybersecurity is like organic and gluten free, we want to throw the biggest and best party, and invite everyone to come,” Godfrey continued. “But to come to the party you have to bring an organic, gluten-free dish. We think this will move behavior, it is not a regulatory solution, it is an industry-led solution, but if the party is big enough and people want to be there, you’re going to do the right thing for cybersecurity.”

Do you have the link to the full article because it’s hard to discern what is meant just from the snippets you posted. I would assume that they mean cloud to cloud devices. Devices connected directly to your hub (either z-wave, zigbee or lan) should be exempt from this. Zigbee and z-wave are already secure. And devices on my LAN only get an IP when I allow them. If they take away all DIY LAN devices, that will be the best thing to happen to Hubitat since they launched.


i’m guessing he’s referring to WiFi and/or Cloud-to-Cloud connections. Zigbee and Z-wave hub connected devices have their security baked in as part of their approval through the z-wave or zigbee alliance.

Here’s all I found

Yeah, it sounds like cloud-to-cloud or direct to cloud devices. I would assume devices that access your hub on your LAN would be exempt since they are directly connected to the hub.

There isn’t much more detail in tab full article, which is behind a paywall. I was encouraged to see in the April announcement about rate limiting of apps that Samsung remains committed to community-developed apps and handlers.