Hijacking security hub. possible?


(Thomas Yang) #1

Hi guys, I just came up with one question.
Let's say I am setting up my SmartThings product, and I have a friend who also uses a SmartThings product. Isn’t it possible for us to detect each other’s?

So, my friend turns my light on/off and I unlock/lock his door?

I am not clear on this. I also read about the hub, but need more details.

Thanks!


(Jody) #2

Short answer: No.

You will not accidentally turn off your neighbor’s SmartThings connected devices. The hub connects to the cloud and your mobile device has to connect to the cloud via the internet to access your devices. All of your devices will be tied to your account and your friend’s will be tied to his. The wireless radios in the hub are Zigbee and Z-Wave. Each hub will have its own mesh of devices. Two hubs in close proximity might interfere but there would be no accidental door unlocking of your friend’s locks.


(Tim Slagle) #3

Jody is right.

Here’s the short answer:

Each time you add a device to your network (mesh) it exchanges some security protocols with the hub. When this happens the device is “tied” to the hub it exchanged security information with and only that hub. The only way to add that device to a new hub is to have the hub tell it they no longer want to talk or have physical access to the switch and factory reset it.

Your next question might be: But then if someone resets it can someone add it back to my hub?

Nope… Unless they have access to your SmartThings account.

Long and the short of it… Have a strong password.


(The fish is still dead.) #4

Two factor auth/authy support, please! :blush:


(Tim Slagle) #5

While I am a huge supporter of 2FA it is by no means a fix all. Most security experts will tell you that while 2FA is a great second layer of protection it does not negate the need for a strong password.

http://www.wired.com/2013/04/five-myths-of-two-factor-authentication-and-the-reality/


(The fish is still dead.) #6

I never suggested using a weak password, only the addition of 2FA. =)


#7

You have to understand that there’s a lot going on under the hood here, and most of it doesn’t involve interactive users. I don’t know how one would implement 2FA between, say, a contact sensor and a hub. Would you force it to renew with a new auth code every 30 days? What happens when you have 100 devices on the network (not at all unusual in a larger house)?

2FA is a good idea for user authentication, but not such a great idea for device-to-device communication. Also, Authy as a 2FA solution always seemed… odd to me. If one of your authenticators is in the cloud, isn’t that a risk in itself? I strongly prefer something like Google auth where a key exchange happens and your device holds the only copy of your key.


(The fish is still dead.) #8

Your password doesn’t apply to the sensor/hub communication, so why would the 2FA?


#9

That’s the point, it wouldn’t apply to sensor/hub communication. The OP was worried about his hub controlling his neighbor’s devices, which doesn’t involve a user password.

Having said that, I do like 2FA for user auth, and I don’t think it’s a bad idea for ST so long as I’m not forced to re-enter my username/password/authenticator more than once when setting up a new client device.