There are a couple of companies like Cujo and Dojo that are releasing products in the next year or so specifically as context-aware firewalls to secure IoT hubs. However, none of these products are out yet. What should we do to secure our Smart Things hubs and cameras and other IoT devices in the meantime? The thread on network security on SmartThing only seems to cover basic issues of securing wifi and that’s about it.
Interesting Topic … but very “wide open” in scope.
I’m watching to see where it leads and contribute to the discussion.
General Questions:
- What do you mean by “secure”?
We can eliminate a lot of tangential discussion by assuming that:
(a) You keep access to the SmartThings App secure (i.e., it stays logged in, so be sure to secure all your mobile devices using traditional lock screens).
(b) There is no two-factor authentication available for the App or the IDE/API web at this time.
(c) Third-party Apps (both big and small … Amazon Alexa, IFTTT, InitialState, SmartTiles, …), are a huge topic that likely is out of scope of this one.
And to add one more detail to @tgauchat 's excellent questions:
Do you mean secure in terms of protecting your data? Or in terms of protecting your account from unwanted control requests? Or in terms of protecting your house if you are using SmartThings as a security system?
These are three separate questions, with very different answers.
For example, the best lock in the world doesn’t protect you from somebody breaking a window on the other side of the house. And most locks don’t protect you from somebody breaking a window right next to the door the lock is on.
Any wireless radio frequency system can be jammed by someone who is physically pretty close to it. It’s essentially the same thing as turning on the microwave and Netflix starts to buffer.
That means if you are trying to keep your house safe and you are relying on wireless radio frequency contact and motion sensors, it’s always going to be possible for someone targeting your specific house who is very nearby to jam those signals so that the reports of a change in state don’t get through to your system controller. That’s just physics.
To get around that, more expensive security systems will do a “wellness check” where they ping the sensors from time to time and send an alert notification if a sensor is not responding.
You could do that yourself with SmartThings, but it’s not a built-in feature.
Even more expensive security systems have a feature which can detect attempted jamming, but it means having additional devices and it’s a much more complicated approach than the wellness check.
Anyway, a wellness check is a reasonable approach for the jamming issue for most low end security systems. But obviously it doesn’t do anything about protecting your data or preventing unauthorized control commands.
So that’s why the details matter in terms of security vulnerabilities. There are many different ways that the system can be vulnerable, and each needs its own targeted solution.
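The “wellness check” described above (ping or watch each sensor, alert when one stops reporting) as an added, runnable example. This is not SmartThings code and not a built-in feature; it is a standalone watchdog that reads a constructed log of sensor reports, flags any sensor silent for longer than its expected check-in interval allows, and escalates when most sensors go quiet at once, since that pattern looks more like jamming or a dead hub radio than a single flat battery. The device names, intervals, log format and the “more than half stale” threshold are all assumptions made for the illustration, and the escalation is a heuristic, not the dedicated RF jam detection that the reply notes requires extra hardware.

```python
"""Wellness check for wireless sensors (added example, not SmartThings code).

Flags sensors that have not reported within their allowed silence window and
escalates when most of the inventory goes quiet at the same time.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sensor:
    name: str
    expected_interval: timedelta   # normal check-in cadence (assumed per device)
    missed_allowed: int = 2        # check-ins that may be missed before alerting


# Hypothetical inventory; intervals are assumptions for the example.
INVENTORY = [
    Sensor("front-door-contact", timedelta(minutes=30)),
    Sensor("back-door-contact", timedelta(minutes=30)),
    Sensor("hall-motion", timedelta(minutes=10)),
    Sensor("garage-contact", timedelta(hours=4), missed_allowed=1),
]

# Constructed sample log, one report per line: <ISO timestamp> <device> <event>
# (deliberately not in time order to show that parsing keeps the latest report).
SAMPLE_LOG = """\
2024-03-01T21:55:00 front-door-contact battery=87
2024-03-01T22:10:00 hall-motion active
2024-03-01T22:20:00 back-door-contact closed
2024-03-01T22:25:00 hall-motion inactive
2024-03-01T22:40:00 front-door-contact closed
2024-03-01T20:00:00 garage-contact battery=60
"""


def parse_last_seen(log: str) -> Dict[str, datetime]:
    """Return the most recent report time per device."""
    last_seen: Dict[str, datetime] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, device, _event = line.split(maxsplit=2)
        when = datetime.fromisoformat(ts)
        if device not in last_seen or when > last_seen[device]:
            last_seen[device] = when
    return last_seen


def stale_sensors(inventory: List[Sensor], last_seen: Dict[str, datetime],
                  now: datetime) -> List[str]:
    """Sensors silent for longer than missed_allowed * expected_interval.

    A sensor with no report at all counts as stale: a device that never
    checks in is exactly what a jammed or dead sensor looks like.
    """
    stale = []
    for s in inventory:
        seen = last_seen.get(s.name)
        limit = s.expected_interval * s.missed_allowed
        if seen is None or now - seen > limit:
            stale.append(s.name)
    return stale


def assess(inventory: List[Sensor], last_seen: Dict[str, datetime],
           now: datetime) -> Tuple[str, List[str]]:
    """Severity plus the stale list.

    'ok'               - every sensor reported within its window
    'stale'            - some sensors silent (battery, range, single failure)
    'possible-jamming' - more than half the inventory silent at once; a
                         heuristic chosen here, not real RF jam detection
    """
    stale = stale_sensors(inventory, last_seen, now)
    if not stale:
        return "ok", stale
    if len(stale) * 2 > len(inventory):
        return "possible-jamming", stale
    return "stale", stale


def wellness_report(log: str, now_iso: str,
                    inventory: List[Sensor] = INVENTORY) -> Tuple[str, List[str]]:
    """Convenience entry point: parse the log and assess it at time now_iso."""
    return assess(inventory, parse_last_seen(log), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # At 23:00 only the motion sensor has missed its window; by 00:30 all four have.
    print(wellness_report(SAMPLE_LOG, "2024-03-01T23:00:00"))
    print(wellness_report(SAMPLE_LOG, "2024-03-02T00:30:00"))
```

In practice the same loop would run on a schedule against whatever “last activity” timestamps the hub exposes, and the per-device interval should be set from observed cadence rather than guessed, otherwise a rarely triggered contact sensor produces constant false alarms.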
Cujo and Dojo will do very little to secure a ST implementation.
ST hubs, through which all internet-bound communication to the rest of the in-house ecosystem must filter, are controlled by ST themselves, and you must allow all communication to and from ST’s cloud-based systems.
Very little else happens with that ST box, although you will want to limit communication to it - this is normally accomplished by the simple nature of NAT at your perimeter. You should have some sort of security gateway there as well.
Most attacks on ST are likely to leverage cloud bound vectors over which a local gateway can have no preventative capability.
Both of the offerings are very thin on actual details (surprise, surprise), but what could be interesting is some future offering that was able to prevent or detect anomalies, attacks, or undesirable actions on the local Z-Wave, Zigbee, etc. networks by monitoring devices, statuses, communications, etc. I don’t know enough about those protocols to know if such overlays are possible, but this would be interesting as these networks and our dependencies upon them grow.
I’m interested to see where this goes as well. I agree with the above. I’m mostly interested in seeing where local radio hacking comes in. Back when WEP wifi encryption was the best security, I remember being able to hack right through it in a minute or less. WPA was maybe a few minutes, sometimes less, sometimes more depending on your timing and if you get lucky and sniff the radio signals while someone is connecting to the network (or you can sometimes force them off the network and force a reconnect)… I’m sure attacks like these for zigbee or ZWave networks aren’t far away.
I too don’t know the protocols well enough, but how hard would it be to hack the ZigBee/zwave networks and spoof some unlock commands.
Put the IoT devices on a separate low-security router that doesn’t share keys with the high-security router for banking and whatever other traffic. Most of today’s IoT will never be fixed for the security holes they have.
IoT door locks are something else. I’m still using sad ol’ keys.
A very simple low cost advantage is to connect your hub to the cellular data network. That way it is completely on its own network. FreedomPop offers a low cost device that when set up correctly costs you nothing per month. FreedomPop offers 500MB per month for free. My setup has about 60 devices running about 40 apps and the typical data usage is about 180MB per month. Well within the free limit.
How does that secure it?
Security comes from isolating the devices from the home’s or business’s general network. Most people talk about breaching a weakness in order to gain access to more valuable data found on the network. If the hub or any of its devices are breached there is nothing to gain other than the local telemetry. And if people want to crawl down that rabbit hole then the only other option I can see is to unplug everything and put it back in the box.
I’d suggest the segmentation be done with your existing perimeter security device, giving your IoT its own network segment.
A cellular network is not secure in and of itself, and doing this requires you to set up security for the cellular network as well; this is in addition to the security controls you put in place for your terrestrial internet connection.
I use a cellular connection for backup to my primary, they all share a similar control set.
Isn’t this all phobia? When considering all that’s already been said…I mean, c’mon.
Prior to home automation I’d bet most of us were more likely to leave a door unlocked by accident than to get hacked in present scenarios.
Why do we go to such extremes? Prior to home automation we all were fallible to some degree (admit it or not) but next thing you know there’s ST and the expectations of Fort Knox.
There’s logically, possibility and reality. The first two are gonna cost you to not stress over.
Spam isn’t a big deal either - just delete it.
The additional aspects of remote hackability, difficult attribution, and access to rich information derived from IOT infrastructures changes these dynamics.
The minute your lights are turned on at 3am by some script monkey just to mess with you and wake up your family, nothing even damaging, tunes will start to change.
Folks try to minimize the risk or even inconvenience by saying, go ahead and peruse my plex library - I DON’T CARE…hahaha. security… what a waste.
But the reality is, sirens turned on, cameras being watched, doors unlocked for purposes of theft… they will happen no matter how much effort we put into security because security is not absolute. But we need to make it very very difficult so it is not common place. It doesn’t take much for these issues to quickly overcome the inconvenience of proper security.
Let’s not forget, this is a product that is intended to SECURE YOUR HOME. It should close vulnerabilities and not add additional vectors of attack, by definition.
Ironic…good point!
People DO make light of others attempts to keep their loved ones safe…don’t they?
“the children…a bit over the top don’t you think?”…or something to that effect…sound familiar?
And now here I am the one making light lol. I hope it wasn’t at the expense of anyone’s loved ones.
As with anything there is best case and worst case scenarios…pro’s / cons. What matters greatly for some may be miniscule for others. I suppose it all depends on the application and how it is used.
I agree, some of it is a gamble, to a degree (my words). I’m sure in homes with the elderly, or those with physical / mental disabilities (whom may utilize home security and / or home automation), the reward outweighs the risk.
I was never aware that ST was intended as a home security system first and foremost.
At any rate…let the mouse / mouse trap debate continue on. I won’t be deterred regardless. If I do indeed minimize the risk, seemingly to make myself feel better about it, then so be it I suppose…the odds are in my favor until they are no longer.
I suppose they would be disappointed that I didn’t “buy in” to the Security System pitch.
The point I was attempting to make is that SmartThings is sold as a Home Automation solution where self monitored security is among the benefits.
Under that umbrella (if you will) would be home protection and security…security in the sense of locking your door, for example.
Now, does a door lock constitute a Home Security System? Maybe not by itself. How about in combination with contact sensors? I believe together they certainly could be considered Home Security but are Home Automation until they are professionally monitored, in my mind.
I suppose the truth is in the eye of the customer. To me, a security system is monitored by a company who can dispatch authorities in case of emergency. I suppose others read into what marketing intends and translate that into a Home Security System. If someone is over-sold on their pitch then I’m sorry…happens every day. That doesn’t make it the real deal.
Multi-tools are sold as replacing a whole toolbox full of stuff…yet you don’t see car mechanics and construction workers using them.
Look again: The box that is sold at retail at Sears, Home Depot, and Best Buy says “Home Monitoring Kit.” Not “Home Automation Kit.”
The tagline is “Make sure your home stays safe while you’re away.”
It’s sold as a security offering.
It’s also sold in other boxes and other marketing materials as a home automation offering. But consumers aren’t jumping to conclusions if they’re picking up the box at Sears and thinking it’s primarily to do with home security.
Just sayin’…
It is. SmartThings offers professional monitoring for the security system.
So where does Home Monitoring get translated to Home Security System? Here again, it’s all in interpretation.
Correct! A security offering…not a Home Security System. Here again, some translate that to mean ADT is now in a box.
I understand what you’re saying, and do not disagree with the interpretation, should someone choose to accept it as marketed.
As I said, multi-tools are marketed the same way, comparatively.
Does this then mean I am to take that as gospel and no longer need specific tools when the use case arises?
When people get upset at SmartThings because it’s a wanna-be Home Security System, it’s because it has been over-sold as such and the customer then (I feel foolishly) has that expectation.
Are we talking about what it actually is or what they say it is? As I can’t think of much that lives up to “as advertised”.
Works fine for me with no disappointments when it comes to securing my home. I just think better judgement should prevail.
This is really splitting hairs here. It is designed and sold as a Home Monitoring and Security solution. The distinctions being made don’t have weight.
The company’s brand-new 24/7 professional home monitoring service, called ADT Canopy, is one of several new premium service offerings–including the recently announced Scout Alarm–that we’re extending to customers who wish to complement how they secure their home with SmartThings.
Taking this back to the point I made when I brought it up…
This is intended to be a home security solution. It should not introduce new vulnerabilities. It should mitigate existing ones.
We know people can pick our locks. Vulnerabilities such as that don’t excuse away vulnerabilities in SmartThings, nor should they be trotted out to promote a culture of apathy about security within ST. ST needs to be secure. SmartThings agrees.