I hear you and agree on introduction of vulnerability. I’m not sure I understand your reiteration, as I didn’t contradict or dispute.
I stand by my take on interpretation vs. expectation of SmartThings being considered a Home Security System (as I consider them). A solution for some, yes…a solution for all…absolutely not.
To that point, one could maybe get some Home Automation from a Home Security System; however, I wouldn’t have expectations for it to change the channels on my TV.
Heavens…
I’m not debating what they try to sell it as!
Just because they offer professional level service doesn’t mean I’m buying into it…nor should anyone else just because they say so.
My better judgement says otherwise. If anyone wants to keep debating “but they claim” than I don’t disagree with that. I’m not trying to debate ST having responsibility for their advertising.
If I want home security than I’m going with a true home security system and anyone complaining about security vulnerabilities should probably do the same.
Enough said.
I don’t really agree that we should retire ourselves, collectively, to not using ST for things it was intended to do because it has failed to do so reliably or to consumer expectations. That would be a long list of things. Basically, that’s an individual threshold and choice and I sense that when folks say “why use it as a security system” etc they are trying to excuse ST for their failures and also trying to shame the user for using it as it was intended.
My tact is a bit different. I would rather push ST to improve. Improve reliability. Improve security. Improve functionality. So long as ST agrees, and I faith they are trying to do so, and I haven’t completely lost faith that they will eventually execute I will continue down that road.
For the record, I don’t think ST’s security is terrible. There are some things that need improvement for sure, but reliability is a much bigger issue IMO.
What I don’t like to see, however, is the promotion of apathy about security. Especially when fallacious arguments are made to support such apathy.
BTW, I don’t use ST as my primary home security. As I have stated in the community several times. I have a traditional security panel. I also have ST because IoT and IoT security has a much more data rich, and feature rich reality and future. I have layered them on each other. I get rich data from ST and reliability from my old school panel.
When and if IoT is able to provide the reliability the old school panel can/does, then it will be time to consider depreciating it.
For others, it may be a small piece of mind they would otherwise not have at all.If I were in this for security only, and wasn’t willing to install a traditional panel, I would probably look at Abode or Scout - not ST at this time.
I want to see someone try and access my ST home and survive, let alone not get caught.
I know you have the creds, but the reality is even organizations with a quarter BILLION (yes billion) dollar budget for security still get breached. Some have multiple CS PHDs working with the CISO office.
BTW, the most likely way your ST system will be breached is not by attacking your home / st hub directly. It will be the ST cloud being compromised then they have control of all the ST hubs, including yours.
You have no way to secure the ST cloud nor prevent such vulns from effecting yours. You don’t have a ST hub / ST Cloud firewall yet do you? If so I want in. 
Most likely your security stack allows the ST hub to talk to the ST cloud on the necessary ports - but beyond that you have no visibility or certainly no control over what the ST cloud tells your ST hub to do over those ports.
how to keep your setup as secure as possible…
Also I didn’t necessarily mean the iot environment itself, the way I integrated my home allowed me to compartmentalize different functions and areas so that if one falls the others aren’t left vulnerable. For instance if you are physically able to access my attached garage by somehow hacking in through cloud you still won’t gain access to my house.
Similar setup here, cloud only things are on entirely separate lan/switch (segmentation) with their own perimeter security stack. They aren’t even allowed to talk to each other (micro-segmentation).
I don’t trust Vlans, they are not security in and of themselves, so I only use them within similarly positioned security zones but they don’t cross security zones - ex. trusted / unstrusted / etc
The problem is, of course, this is complex and it comes at a cost - and joe consumer will never do this.
Vlans setup on my 2 Asus rt-ac5300s with Asus wrt Merlin using hardware and custom trend micro based firewalls using SHA 2 hash and RSA 4096 bit keys ( might be overkill) .
A counter attack for those that may want to snoop is an “easy” to access video feed that appears to be an ip cam but its really just a looping video embedded with a buffer overload script.
Its not that pricey or difficult to set up and depending on what you need to protect its well worth it.
Careful. Hack backs are a crime. I doubt your going to get any takers in your active honeypot, but legally you can’t hack computer systems that are not yours. Is script kiddie going to file a complaint? No. Will you ever get in trouble, no.
But some one else’s system could be used to attack you, and that third party might complain depending on the nature of your exploit package. Also, legal interdiction systems that get attacked by such active attack back pot exploits might piss off the wrong fed.
99 percent Neva Gona happen, just pointing out legal issues
Join the NSA and hack with impunity where none of the rules apply. You can work with the chief scientists and become one yourself
It doesn’t fall under the legal definition so I am safe ( I just finished that course before thanksgiving, I actually learned something that had a practical application…sort of). Ill pass on working for any agencies like that, already have the clearances from contractor work and see enough of the mans violations of privacy
I appreciate the looking out though!
How does ‘secure’ it?