Major Security Flaw with SmartThings, OAuth, and Zigbee

If you’ve installed any SmartApps into your SmartThings ecosystem, you are at risk.

I’m surprised to see relatively little coverage of the University of Michigan study into the SmartThings ecosystem and the inherent security flaws in the ecosystem.

We are all trusting various aspects of our home security, privacy, and living conditions to our Internet of Things. Having garage doors, door locks, cameras, door sensors, and lights attached to the ecosystem puts everyone at risk until these issues are addressed, or mitigated.

Here is a good overview:

The full study from the University of Michigan may be found here:

The paper is here:

Additionally, Steve Gibson, a well-known security professional that hosts the “Security Now” podcast on the TWiT network, devoted the bulk of one of his episodes to it recently, the episode may be found here:

The transcript may be found here:

Finally, the last two pages of Steve’s show notes do a great job summarizing the issue:

Hope this helps. Steve also then followed up the episode with one on Zwave issues the next week:


This issue has been discussed at length here. Mods please merge thread.

U of M study

And here:

ST Response


A post was merged into an existing topic: SmartThings Platform Security - Response from Alex