Network Security and Data - Safe options?

So - Ive Decided to take the plunge in creating a new topic which I’m always fearful of doing - I did some research but the things I saw were old or on a higher level of complexity and thought maybe I could initially get some straight forward answers!

I’m a new to the HA and ST - I’ve had an echo for a while, got a couple of lights and it got me interested whilst I’m redecorating to maybe do a bit more. At the time I only had a couple of Wifi lights on the 2.4ghz linked to Tuya. I was also looking at ST app so had this linked via Globe Suite until it broke. However when I was looking for some more lights I saw a post in a review around some one saying one set included malware. I have no idea if this was genuine or some one just annoyed with customer service etc. However - it got me thinking as to if there could be potentially any one having access to network and collecting data or passwords etc. Edit - I have also purchased a ST hub too since incase that makes difference to answers

So firstly - Is this something I should be considering or over the top?

I did look to split my hub - use the 2.4 Ghz as HA and 5 Ghz as personal devices. Would this make any difference at all or not as from the same router? (I actually did this and to my luck discovered the 5Ghz wasn’t functioning and why I’ve had intermittent issues.) I just received new hub from ISP and although I can split it I have to keep the same password which seems pointless as its the device I want to keep away from hooking on to either device.
However - if it does make a difference having on separate I do still have the old hub so could use the 2.4 for HA and the new hub for all personal - if so what order should I link the devices. Should HA be secured on the end off of the Personal - or should the HA router be first - with the Personal access point being secured off of it. (I can make cases for both in my head so trying to understand how it actually works).

Any way - be great to understand if actually my concerns are over the top or if it is something I should be considering and some solutions?

Thanks

Not over the top, but the possibilities probably aren’t as great as you fear, either.

Let’s consider some possible scenarios:

  1. Local Thieves. you are an ordinary person who lives in an ordinary house in an ordinary neighborhood. Someone wants to break into your house and physically enter it. The odds are it would be way easier for them to kick in a door or break a window Then try to hack your system. Granted, there are some impressive magic trick type hacks that get written up in journals from time to time but very few of them would be practical for your typical sneak thief.

Now if you are a very wealthy or famous person or you have a malicious ex or family member who is specifically after you, that’s a different kind of situation. But in that case you’re not going to be looking at smartthings in the first place. :wink:

  1. Clockwork Orange type gangs. some malicious scriptkiddies randomly attack your system just to create chaos. Their goal is to see your individual suffering even if it doesn’t financially benefit them.

The most common type of these attacks are based on you having used the same user ID and password on multiple sites and some dark website having this pair available for sharing or sale. This is what has led to almost all of the recent Ring attacks in the news, for example. The Ring system itself wasn’t hacked, The attacker got the password based on the people having used it on a different site And they just randomly went around trying a big list of these until they got one that worked. :disappointed_relieved:

Most camera systems and security systems, including ring, offer optional “two factor authorization” (2FA) Which eliminate this attack vector, but again the people in the news didn’t have that turned on.

My personal advice would be to never buy a camera system that doesn’t offer two factor authentication and always use a password generator so you have a different password on every site. That will avoid most of these kinds of attacks from People who just think it’s funny to scare random other people. :scream:

SmartThings does not offer two factor authentication, btw.

  1. Thieves looking for something virtual of value may use an unsecured home automation vector to get into your WiFi network, Looking for banking or credit card information or potential identity theft information. They don’t need to ever be physically at your house.

This is a real if Uncommon threat. It requires much more skill than reusing a password. For this one you have to weigh the likelihood of it happening versus the potential loss.

To be honest, most people just shrug their shoulders about this one and go on with life, assuming they won’t be the one who gets mugged this way.

I would probably feel that way as well if I were the only one using my home network, but I have two housemates who are pretty typical guys under 35 and go to some fairly sketchy sites that I don’t want anywhere near my own financial information. So I run separate networks. But not many people do if you’re just worried about random stranger attacks.

Again, if you are wealthy, famous, or have a malicious person who might be specifically after you you would want to take more precautions.

  1. Mass destruction attacks. Anarchists or threats from foreign nations who don’t care about your individual response to their activities (unlike the sadists in 2 above) Figure out a way to just crash a whole bunch of systems at the same time. The equivalent of turning all the traffic lights green or poisoning the water supply.

We don’t like to think about it as a possibility, but it is a possibility. So then you have to look at protecting yourself from the potential damage. Which really is the exact same damage you would have just if an individual company’s system glitched really bad. (A far more likely occurrence.)

So how do you protect against that? You have a plan for backing up and securing any information you don’t want to have to rebuild from scratch if everything does go bad.

You deploy your devices in a way that they won’t cause physical injuries if they go on or off unexpectedly.

I personally don’t put anything on Networked home automation That wouldn’t be safe to have run for 24 hours unattended.

And I don’t put anything on it that might kill somebody if it started unexpectedly, including power tools and garbage disposals and cars.

I don’t put an isolated heating or cooling system on a room where the person who sleeps there is not capable of getting up and readjusting it themselves. (Whether it’s an infant or a person with a disability.)

I only use UL or ETK rated devices if they are going to be wired into the mains.

But if the anarchists (or PGE :rage:) take out all power or any subset of my home automation system for a few days, we should be able to manage. And if any part of it turns on again unexpectedly, it won’t be a disaster.

There’s no real way as an individual to prevent this option from happening, but you can use planning to reduce any potential damage if it did happen.

  1. Government uses your home automation system to spy on you or to gather data that you wish they wouldn’t. I’ll be honest, I have concerns about this in general in terms of the laws that get passed, but I just don’t worry about it as an individual risk.

I do make some choices about which companies I will do business with, even for their free services, but it’s not about anyone specific threat, it’s about their general corporate philosophy.

If this particular issue worries you as an individual, again, you aren’t likely to be using SmartThings. You’ll be looking for something that runs totally locally and stay off the Internet. :wink:

Now how much any of those five options will bother you specifically is just a personal issue. You might care about all of these. You might care about none of them.

The following thread talks about some of the specifics you can do in your planning in regard to a SmartThings system.

How to: Planning for Outages

But mostly keep your device software up-to-date, don’t reuse passwords, understand the risk from other people in your own house like my roommates, and plan your device deployment so no one will be physically harmed if it does or doesn’t work when expected. And you’ll probably be fine.

5 Likes

Thanks @JDRoberts for taking the time to provide such a great overview of things to consider.
Im sure it will come in handy for many people who start out the journey.

Point 1 isn’t really that significant to me - I’m not specifically worried about use of equipment to get within my residence. Like you say the local thief wouldn’t be bothered about this kind of equipment and would just do a smash and grab job.

Point 2 is something I was in the process of re-doing. Although feel I’ve taken a step back with the new hubs dual bands not allowing for separate passwords. However improving them all is more significant.
I’m not sure how I feel on Ring - I read somewhere how they decided to create a back door for surveillance services? I’m not sure how I feel about this - on one side supporting services to take preventative measures and fighting crime is a good thing, on the other hand in line with point 5 - I have to wonder what other uses they will take from this. And it should be an option not an enforcement? However - I guess we won’t ever know if we use a security system that links with cloud services?

I don’t yet use anything that would be of any physical harm or concern for any one but all good points to consider as I continue.

I think my main point of interest was linked in with 3 however you can tell me if it is different to what you mentioned. The concern was about devices that come with malware pre built in to them. Connecting the device already gives them access to the network - is this something that happens? Its where I had read about using a separate network. I’ve managed to locate the review that I happened to see that mentioned about malware on a light which initially got me thinking…

Malware Review on AliExpress Store

Thanks again - in general I don’t think I need to worry so much however be great to hear what you think about the above?

1 Like

The following point is just my personal opinion and a lot of people disagree with me, but I don’t buy anything from either Ali Baba or Ali express. There’s a ton of counterfeit stuff on the services, and, yeah, cheap Chinese stuff sometimes has malware on it. :scream:

I don’t buy anything electronic off of eBay, either. Or from third parties selling on Amazon or Walmart unless they are the manufacturer of that item or another authorized retailer that I know.

I only buy from authorized dealers of known reputation Where the manufacturer will honor the warranty.

But… There are a lot of people in the community who feel differently and feel the cost savings are worth it to get either no-name products or products from the big marketplaces. That’s a choice you have to make for yourself.

As far as ring and their cooperation with law-enforcement services, each individual customer does opt in as to whether they want to be part of that access channel or not. If you say you do, you are allowing the police to look at your door cam videos for when they are investigating crime on your street. I personally don’t participate. I would share a specific individual video with law-enforcement if I thought it was relevant, but I don’t give a blanket permission. But again, that’s just me.

2 Likes

Some great advice @JDRoberts thanks. Definitely something I will consider.
My initial idea was just to get a feeling if it was something I liked… but I hadn’t considered any dark side there may be too it - plus there is the safety element of imported items not constructed to standards. think it may be the better option to build up a little more slowly but take the more secure options.
Good to hear about ring … I only briefly heard so hadn’t looked into it.

1 Like