New to Forum - Worried about Remote Access security

From the article:

Googling a very simple phrase led me to a list of “smart homes” that had
done something rather stupid. The homes all have an automation system
from Insteon that allows remote control of their lights, hot tubs, fans,
televisions, water pumps, garage doors, cameras, and other devices, so
that their owners can turn these things on and off with a smartphone app
or via the Web. The dumb thing? Their systems had been made crawl-able
by search engines – meaning they show up in search results — and due to
> Insteon not requiring user names and passwords by default in a
> now-discontinued product, I was able to click on the links, giving me
the ability to turn these people’s homes into haunted houses,
energy-consumption nightmares, or even robbery targets. Opening a garage
door could make a house ripe for actual physical intrusion.

That’s not hacking. That’s leaving your doors and windows open with a sign out front saying “y’all come on in” :smile:

2 Likes

I just use “correcthorsebatterystaple” for everything. :stuck_out_tongue:


Reference: https://xkcd.com/936/

4 Likes

Love that graphic. I tried explaining it to my mother-in-law a while ago. That was pointless :slight_smile:

Ahh, Passwords. About as secure as a lock on a door.

Every person who ever lived in new york knows that one lock doesn’t keep someone out, you must have 3 or 4 locks minimum :smile:

I once participated in a lock picking deadbolt contest and the reality is I won very quickly, because I was the only person to check to see if the door was actually locked. It wasn’t. Everyone else immediately started trying to pick the lock while I was on the other side. Next year the contest included 3 locks, some locked, some not, but a strike plate in front of them so you couldn’t see which was locked and which wasn’t.

And yet, ST doesn’t seem to think Two factor authentication rises to a level of priority for the mobile apps or IDE.

4 Likes

Good grief Patrick, give them a break! They have to get simple schedules working first… :grimacing:

3 Likes

I am a wee bit concerned with how my cellphone connects to the Smartthings hub. I do not enter an IP address for the gateway of my home network, and I did not have to punch a hole in my firewall. That means I am reliant on a third party service, even if I dont pay for it. The documentation is not exactly clear as to what the “Smarthings Cloud” introduces as far as security vulnerabilities. It is also not clear if I can disable this cloud connection and function entirely through VPN to the hub.
So, I assume my Hub connects to the cloud, and my device connects to the cloud and they are able to engage in all sorts a magical configurosity. This is really cool, but my account contains the GPS location of my property, as well as the ability to unlock the front door. How secure is this connection through the cloud, and what is to stop somebody from hacking it and gaining access to my property?
My wife is a Security professional, and she is getting all twitchy about me using this solution without more information on what is happening in the cloud.

It’s an understandable concern, and one that’s discussed at length in the forum.

Meanwhile, for the current version of the hub, all the logic and scheduling runs in the cloud, the hub is basically just an antenna relay. So you can’t bypass the cloud as the hub doesn’t have standalone functionality.

Thanks for the response. I appreciate the firewall comments, but those I am already familiar with. My concern is that the key control over the components in my house are not under my control. At home, I can use VPN and totally restrict who can get in, so if I use a Device Hub behind my firewall I have control. I understand the vulnerabilities and remediation for them. I do NOT understand Smartthings cloud. How is the connection authenticated? What happens if Smartthings is hacked, and the hacker basically gets a nice list of locations courtesy of the GPS, along with the “key” to the front door as well as a handy tag that tells them if anybody is home. Does Smarthings publish detailed specification of what they do to ensure that my account is not accessed by anyone I do not want in?
Understand, if this is cloud based, you have given full control of your house to Smartthings. If Smartthings goes out of business (unlikely but possible) your Smartthings hub is an anchor. How does Smartthings protect my account? What data do they store, and how is it protected from unauthorized access? Do Smartthings admins have access to my account (doubt it, but it is not stated!).

@April, please DONT combine this with the existing discussion. This is not a question about how to secure my home network, it is a question about the control of devices on my home network NOT being in a location that I control. This topic has not been discussed at length as far as I can tell.

1 Like

Your account is protected by a password, therefore in can be broken into with enough determination. Your concerns are legitimate inasmuch as no cloud service is 100% secure. My advise - if you think it will make you lose your sleep, don’t use it. :smile:

Anyway, I don’t think the issues you’re bringing up are new. This has already been discussed in the thread referenced by @JDRoberts

This is a risk with any cloud service. Fortunately, we have not seen any major breaches at this point.

Take a look at this talk by @hagins on youtube. He speaks about the security model used by ST and HA security in general. Starts around the 6:00 minute mark.

I don’t have references handy, but this Topic definitely has been discussed a few times. I’m pretty sure I’m one of the first persons to strongly express this concern as a comment in the original Kickstarter campaign, in fact!

Frankly, I totally empathize with your feelings – but, bluntly, there’s nothing that can be done about it. SmartThings is entirely based on a Cloud architecture (and the upcoming Hub V2 revamp will be a “hybrid” architecture that still uses the Cloud as the system of record and remote access).

Like most good SSAS and Cloud Services these days, SmartThings is subject to independent security audits. They have returned high scores. Password authentication would be better if enhanced with a 2-Factor option, but that’s complicated for most consumers, so I doubt it is a priority.

I think that access and data storage in the ST Cloud is fully accessible by authorized SmartThings employees, and that is certainly a hack risk (but not much less secure than a Bank).

If the plug is pulled on the business, your investment in the Hub is lost (~$99), but the devices will transfer to a few competitor’s systems. Unfortunately, your automation and other integrations will be a write-off (i.e., the logic is pretty much proprietary). The Privacy Policy would protect your data from abusive takeover.

What everyone said above is true. I am a Security Engineer by trade and when it comes to cloud services, you are at their mercy. If you don’t trust them, I recommend going with Mi Casa Verda which is totally local and not cloud based. There is always a debate in the industry is the cloud more secure than on-prem and there are software products out now that specialize in Cloud Security for enterprises such as SkyFence and part of their software does an analysis on what type of controls vendors have in place and risk ratings are assigned to help enterprises make decisions on a case by case basis… Since Smartthings is a consumer driven marketplace, I don’t think these tools will provide value. In addition, AWS doesn’t allow you to perform vulnerability scans without written permission, so I wouldn’t recommend launching scans against the ST cloud.

Personally, I am a heavy user of Cloud based services. I rotate passwords often using a Password Cloud Based Management system, don’t keep the same passwords for each site/service and hope for the best. If your worried about their cloud getting hacked and then your hub and home network, it’s a relatively low risk, far fetched scenario, and unless you were some major target like a celebrity or POTUS, I wouldn’t be concerned.

SmartThings isn’t for you then. Even the V2 hub will be able to fully control every smart thing from the cloud.

Now in practice, your risk is no greater than the risk you face by having a bank account (I assume you have a bank account with some bank with “online banking”) - if your account is breached (the most likely scenario) then at the bank they can steal your money, while at your house they can annoy you by turning on and off lights/heat, and possibly unlock your doors.

Admins, Support staff, etc can gain access to your account. They will do so in order to troubleshoot issues you may be having. Obviously they wouldn’t be any more or less risky than the support staff at your bank, or your investment house, etc.

1 Like

@Stiv_Ostenberg is your primary concern about loss of control? Or are you actually concerned about someone using this to break into your house or building through ST?

Honestly no matter how hard you try, if someone wants to get into your house or building they will. ST doesn’t make it any easier or harder to do so. A door or window will still be a point of entry. The best thing to do to resolve this is to add Camera’s or Video Recording devices that are VERY HIGH resolution. Recording to the cloud will make it so if the devices are noticed that there would be nothing that they could do about erasing or removing the storage for the device.

If you are concerned about your information getting out, understand that ST goes a long way to anon the data. But, that is a valid concern. The question there is what can be done with the data? People might learn your habits, but honestly with the Smart Phones and computers we have today, that is already out there.

So what is the real concern here? Even if you are running VPN from the home, it will not protect your internal network unless all devices, servers and Home Entertainment devices are all under VPN. And so far, I have not been able to get my Smart TV or Entertainment devices to work (like Roku) under a VPN unless I setup additional hardware. And frankly if you dedicate the hardware to make all devices work through VPN, you could do the same with ST Hub as well.

I think you have valid concerns, but you need to consider what you gain, and what has really changed in the since of Security at your home?

Topic is in alignment with what is above, but also adds and contributes to conversation. OP could also benefit from your discussion, therefore, merged.

If it makes you or your wife nervous, don’t buy it. There are local-only alternatives, like the Vera line from MiCasa Verde. You give up, obviously, the ability to change the control settings when you’re away from home, but many people don’t do that anyway.

Everyone has their own priorities when it comes to peace of mind. All of your questions are good ones, and all of the answers pretty much come down to “It’s a real risk, but a statistically small one for most people.” If you think the risk is larger for you specifically, or if it just bugs you, remote-controlled automation is not going to make sense for you.

I buy organic bananas. I know statistically fruit with a thick peel faces little risk of pesticide contamination of the interior piece. So I could save myself twenty cents a bunch if I bought conventional. But I would think about the statistics every time I ate one, and it would spoil my enjoyment. So I buy the organic ones. Personal choice, but it just simplifies things for me because the concern is gone rather than overcome. :sunglasses:

So many “local” solutions are far more vulnerable because people port forward the controller to the internet instead of vpning in.

I trust the st model and has been through some solid testing. I would rather have my HA stuff secured and easily accessible remotely then have to deal with a local hub and setting up secured vpns. Although I have both, vpns are not easy to manage.

The port forwards are usually the least of the problems. Because they are local only, they usually have lots of open ports, no passwords or default passwords, and many other security holes left open. It would be just as easy to drive around in a van with some wireless gear doing MITM attacks on WiFi to get at those non-internet connected devices. Unless you plan on putting your entire house inside of a Faraday cage there are going to be weak spots where intruders can get in if they want in bad enough.

I’m wondering if a DDoS attack (or similar) is perhaps the greatest risk (perhaps mitigated by Hub V2, but only partially).

If SmartThings is “hacked”, it seems that the most malicious activity would be to try to halt all operations, as opposed to coordinating burglaries of distributed homes.

I suppose it would be more “fun” to unlock everyone’s doors and and/or turn on their sirens and such. It would certainly earn some publicity. Not sure if this would require a motive, beyond mischief. Anyone started watching “Mr. Robot” yet?