Protecting smarthings home automation


(Sean Mills) #1

Hey guys I was just curious what you do to protect your home network security and smartthings devices. Having not set up my system yet it would seem from the outside that people could easily access your devices on the smartthings system and mess with things like turning your zwave lights on and off and getting into your door locks. I was curious how you guys kept everything secure. I also have never set up a firewall before but was thinking of doing that, is that the way to go or is their built in security with smartthings what have you guys done to keep your house safe?
Thanks


(Tim Slagle) #2

What makes you think this?


(Sean Mills) #3

Been reading stuff like this on home automation…
Home automation devices are easy to spot with Shodan, a search engine for hackers, as pointed out by its creator John Matherly. And the home automation market forecast is predicted “to exceed $5.5 billion in 2016.” Despite the technology having been available for over a decade, and many of these automation systems being extremely vulnerable, having a “smart house” has become very trendy.

Exploiting houses with home automation may not be low-hanging fruit for malicious hackers, but with its increasing popularity and expanding product lines, we will see it gaining more attention from hackers who realize how insecure many of these systems actually are. For example, CEDIA IT Task force member Bjorn Jensen said, “Today, I could scan for open ports on the Web used by a known control system, find them, get in and wreak havoc on somebody’s home. I could turn off lights, mess with HVAC systems, blow speakers, unlock doors, disarm alarm systems and worse.”


(Amauri Viguera) #4

I’m sure there are some exploits out there, disclosed and otherwise, but nothing that applies directly to SmartThings.

I would be concerned about vulnerabilities in other components that you connect, such as TCP hubs or the like, but there’s little you can do about how other vendors treat the security of their ecosystem. If you find out that there are known vulnerabilities with Hue or Sonos or TCP or whatever, then don’t choose that particular vendor for components in your home automation setup.

I think the home automation market has been around for a long time, from the hobbyist stuff to the seriously expensive stuff, and you have yet to see the headline about how someone subverted some company’s software to do much more than maybe spy on a misconfigured webcam, if that.

I think the way ST works by being wired into the network rather than wireless, and requiring you to “invite” additional users that can manage your devices gives me a bit of comfort when it comes to the security of my setup.

With that said, unless you’re willing to roll your own you’re always going to be relying on someone else to have adequate security, and hoping that they act in good faith when it comes to managing whatever devices are exposed to them. Chances are pretty high that the ST folks are not poking around everyone’s DropCams in the middle of the night, but seriously how can you be sure? :slight_smile:


(Chrisb) #5

Check out this recent thread: Hacking concerns

Some discussion there about ST system security.


(Tim Slagle) #6

This is exactly correct. As long as you are comfortable with the security of your network you should be comfortable with the security of smartthings.

If you have good network security a “hacker” would basically need physical access. Also, zwave and zigbee are encrypted and they would need the encryption key to sned packets… so in this case they would need physical access on both ends to easily hack it. a pro could do it im sure.

But a pro also isn’t going to be hacking into my house. lol


(Sean Mills) #7

Ok, could be an overreaction on my part, just had a friend (who is much smarter than me) point out all of the possible security breeches with the home automation technology and you guys are all right I think my concerns were more with the things I would add on to the smartthings system, like a zwave based door lock ect.


(Amauri Viguera) #8

I think there should be some interesting stuff coming out soon from DEF CON next week though.

The guys from Synack are supposed to be presenting some information about how they can install persistent malware on a DropCam if they have physical access to it. And while it goes without saying that you shouldn’t let people touch your stuff, you never know when a neighbor or enterprising contractor is going to “casually” stand too close to your cameras for too long when they are in your house. Plus it brings up the issue of purchasing stuff from third parties, like used cameras from eBay or refurbished stuff that might have been compromised then resold.

There’s also the issue of the cameras running outdated (and vulnerable) copies of BusyBox and OpenSSL, which present other opportunities for exploits. It remains to be seen how much of this is available in practice as opposed to just theory, but security is one of those things that you can’t play around with too much. :slight_smile:


(Chrisb) #9

@Sean_Mills,

As was kinda pointed out in the other thread, no system is invulnerable. But ST is pretty decent I think. I don’t anticipate it being hacked by the average script kiddie out there. The biggest, most likely danger, in my opinion, would be annoyance attack… like flicking bulbs on and off or things like that.

Realistically, unless you are filthy rich and have lots and lots of expensive art work and/or electronics, you’re not going to be targeted by a mastermind criminal group. You have far more to fear from some local person kicking in your door and making off with whatever he can grab quickly rather than a group plotting an theft by hacking your HA and gain entry that way.

Having said that, there are three areas where I would exhibit additional caution:

Door Locks Obviously this provide an easy and effortless access to your home if someone can hack them. But again, this means someone who figures out how to hack these things, knows you have a HA, who actually has a desire to physically access your home (I suspect most hackers, while very comfortable in the cyber realm wouldn’t make great physical burglars), and who lives close enough to make it worth accessing your home.

Garage Doors Here’s where something annoying could prove to be costly. While I think it’s low probability that a hacker is going to open your doors for his/her own use, if the hacker does open your doors when you aren’t around and leaves them open that makes you susceptible to a random person walking down the street and seeing it as an opportunity. I highly recommend using the Garage monitor smart app so you know if your garage has been left open for a long time.

Cameras Again, here’s a case were annoyance could become more than that. I don’t suspect that many of us would put a security camera in our bedrooms or bathrooms, but I also suspect that we’ve all, for some reason to another, done the naked dash through the house… maybe you need clean clothes from the dryer or need to grab toilet paper or whatever or maybe you and your SO just got frisky in an unusual place. These would be times where in would be… inconvenient… if someone was hacked into your cameras recording pics.


(Amauri Viguera) #10

I think your areas of caution (for the doors and garage) are the main reason why I’m still not convinced that ST is the right solution (for me) when it comes to automating portal access, although I’m perfectly ok with it for convenience and surveillance :smile:

I’m always thinking about the worst case scenario, and some yet-to-be-found vulnerability on Schlage locks, or some disgruntled former ST employee (hello Samsung! :slight_smile: ) that might expose something that would threaten the physical security of my house.

I’m sure it will pass as the platform matures, but for now I’m always looking at this whole “open my house automatically when I get nearby” with suspicion, especially when I notice the presence reporting problems continue to appear on my Android phones.


(Patrick Stuart [@pstuart]) #11

So. How about how vulnerable Glass is. I mean a rock can break it? Doesn’t even have to be thrown hard?

And screws? How deep into the wood are your hinges? These can easily be hacked to release from the wood with just a simple shoe or boot with adequate force.

But I’m sure these aren’t concerns because most houses don’t have windows, doors, sliding doors, full height windows next to locks, etc.

But then, if someone broke the window into my house, they could go right up to my nest and change the thermostat… On no, they could turn on all the lights, or even my stereo and blow my speakers…

Seriously. Security is an illusion. Passwords make us feel safe, just like locks on doors makes us think we are keeping the bad guys out.

Accept the risks, or don’t but please don’t spread rumors about how vulnerable a system is or isn’t. If you know of a vulnerability, report it through appropriate channels. If you see someone suspicious casing your house, report it. If you see a white van parked outside your house and a rouge wifi access point named “FBI Surveillance Van #6” bring em some donuts and say hi.

Stop worrying and learn to love the technology… Or at least until you lose internet or power to your house.

Nobody reacts to alarms going off other than to look up and wish someone would shut that stupid alarm off.

Why would a hacker, stand outside your house, intercept a z-wave message (or zigbee) join the mesh, find the device ID, send the unlock code and open your front door? A simple 2 dollar bump key works much better and takes 2 seconds. A pick gun can take less than 30 seconds…

The real solution is monitoring. Cameras, logs, off site backups. You can’t stop them, but you can catch them.


(Convinced ST will never be unbroken…) #12

LOL. We must live on different planets (c; Here we have these things called neighbors; they actually look out for each other and respond to someone’s alarm going off (or any suspicious activity). But as for ‘catching them’… while there are some hot topics that get the local authorities attention (I won’t argue them here), a simple home burglary isn’t one of them.

But you’re spot on regarding the fact that no one is going to hack my network. Frankly I’d be more concerned with SmartThings simply opening my garage door when I am not home, which is why I don’t have it connected to doors and locks. As for a real burglar, they’d simply pick up a rock and break a window (or the glass in my door and reach through and unlock it as most fire codes don’t allow keyed cylinders on both sides). Hell, I don’t think you can even buy a smart lock with keyed cylinders an both sides.

If a siren doesn’t scare them off, there is little you can do. My local golf club is fully wired and monitored; but they have been hit several times recently. Once they absconded with their safe (which was bolted to the ground no less), and got away 'cause the sheriff was too lazy to check the golf course (where they were hiding), and the other two times they actually stole the copper in the conduit running from the clubhouse to the street!!! LOL


(Andrew Urman) #13

These are personal beliefs and not speaking behalf of SmartThings (you’re welcome lawyers).

For what its worth, Shodan doesn’t seem to work on HTTPS which is what SmartThings uses to communicate with the hub. It is a encrypted version of normal HTTP. Shodan and similar tools to break into the home mostly bank on the product. I don’t really consider wide open ports and non-secured cameras hacking, but they are reminders on how a company can/should/need to protect their customers.

I don’t think I’ve seen anything concrete on someone hacking ZigBee or Z-Wave from outside the network yet. There was a video out there where someone claimed to have hacked Z-Wave and unlock a lock, but it ended up being an issue with the lock itself. Though they did get on the network. As far as the cloud level stuff I believe it is pretty standard, which is actually good. Using well known standard encryptions give you a lot of safe guards. I won’t go into too much detail as I don’t fully know or understand it, but will say we submit to penetration testing from security firms to ensure integrity.

Allllll that said, if anyone ever says their product is 100% invulnerable to hacking in any form at anytime for anything THEY ARE LYING.