Question about Smartthings platform security (2018)

Hello all,

Got some questions about SmartThings security. Since our smart home can do a lot (unlock door, record video, and more) I’m thinking about the security in that platform.

Is there some sort of security around the SmartThings platform?

  1. Security validation if connected from a new IP address or from a new strange location
  2. Some kind of 2FA for account login
  3. Something else to protect our account other than email+password?

Thanks a lot!

The short answer is that SmartThings does not provide any level of platform security beyond simple sign in.

There is an FAQ where people talk about various ways of securing their home network, all of which is good information if you’re worried about being hacked, but doesn’t actually solve the issue of someone signing into your SmartThings account. :disappointed_relieved:

@tgauchat is a big proponent of two-factor authentication, but as far as I know Samsung has not shown much interest in adding that to SmartThings, although the option has been suggested for at least four years now.

@slagle @jody.albritton

1 Like

Thanks for the tag, JD.

You have to keep things in perspective @plboucher. While the statistical likelihood of an individual or mass attack on SmartThings Accounts is impossible to calculate, it is much less likely than attacks on bank accounts and social media accounts. Many of those offer 2FA; but even then, the overwhelming majority of users do not voluntarily activate 2FA or similar options!

Out of thousands and thousands of ActionTiles Customers, only about 5 have ever requested a 2FA feature. ActionTiles’s scope is smaller than the SmartThings App, but still can offer access to Locks, Alarm State, etc… We have protections against brute force login attempts and known serious vulnerabilities, but nothing else is desired by any Customer except a fraction of a percentage.

Security is a personal matter. Personally, I’m not worried. Professionally - we prioritize based on customer interest. I’m sure SmartThings does the same - you can ask them at Support@SmartThings.com

Security costs vendors money. Until there is liability law and regulation in this space, consumer focused vendors will do as little as they can get away with until bad publicity sends them into a tail-spin of security theatrics and marketing buzz.

2FA is “free” and simple to implement on a platform you own, at minimum.

I see California is implementing new laws next year and onward requiring IoT vendors to shore up poor practices, but it’s only the start.

I’m saying that the odds of such “bad publicity” are exceedingly small. Mass attacks against SmartThings Accounts are highly unlikely.

Yes - A breach would be costly, but multiply that cost by the chance that it will happen, and the financial risk is likely not worth the complexity of implementation. Consumers always have the option to choose a different vendor’s platform … provided they can find a vendor which implements the desired higher level of security.

Until that time, SmartThings users are subject to the limited warranties of the Terms of Use. https://www.SmartThings.com/terms

Thanks for the answers

I ask since my email account has been hacked this year, and a couple of website accounts, resulting in a 4-digit loss.

I know it’s not the same for smart home, but one day a thief will look for it to enter an empty house and steal everything.

For now, I guess I will update my account password with a strong one that is not used on any of my other accounts.

Thanks

2 Likes