Researchers say there are serious security problems in Samsung’s SmartThings

(Brian) #92

Do I have to actually go into the house, or will you steal it for me? Will you teach me how to unlock the house, or do I have to learn SmartThings?

Yeah, you are right, this debate is futile. :slight_smile:

(Never Trust @bamarayne) #93

Gee… do the folks that buy CC #s need to learn how to use them or do the people they buy them from go and steal physical products with those CC #s on behalf of the folks they sell the CC#s too? Get real.

Yup it is, pollyanna.

Security is never a concern. Brush it off. Everyone is chicken little.

(Chris ) #94

I’m not overly concerned myself as I don’t have any smart locks yet. The random unlockings I read about out here has me holding off. Besides I don’t feel the need it’s more of a possible want, another thing to mess around with. My son is 9 when he’s old enough to come home from school himself a lock with a keypad should suffice so I don’t have to deal with the inevitable lost key.

(Michael Hess) #95

I think a lot of folks are really over thinking this.

Security is only a deterrent to those with little will to do wrong.

Having a lock, hack-able or bump-able, is nothing more than saying “Hey dude, that isn’t too inclined to steal but will if he see’s an easy target, continue to the next house.” Hence all my camera’s being blatantly obvious.

What this type of security offers over a normal lock, is notification. ANY time my front lock is locked/unlocked, or window/other door is opened when the system is armed, I get an instant text alert.

If I know my family’s habits, which I generally do, then I know when an alert comes in, not to be worried, or to be worried. Obviously this can be taken advantage of by even a simple minded criminal. They watch the house until someone DOESN’T come in at a normal time, on vacation maybe, taking too long to pick up the kids, and THEN comes and breaks the security to get in.

To layer on this, each member has a phone, with Life360. I already know they are close to the house before they enter, if that doesn’t happen and the door unlocks…well then I check the camera’s remotely.

Yes someone can still disable my internet, hack the system and disable the texts, etc. But seriously? What thief is going to go to that trouble when they can go to the 10 closest neighbors and steal their shit with no security to worry about.

I have zero concern over someone hacking my lock. The odds are EASILY in favor of some idiot drunk fool kicking down my door or busting out a window to sleep on my couch, and me knowing instantly that it happened.

( co-founder Terry @ActionTiles; GitHub: @cosmicpuppy; NOT a SmartThings Employee.) #96

@slagle, @jodyalbritton:

Is there some reason that select Community members and prominent Developers were not informed of this research sooner? (i.e., besides the obvious risks of disclosure, but … still?).

Actually, why did the Community have to wait to find this out in the media?


That’s the usual method for handling security flaws discovered by third parties.

The researcher contacts the company to inform them of the flaw and of their publication date. The company agrees to wait to announce until that date, but will work with the researcher on fixing as much as possible and the researcher will normally note that cooperation and any flaws that have been fixed as an addendum to the original work.

Publication date comes, researcher releases their paper, company puts out their reply press release on the same day or the day after.

That way researchers have a motivation to work with the companies but still preserve the freshness of their own research.

That appears to have been what was done here. On May 2, there was an official post to the smartthings blog about the issue, and I believe anyone who subscribes to the blog would’ve received an email notification about it.

SmartThings Platform Security - Response from Alex
( co-founder Terry @ActionTiles; GitHub: @cosmicpuppy; NOT a SmartThings Employee.) #99

I understand and am aware of the industry standard / customary vulnerability discovery / reporting protocols … mostly.

The sequence of the final steps are what concern me. If the “company” (SmartThings) is aware of the problem and has had 60-90 days to cooperate and mitigate the issues, etc., etc., then why doesn’t the “company” also do a Press Release before the researcher’s media release (even if only 24 hours in advance)? Wouldn’t that give a better impression to the Customers?

(Jason) #100

It would, but likely the research group wouldn’t provide the data to the company without being able to be the first to post it.

“If your not first, You’re Last” - Ricky Bobby

( co-founder Terry @ActionTiles; GitHub: @cosmicpuppy; NOT a SmartThings Employee.) #102

Yuck. :confounded:
I’ve got to read up on the disclosure protocols to see if this is considered customary and ethical.

Feel free to respond with a reference if anyone has one.

(Jason) #103

Yep, Redundancy to any set up is good!


That was my point exactly, my apologies if I wasn’t clear. The researcher gets the company’s agreement that the researcher will be the one to break the news at the beginning of their discussions. That’s why the researcher gives the company the researcher’s intended publication date.

Of course, things are different if there’s a life-and-death issue or something like that. But otherwise, that’s standard industry practice. The researcher gets to be the one to go public first. This is particularly true if there’s a paper being published.

White hat hackers, in contrast, generally preferred to be financially compensated and let the company do any disclosure. :wink:

@tgauchat , a reference from about 5 years ago:


So basicall, just be careful when using unapproved smartapps/device handlers? Ive tried to read the code on some custom code Ive copied and pasted but I dont really know what Im reading. Can someone provide examples of examples of code segments that would be malicious? IE letting someone remotely change the arming mode, etc.

( co-founder Terry @ActionTiles; GitHub: @cosmicpuppy; NOT a SmartThings Employee.) #108

Sure! How about I start with just one major example (and there are infinite possibilities, because SmartApps are just programs and code can be hidden in many ways)…

Any SmartApp you install can access your Location Object; even if you don’t grant it access to a single Device.

That means any SmartApp can change the state of SHM:

   sendLocationEvent(name: "alarmSystemStatus" , value : "away" )
   sendLocationEvent(name: "alarmSystemStatus" , value : "stay" )
   sendLocationEvent(name: "alarmSystemStatus" , value : "off" )

(Convinced ST will never be unbroken…) #111

I see a day when hackers offer up services to droolers and drug addicts, where for a fee, they offer up what homes in an area will have no one home between this and then, and offer to unlock the doors for them at this o’clock.


(Jason "The Enabler" as deemed so by @Smart) #112

All you gotta do is stand out front and yell at my house… It’ll open right on up for you. Take all my stuff, I don’t mind. It’s time for a new tv and laptop anyway.!

(Scott Alexander) #113

Finally a way to monetize SmartThings App Development! :wink:

(Bobby) #114

How are you going to turn on your lights if they take your precious Alexa, have you thought about that???

(The fish is still dead.) #115

He’s got a few of them. At some point, I’m sure the thief would say “enough already” and stop grabbing them. :stuck_out_tongue_winking_eye:

(Bobby) #116

I guess they need to leave the one in the garage so they can close the door after they pull the truck out…

(Brian) #117

Don’t worry the search function in this forum will provide the answer as I’m sure it’s been solved before :wink: - @bamarayne has just got to find someones laptop + Router to borrow so he can access the forum. Oh and come up with a novel search term

Just as long as we don’t see a new thread labelled