Researchers say there are serious security problems in Samsung’s SmartThings


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #23

This is precisely why SmartThings, despite repeated requests from various members of the Development Community, will not entertain the idea of making a significantly easier distribution method for unreviewed / QA’d SmartApps and Device Type Handlers. We understand and support this decision!

The “Shared OAuth method” (or, more bluntly called the OAuth “Backdoor”) that was used by SmartTiles and a few others, was firmly closed this past week. While SmartTiles was comfortable and honest in assuring our users that we believe that the security risks and concerns of the OAuth shared version of our SmartApp were well understood by us, and are manageable and can be self-mitigated, we are also fully aware of and grateful for the benefits of the review process from both the security and performance perspectives. SmartTiles is an officially reviewed and published SmartApp now, and our installer webpage can only install this protected ST managed edition from this point forward.

All the more reason, of course, that while “Platform / Product Stability” is the #1 focus of SmartThings (per CEO @Alex and team…), I’m sure this highlights the impact of interconnections between all functions of the organization on product quality, especially key factors like security and performance. No company can do only one task at a time!

@jody.albritton and @slagle’s team needs to muster more resources to speed up the submit / review / approve / publish cycle for SmartApps and DTHs, so that this is not an onerous disincentive to officially publish, and thus minimize the distribution of ad hoc code to Customers who do not have the interest or ability to review code in order to add valuable functionality to their account.


Meanwhile, I have also posted a response comment to @Alex’s blog entry:


(Shelley Powers) #24

This is a point that needs to be made again and again: just because it appears in the forum doesn’t mean it’s trustworthy.


( I hate Mondays) #25

Another article I was reading


(Alex) #26

I would like to emphasize that those users who have any concerns using SmartTiles instances that were installed prior to publication are welcome to remove them and reinstall SmartTiles using the officially reviewed and published Smart App. The installation workflow did not change.

At the moment, there is no difference between published and unpublished instances.


(Jason "The Enabler" as deemed so by @Smart) #27

If I were that concerned, I’d live in a house with no windows, one door, surrounded by a raging river full of gators and pirates. I’d have no electronics and would live as a recluse.

But instead, I’m just very well insured. Come and get it if you can. I need a new tv!


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #28

Please be aware, however, that you will need to recreate your Dashboards in the newly installed edition. SmartThings does not provide us any method to migrate configuration data between SmartApp instances. We are considering export / import (backup / restore) functionality for V6, since its architecture may facilitate some practical options.


(Dale C) #29

Interesting paper, is this the research that @alex is referring to?


(Mike Swanson) #30

I don’t care if it’s a platform or a third-party app: This is why I’ll NEVER connect a smart lock to any portion of automation, even for monitoring purposes.


(Tim Slagle) #31

Hey guys,

Alex has posted a response here:


(AuxMax001) #32

Curious if the “hackers” reached out to have you address the issues prior to publication? DK


(M Li) #33

ArsTechnica has a good breakdown of a new demonstrated vulnerability in SmartThings, particularly as it relates to smart locks.

Needless to say, don’t use SmartThings for anything related to security.


(Tim Slagle) #34

We have been working with them for a couple weeks now.


Major Security Flaw with SmartThings, OAuth, and Zigbee
(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #35

Gosh… Folks have gone over this dozens of times.

If you think your external door, “automation connected” smart locks are the biggest vulnerability to your home, then you’ve got a lot more to think about…

  • Most lock brands are susceptible to picking or even simpler, “bump keys” – get one cheap on eBay!

  • Windows are the most common path to entry, and I doubt folks have bars on all their windows and remember to keep every single one of them manually latched every night? Fresh air around here trumps security risk.

  • Even external doors are not that difficult to break open without moving the deadbolt. A connected smart lock, however, can help alert home owners to tampering attempts.


(Alex) #36

Locks only keep the good people out. My front door has a glass frame around it. If someone wanted to force their way inside, it would not matter if the lock is smart or dumb.

My smart lock, however, improves the chances that the door is actually locked.


(Jason "The Enabler" as deemed so by @Smart) #37

There isn’t a lock on the planet that is secure in your front door. A boot will defeat it every single time.

You want security, live in a bank vault.

If you want the locks and you’re worried about when you’re home and asleep, add a security layer.

A simple chain lock will stop any electronic lock pick. Plus it makes noise when you break it.

But then again, y’all are worried about a high tech thief coming into your house.

If they are high tech enough to hack your HA system, they don’t care about your house… They’ve already stolen your bank account.


#38

For the record, we contacted SmartThings with all details in Dec 2015.


SmartThings Platform Security - Response from Alex
Thoughts on Industry Standards for Vulnerability Discovery Disclosures
(Mike Swanson) #39

I can’t imagine how you could have any heightened sense of security when you know the risk of it being hacked (at all). Why break a window when one can just hack the lock - drive by, push a button, and you’re in! No bump keys, no hand tools, just push the button.

I’m not against smart locks, I’m just against connecting them and controlling them remotely.


(Dan P Parker) #40

This is one of those silly bits of folksy “wisdom” that doesn’t stand up to even the most basic scrutiny. If it were true then there wouldn’t be any real point in having a lock, would there?


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #41

Thanks for your research and the publicly available full paper at this link:

While the research raises concerns of varying degrees and is subject to review and rebuttal, I am concerned with this particular paragraph (on Page 8):

Our network protocol analysis discovered a set of unpublished REST URLs that interact with the backend to retrieve the source code of SmartApps for display. We downloaded all 499 SmartApps that were available on the market as of July 2015 using the set of unpublished REST URLs, and another set of URLs that we intercepted via an SSL man-in-the-middle proxy on the Companion App (we could not download 22 apps, for a total of 521, because these apps were only present in binary form, with no known REST URL). Similarly, we downloaded all 132 unique SmartDevices (device handlers).

Has this “unpublished REST URLs” vulnerability that you found which exposes the source code of Published SmartApps been fixed? @slagle, @jody.albritton, @dlieberman?! :worried:


#42

Clarification on that. There is no vulnerability there. We only downloaded the explicitly open sourced code. The REST URLs mentioned there are only to automate the otherwise manual process of going to each app, and copy-pasting the code.