tgauchat
(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy)
43
Perhaps I just didn’t catch the details in your Paper, but could you share the details of the REST URLs with us (or private message me, please), so that we can further understand and verify? Thank you.
I didn’t even know that there were 499 published SmartApps, let alone any REST URLs for fetching their code.
It depends on your definition of “published”. 499 might be all SmartApps that have ever been published, including child SmartApps, and ones that have been deprecated or duplicated by new SmartApps.
[quote=“SparkyXI, post:39, topic:46834, full:true”]I can’t imagine how you could have any heightened sense of security when you know the risk of it being hacked (at all). Why break a window when one can just hack the lock - drive by, push a button, and you’re in! No bump keys, no hand tools, just push the button.
I’m not against smart locks, I’m just against connecting them and controlling them remotely.
[/quote]
The point is, it’s the other way round in your thinking, it’s actually easier for more people to pick/bump than it is for them to ‘hack’. That’s why the article is mostly click bait/scare journalism.
Nothing makes you more frighteningly aware of just how easy it is to get in your house/car than when you lose your keys… and I do mean shockingly easy, as in usually only a few seconds kind of easy. Just go through the locksmith/picking videos on YouTube and you’ll realise why someone who wants to rob your house will choose those methods over a ‘hack’ any day of the week.
There is only so much you can do and security should always be in layers.
Agreed completely. I have security cameras, alarm, home automation. If they want to rob me, they have more layers than the person to my left and right.
My smart locks improve the chances that my wife won’t call the fire department to bust the door frame because she locked herself out of the house and there is a pot burning on the stove, while I am on a business trip…(true story a few years ago)
True enough. A system that also has motion sensors, away mode etc can let people know when you’re away which is different than a burglar picking a random house.
Well, maybe; the market is a way of distributing apps without revealing the source code, open source or not.
Without the URLs being used that you mentioned, there is no way for the user to extract the smart app source code from the mobile app.
It may be that many of these apps are available in the IDE in source form, but that is an option chosen by the developer when the app is submitted for publication.
I for one could care less about the actual unpublished URLs used for this, but would be very interested in the list of apps that this exercise exposed.
Should the above URLs expose source code that the developer elected not to share, then this should be known to ST and the community…
Exposing vulnerabilities is not click bait nor scare journalism. It is the readers’ call to discern if it’s a real threat and what risk they want to assume. I know that hacking my system may be easy. But I think if someone takes the time to plan an attack on my personal property, they will be successful with or without my security system.
5 Likes
bamarayne
(Jason "The Enabler" as deemed so by @Smart)
51
Well, if I’m gonna get robbed, I’d prefer to not be home when it happens. At least then my family won’t be harmed.
Oh sure, totally agree. I used to love the Verge, but I can’t trust their journalism as far as I can throw their editors nowadays… Totally click bait. Stopped reading them regularly quite a while ago.
Also agree with the security comment. I just feel like having another avenue of unlocking a door is less secure, but different strokes, you know?
Honestly, isn’t the bigger concern malfunctions of the ST software that could cause your locks to unlock when they’re not supposed to…which actually happened to some people during the recent SNAFU?
True, but that’s assuming the same guy that would rob your house by hacking your lock when he KNOWS nobody is home would be likely to kick your door in if that wasn’t an option. I’m not so sure it’s the same demographic.
What isn’t given the proper credit here is that banking is a highly regulated industry with stringent security requirements. Both physical and cyber. The Banking Industry, in almost all scenarios, has strict liability as well. Someone puts a gun in their face and takes money? Not your problem. Someone from Russia hacks them? Not your problem.
On the other hand… what protections does a consumer have when they have losses due to shoddy security in SmartHome products? What regulations or laws control or dictate standards for this industry? What liability does the consumer retain in the event of losses?
Yes. My house is penetrable. But that doesn’t mean we want a “SmartHome” system that provides incredibly detailed data, not to mention one that is a Security System in and of itself, to be left vulnerable. Its PURPOSE is to address the known vulnerabilities that exist at the physical layer. I know my house can be broken into. I can’t stop that. But I do want to monitor it and be able to respond accordingly. Intrusion Detection System.
Security may seem like a contrived construct, but I believe this is because the offensive tool sets far exceed the current capabilities of the defensive tool sets. We are still all very much learning.
If we think the efforts to achieve better security through professional practice are a waste, I can only point out the Iranian Nuclear Enrichment incident (Stuxnet) as an example. These attacks can and do happen and they will be executed more and more. To prevent them from happening to systems we care about, we need to continue this security practice. Like anything else it is not perfect; it is a game of cat and mouse that will never end. However, one cannot just give up. Risks must be mitigated in order to continue living life. This has and will always be true.
2 Likes
bamarayne
(Jason "The Enabler" as deemed so by @Smart)
62
All of this is true, very true. But security is still a perception.
If you want security you have to provide it yourself.