I agree except for the fact that IF a hacker can see which houses in his neighborhood have ST and are vulnerable ( smart locks, away mode, motion sensors ) he might be more likely to rob one of those houses rather than throwing a rock thru the window of a random house.
I don’t think you meant to, but you skipped my point. You presumed the hacker will rob a house (big presumption) and then made the choice about hacking or a rock. Your outcome was inevitable. You are saying this hacker would rather physically rob a house than download lists of credit card numbers?
Hackers are by definition are people with the requisite skills to steal LOTS more money in infinitely easier ways. Essentially If they are dumb enough to show up at your house, they are not smart enough to hack it.
2 Likes
Well maybe they’ll try it just to see if they can, like climbing Everest. I get your point but by that logic ST needn’t bother with any security measures because the type that could exploit wouldn’t bother they would just hack my bank account or credit card.
1 Like
No, because that argument goes to the completely opposite end of the spectrum which is not realistic. They should always close obvious holes, it should always remain harder than breaking glass, showing up at a house, downloading CC numbers, or other forms of crime. Crime is simply opportunity for the lazy.
1 Like
This really isn’t that big of an issue. Just as with any 3rd party app you find on the net for any platform, you have to be sure you can trust it.
The good thing is no published app would be able to do this and most code posted on the forums here would likely receive some scrutiny from the members of the forum. The moral of the story, if you want to be sure, only install published apps, or those here on the forum from the devs who have been around here a long time and active on the forums. Otherwise, groovy isn’t hard to understand and you can always look for commands such as unlock where you wouldn’t expect them
3 Likes
No they have cash, that can be transferred by thieves. They also have valuable data thieves want and steal such as PII.
You have it wrong. These are crimes of opportunity. If someone gains a foothold on the ST eco system, they find houses they can ascertain the address of, that have the necessary components - can they tell if someone is home, the last time they were home, if they are on vacation, can they unlock the door and disable security, etc. Now where do they have folks they can sell this information to? Or where do they have people that can affect the physical layer stuff? Just like PCI/CC data theives, there are markets for this data - it is not common for the theives to use the information themselves.
Instead of debating how a vulnerable system would be leveraged - the energy is better spent eliminating vulnerabilities.
Already covered this. Stolen data, systems and access is marketed. Then others use those CCs, Systems, etc to perpetrate their crimes.
2 Likes
And, on top of that, the neighbor would have had to installed a 3rd party app with the vulnerable code and given it ouath access in order for this scenario to even work
3 Likes
I wasn’t clear, I was talking about a home, not the bank.
Not valuable information compared to others.
Agree, but I’m good with my security, and ST is already on this path. This is a forum, for discussion. For my part, here are my energies focused: ST fix basic security items without bogging down the interface! People, don’t install 3rd party apps you don’t know! People, use smart passwords and change them regularly! People if you have really freaking valuable stuff, don’t protect it with a home automation hub!
Phew, energy spent properly.
1 Like
There is a market. There will be a market. People take over machines, and sell access to those machines. People steal CCs and sell those CC numbers. They sell this stuff in bulk. Or even rent it. So you want access to 1k or even 1m androids? X number of dollars an hour. 10m CC numbers - 500 bucks.
10k SmarHomes in Chicago? Pick a price.
A value will be applied to such things and it will be marketed.
Do I have to actually go into the house, or will you steal it for me? Will you teach me how to unlock the house, or do I have to learn SmartThings?
Yeah, you are right, this debate is futile. 
1 Like
Gee… do the folks that buy CC #s need to learn how to use them or do the people they buy them from go and steal physical products with those CC #s on behalf of the folks they sell the CC#s too? Get real.
Yup it is, pollyanna.
Security is never a concern. Brush it off. Everyone is chicken little.
I’m not overly concerned myself as I don’t have any smart locks yet. The random unlockings I read about out here has me holding off. Besides I don’t feel the need it’s more of a possible want, another thing to mess around with. My son is 9 when he’s old enough to come home from school himself a lock with a keypad should suffice so I don’t have to deal with the inevitable lost key.
I think a lot of folks are really over thinking this.
Security is only a deterrent to those with little will to do wrong.
Having a lock, hack-able or bump-able, is nothing more than saying “Hey dude, that isn’t too inclined to steal but will if he see’s an easy target, continue to the next house.” Hence all my camera’s being blatantly obvious.
What this type of security offers over a normal lock, is notification. ANY time my front lock is locked/unlocked, or window/other door is opened when the system is armed, I get an instant text alert.
If I know my family’s habits, which I generally do, then I know when an alert comes in, not to be worried, or to be worried. Obviously this can be taken advantage of by even a simple minded criminal. They watch the house until someone DOESN’T come in at a normal time, on vacation maybe, taking too long to pick up the kids, and THEN comes and breaks the security to get in.
To layer on this, each member has a phone, with Life360. I already know they are close to the house before they enter, if that doesn’t happen and the door unlocks…well then I check the camera’s remotely.
Yes someone can still disable my internet, hack the system and disable the texts, etc. But seriously? What thief is going to go to that trouble when they can go to the 10 closest neighbors and steal their shit with no security to worry about.
I have zero concern over someone hacking my lock. The odds are EASILY in favor of some idiot drunk fool kicking down my door or busting out a window to sleep on my couch, and me knowing instantly that it happened.
4 Likes
Is there some reason that select Community members and prominent Developers were not informed of this research sooner? (i.e., besides the obvious risks of disclosure, but … still?).
Actually, why did the Community have to wait to find this out in the media?
That’s the usual method for handling security flaws discovered by third parties.
The researcher contacts the company to inform them of the flaw and of their publication date. The company agrees to wait to announce until that date, but will work with the researcher on fixing as much as possible and the researcher will normally note that cooperation and any flaws that have been fixed as an addendum to the original work.
Publication date comes, researcher releases their paper, company puts out their reply press release on the same day or the day after.
That way researchers have a motivation to work with the companies but still preserve the freshness of their own research.
That appears to have been what was done here. On May 2, there was an official post to the smartthings blog about the issue, and I believe anyone who subscribes to the blog would’ve received an email notification about it.
1 Like
I understand and am aware of the industry standard / customary vulnerability discovery / reporting protocols … mostly.
The sequence of the final steps are what concern me. If the “company” (SmartThings) is aware of the problem and has had 60-90 days to cooperate and mitigate the issues, etc., etc., then why doesn’t the “company” also do a Press Release before the researcher’s media release (even if only 24 hours in advance)? Wouldn’t that give a better impression to the Customers?
It would, but likely the research group wouldn’t provide the data to the company without being able to be the first to post it.
“If your not first, You’re Last” - Ricky Bobby
1 Like
Yuck. 
I’ve got to read up on the disclosure protocols to see if this is considered customary and ethical.
Feel free to respond with a reference if anyone has one.
Yep, Redundancy to any set up is good!
1 Like
That was my point exactly, my apologies if I wasn’t clear. The researcher gets the company’s agreement that the researcher will be the one to break the news at the beginning of their discussions. That’s why the researcher gives the company the researcher’s intended publication date.
Of course, things are different if there’s a life-and-death issue or something like that. But otherwise, that’s standard industry practice. The researcher gets to be the one to go public first. This is particularly true if there’s a paper being published.
White hat hackers, in contrast, generally preferred to be financially compensated and let the company do any disclosure. 
@tgauchat , a reference from about 5 years ago:
3 Likes