I have neighbors that might very well notice a door being kicked in or other forced entry. Granted entry and knowledge of whether or not someone is home kicks things up a notch.
In any event, it’s simply a convenience vs risk issue that we all have to decide for ourselves.
Why secure credit card transactions with a chip/pin when someone can just rob you with a gun?
tgauchat
(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy)
That is an interesting analogy.
The difference here, at least for the imminent future, is that Credit Cards, Bank Accounts, and other online attack venues are solely online and require little or no physical activity. I.e., someone hacking a store to grab all the credit card numbers to sell them doesn’t go into the store to use them.
Hackers that use “skimmers” at ATMs even minimize the physical exposure risk.
The risk of a home burglary in the USA is very low (average under 3% of homes are burgled per year). It is likely to be lower for people that have a smart home system, not higher.
Still… eventually, if burglars in your neighborhood are given a map of all the SmartThings users, a way of knowing who are home and who are away, and a tool to disable the system (ummm… wire cutters to cut the cable line?), does that increase your risk to 6%? 60%?
What are your chances of being impacted by cc fraud?
The point is, it’s a cop-out to not build things securely when possible and practical simply because there exist threat vectors outside of your control.
In the US we don’t use Chip and Pin, it’s Chip and Signature. While it does protect against skimming, it’s not a full deterrent.
Making your house less attractive to criminals is the #1 thing you can do. My neighbor had his car broken into; asked how they broke in, he said he left the door unlocked. He was burgled and an idiot. Locking your doors (in theory) will reduce your risk by a third. About 30% of break-ins were not forced entry.
SmartThings may have unfairly been called out. Many systems use Zigbee for their wireless security, but all have higher upfront costs. There are still plenty of easy targets out there; once it is more prevalent, then we have to worry about it. Zigbee 3.0 fixes a lot of these issues.
If I ever have to break into a house, I will not target a ST house! I can’t count on SHM turning off!
Jokes aside, I will break a window, open it, take things in five minutes and leave. If there is a dog, a person, or anything weird I will just move onto the next house. “What’s SmartThings brah?”
Wait, that’s if you forced me to do work. What I’ll really do is buy a list of CCs off a Russian site and type them into a computer until I get a hit.
This security “scare” is silly. It’s chicken little. It’s for people who don’t grasp statistics.
I’ve been stolen from twice in my life. One was a car, and one was a roommate in my then automated house. Neither criminal was capable of using technology. Again, the criminals capable of this have jobs where they embezzle or seriously lucrative hacking careers. They don’t get dirty.
Statistics and Security is an interesting topic. Misunderstanding this can lead to fallacious beliefs and arguments.
The risk of your house being broken into is low.
The risk of you being in a plane crash is low.
The risk of your system being impacted by CVE-2005-1943 is low.
However, there is collective risk and there should be collective response. We demand Symantec, Microsoft, ZoneAlarm all to patch against Loki. We demand the FAA, Boeing, American Airlines make planes and flying safe. We buy security systems from ADT, fund police departments, and lock our doors.
I have never been in a building that was hit by a plane controlled by extremists. It’s truly silly to think that will ever happen to me. Is it silly to be concerned about attacks from terrorists? Statistically, yes. You are more likely to be killed by a toddler than a terrorist. There is a collective risk, however. We don’t just ignore extremists. Because there is a clear and demonstrable risk, we collectively demand a mitigation response.
If there is a smarthome platform that has known vulnerabilities that allow bad actors to gain control over those smarthomes, and the organization that makes that platform chooses to ignore those vulnerabilities under the premise the risk of someone breaking into your home is low - another capable organization will step up with competitive products that do address such vulnerabilities and the market will decide which one is right for them. There’s plenty of history to be exceedingly confident how this story ends.
Do I think I am more secure or less secure after installing SmartThings? I would have to say I am.
The standard is evolving and security is being improved. The more people using the technology and the more competition there is, will just continue to drive innovation. We are still fairly early on in home automation (% of people using) but it’s a growing market.
Definitely. One of several reasons I bought it. Provide more rich intelligence to supplement an old-school ‘dumb’ security system.
That same richness of data, however, can be turned against me if the industry as a whole doesn’t take security seriously. We can’t have an attitude of security concerns = scare tactics. I don’t think that is ST’s position at all, and invite @ben to comment in that regard if I am incorrect. However, there are certainly end users that believe that, and there needs to be a counter voice.
Considering that ST has publicly expressed cooperation and agreement with the security researchers here, I think that’s validation of my position. And more importantly contradicts those that disagree.
I’d like to see the stats that support that assertion.
That said…
There’s a critical component of this that’s being overlooked. The probability of X occurring is only half of the equation. The other half is the cost to you should X occur. For instance, it is FAR more likely that the decorative vase sitting on the hallway table will fall/be knocked over and break than it is that my house will catch on fire. In spite of that I haven’t taken any extra precautions to mitigate the risk to the vase (it’s just a cheap decoration) aside from being careful to not bump into the table it’s sitting on when I walk past it. On the other hand, I have multiple fire extinguishers readily available (one upstairs and one downstairs) and 6 different smoke detectors, and pay a monthly premium to my insurance company for a home policy that includes fire damage coverage.
So when assessing how much sense it makes to worry about something that’s relatively unlikely to happen you need to also weight the impact of an occurrence of said event.
Correct. In risk management, you look at the risk, what mitigation or controls are available or are possible, the costs to implement those controls, etc. You weigh everything.
When it’s your risk, it’s somewhat of a closed loop. You can choose to accept it or mitigate it and since you or your organization is captive - there is a closed loop. Your wife, generally, won’t divorce you if you fail to mitigate the risk of the vase being broken.
However, in a consumer market - if your product has unacceptable risks that you either fail to mitigate or you cannot reasonably mitigate due to cost of doing so - your consumers may choose someone who has/can/will. Perhaps their systems are able to mitigate it for 1 cent because their security architecture is better or the system was designed with security in mind and yours is very difficult to retrofit. Maybe some clueless exec heard from a client that security concerns = scare tactics and therefore they didn’t invest in security as result, so now they don’t have the talent to mitigate.
Hypothetically, the impacts of a single HA security event for an individual consumer may be small, and the costs to fix it for ST may be enormous. However, not fixing it for ST - and ending up on 60 Minutes - can be the most costly of all. Impact to brand and reputation is HUGE. In fact, for organizations I work with - this is the single biggest concern of C-level management. 5 years ago, it was predominantly a CISO-level concern, 3 years ago it became a CEO-level concern, now it’s board room fodder.
You are correct. There are many more nuances to this.
Mind blowing, eh? While I believe our response to terrorism is out of control and not in line with the actual risk, I absolutely support mitigative steps that neutralize those that execute these attacks. Yet, I don’t think we should neutralize toddlers. When we understand that dynamic and the logic that buoys that, we are able to shed the aforementioned fallacious conclusions about statistics and security. Risk Management professionals don’t play actuarialists, but they often have them in their employ and have a good understanding of how the science works. Wielding statistics (real or imagined) like a 3 year old wields a sword has entertainment value, but that’s about it.
The Snopes piece doesn’t support the statement based on it. Extrapolating stats from a single year to a “you’re more likely to…” generalization is bad enough, but there are other huge problems with it as well (for instance, nearly all of the toddler-induced deaths were inflicted upon themselves rather than someone else, so to include those in a measure of what a toddler is likely to do to me is disingenuous at best).
Right again, perhaps look at it as what risks do these things represent to your family or our society, etc. For the record, statistics are the inference of probability, for example, from a representative example. So there is nothing wrong with extrapolation. In fact, it’s absolutely required. In statistics, there is NEVER good enough sampling data. By definition, if there was, we wouldn’t need statistics. But we should always strive for the best data we can realistically obtain.
Anyway, toddlers/terrorists is a conversational tool if anything in this realm.
AND YES I CONFIRM I DO NOT KNOW YOUR WIFE. ANY IMPLICATION TO THE CONTRARY IS A FILTHY LIE.
What I’ve learned here is that I should not use home automation or get near a toddler. I think that matches the title and intent of the article and post.
BTW, for the record ST needs to close known security holes in a responsible manner. I don’t think anyone is arguing against that. For my part I am only arguing against tinfoil hats. They are uncomfortable and hot.
Truly glad to hear it. However, I think the implication that security concerns here are scare tactics, which was explicitly stated, is where there has been spirited disagreement.
I absolutely disagree with insinuations that the researchers, the vulnerabilities, the articles, etc, lack merit. Equally disagreeable is the idea that other threat vectors that may exist negate the need to have security at all.
I think the toddlers are killing us, not the other way round. I never got the details on how though. I suspect it has to do with tinfoil, and a conspiracy in the NSA to backdoor our hubs, open our doors and install video cameras in our bedrooms, to see if we are terrorists.
All you have to do is install a malformed app, authorize it to view/use your locks or doors, and turn your back on your toddler… who is working for the NSA. Have you seen that kid with an iPad?