Security Announcement from SmartThings

Dear SmartThings Customers and Community Members,

We want to inform you that a potential security vulnerability with the SmartThings Hub was recently discovered. We have resolved the issue and have no reason to believe that customers’ data or system security was compromised in any way.

The vulnerability had to do with how our SmartThings Hub and Cloud authenticate each other. For those interested, we’ve included more detail below.

Protecting customers’ privacy and data security are fundamental to everything we do. We regularly perform penetration tests of our system and also work with white hats who try to break our platform so that we may continue to improve its security.

We intend to aggressively stay in front of any issues and be transparent with you about our efforts.

Thank you,
Jeff Hagins, SmartThings Co-founder and Chief Technology Officer

What was the issue?
The SmartThings Hub communicates with servers operated by SmartThings to report device events and receive commands from the SmartThings Cloud. These communications are encrypted using the Secure Sockets Layer (SSL) standard, which includes the ability to cryptographically validate that the remote server is “who” it claims to be. It was discovered that the SmartThings Hub did not properly validate the remote server’s identity. This means that an attacker with privileged access to a user’s home network (e.g. physical access) could have executed a “man-in-the-middle” attack that could have decrypted the communications between the SmartThings Hub and the SmartThings Cloud. However, even decrypted, the conversation between the Hub and Cloud is in a non-human-readable format and would have required additional significant reverse-engineering to gain any knowledge of what the messages mean.

What did SmartThings do to resolve this issue?
SmartThings resolved the issue by replacing the SSL framework used in earlier versions of the firmware with a new framework that properly validates the remote server’s certificate, and updated all online SmartThings Hubs with the 13.13 version of firmware.

Why is SmartThings confident that no customer info was exploited or compromised?
First, we have not found any evidence of abnormal activity to indicate that our system was compromised. Second, a successful exploitation of this vulnerability would have required that an attacker obtain a privileged position in the user’s network. This means that an attacker would have first needed to compromise the customer’s home internet router before they could have taken advantage of the vulnerability we found.

What is SmartThings doing to ensure that this doesn’t happen again?
In addition to performing ongoing security testing as a part of the software development lifecycle, we regularly pay a third-party security firm to perform penetration testing on our platform. We believe that it is fundamental to have a proactive and aggressive approach to protecting customers’ security and data and will continue to do everything we can to stay in front of any potential issues.

16 Likes
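The server-identity check the announcement says the old firmware lacked, written out as an added example (not SmartThings code; Python's `ssl` module stands in for the hub's TLS framework, and the certificate dictionary uses the layout `getpeercert()` returns):

```python
"""Server-identity validation of the kind a TLS client must perform."""
import ssl


def hostname_matches(peercert: dict, hostname: str) -> bool:
    """Return True only if hostname is covered by a dNSName SAN in peercert.
    peercert follows ssl.SSLSocket.getpeercert(); CN fallback is deliberately
    omitted, as modern validators do. Wildcards match one leftmost label only."""
    host = hostname.rstrip(".").lower()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.rstrip(".").lower()
        if "*" not in pattern:
            if pattern == host:
                return True
            continue
        plabels, hlabels = pattern.split("."), host.split(".")
        # Wildcard must be the whole first label and leave at least two labels.
        if plabels[0] != "*" or len(plabels) < 3 or "*" in plabels[1:]:
            continue
        if len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]:
            return True
    return False


def audit_context(ctx: ssl.SSLContext) -> list:
    """List settings that would let a client accept an impostor server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a cert for another name is accepted")
    return findings


def weak_context() -> ssl.SSLContext:
    """The configuration that amounts to 'no identity check' (for comparison only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode changes
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What 'properly validates the remote server's certificate' looks like."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

With `hardened_context()`, `ctx.wrap_socket(sock, server_hostname=...)` refuses a server whose chain does not validate or whose name does not match, which is the man-in-the-middle case the announcement describes.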

Glad to see this was brought to light by ST and not other sources. Appreciate the transparency.

10 Likes

Probably explains some of the recent disruptions as well, no? The past few days have been a little on the rough side…

No… Based on my interpretation of the Announcement, I don’t think this is related to “recent disruptions”.
Most of us had / have received Firmware 13.13 quite a few days ago, and there were no further bug-fix releases (as far as I know).

Key observation: Firmware 13.13 included this important Security fix, so ST was wise not to publish information about the weakness prior to wide deployment.

Good to see a man in the middle vulnerability get patched. However, I was hoping the announcement was the addition of two factor authorization which would prevent a more likely breach.

4 Likes

I meant the rather quick deployment of firmware in a short period of time. The last update being staged placed less load on the distribution infrastructure…

2 Likes

How would two-factor authentication work in a situation like a hub communicating with a cloud server? (Genuine question here.)

Sounds like this was an unlikely scenario (needed direct network access to exploit) but thank you for patching it and for making us aware.

When you log in or get an oauth key an additional factor is required. I prefer phone SMS string.

I prefer Google Authenticator App as my second-factor; (I use it for my LastPass, ZoHo and Dropbox accounts), but I don’t know if it is very popular on iOS (but it is available).

Thanks for the detailed and transparent description of the problem, and for the timely fix! I really appreciate it when companies take security issues (and disclosures) seriously. Makes me feel good about using SmartThings.

2 Likes

It’s great the hub has been updated!
But did the SmartThings App for the iOS get updated as well?
According to SourceDNA, the App (v1.7.2) is vulnerable.

So your phone is the authentication device and you want an SMS as the 2nd authentication… that is not 2-factor, but still one factor (only one tightly coupled device involved).

2-factor means that you have a security calculator uncoupled from the phone as a 2nd source of a secret.
For a website that is NOT viewed from a phone, an SMS can be a 2nd factor in authentication.

You’re right. I guess I was thinking from the IDE.