Dear SmartThings Customers and Community Members,
We want to inform you that a potential security vulnerability with the SmartThings Hub was recently discovered. We have resolved the issue and have no reason to believe that customers’ data or system security was compromised in any way.
The vulnerability had to do with how our SmartThings Hub and Cloud authenticate each other. For those interested, we’ve included more detail below.
Protecting customers’ privacy and data security is fundamental to everything we do. We regularly perform penetration tests of our system and also work with white hats who try to break our platform so that we may continue to improve its security.
We intend to aggressively stay in front of any issues and be transparent with you about our efforts.
Thank you,
Jeff Hagins, SmartThings Co-founder and Chief Technology Officer
What was the issue?
The SmartThings Hub communicates with servers operated by SmartThings to report device events and receive commands from the SmartThings Cloud. These communications are encrypted using the Secure Sockets Layer (SSL) standard (the protocol now known as TLS), which includes the ability to cryptographically validate that the remote server is “who” it claims to be: the server presents a certificate, and the client is expected to confirm both that the certificate chains to a certificate authority it trusts and that it was issued for the hostname the client intended to reach. It was discovered that the SmartThings Hub did not properly validate the remote server’s identity, so it could not reliably tell a genuine SmartThings server from an impostor presenting its own certificate. This means that an attacker with privileged access to a user’s home network (e.g. physical access) could have executed a “man-in-the-middle” attack, redirecting the Hub’s connection to a server under the attacker’s control and thereby decrypting (and, in principle, altering) the communications between the SmartThings Hub and the SmartThings Cloud. However, even decrypted, the conversation between the Hub and Cloud is in a non-human-readable format and would have required additional significant reverse-engineering to gain any knowledge of what the messages mean; this raises the effort required of an attacker, although it is not itself a security control.
What did SmartThings do to resolve this issue?
SmartThings resolved the issue by replacing the SSL framework used in earlier versions of the firmware with a new framework that properly validates the remote server’s certificate, and updated all online SmartThings Hubs to firmware version 13.13.
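What “properly validating the remote server’s certificate” amounts to for a TLS client, as an added example written for this page in Python against the standard ssl module (it is not SmartThings code and says nothing about how the Hub firmware is actually implemented). The first half shows the two client configurations side by side: one that accepts any certificate, which is the class of mistake described above, and one that requires a certificate, checks it against a trust store and checks the hostname. The second half spells out the hostname check by hand over the dictionary shape ssl.SSLSocket.getpeercert() returns, so it can be exercised offline on three constructed certificates: the genuine one, an on-path attacker’s self-signed certificate that claims the right name, and a trusted-CA certificate issued for a different host. The hostnames, certificate dictionaries and trust list are constructed for the example, and the issuer-name comparison in validate_peer is a deliberately simplified stand-in for full chain validation (signatures, validity period, path building), which the SSLContext performs itself on a live connection.

```python
"""Added example, not SmartThings code: what a TLS client must check before
trusting the server it reached.  All names and certificates are constructed."""
import ssl
from typing import Dict, Iterable, Optional


def make_hub_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context shaped the way a fixed client should be: a peer
    certificate is required, verified against a trust store, and its name
    is checked against the hostname we asked for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already defaults to these; set them explicitly so the
    # intent survives refactoring.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)  # e.g. a pinned private CA
    else:
        ctx.load_default_certs()
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The vulnerable shape: the link is encrypted, but any certificate is
    accepted, so an on-path attacker's certificate is as good as the real one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; '*' allowed only as the
    entire left-most label, matching exactly one label, never a bare suffix."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:   # rejects "f*o.x.y" and "*.com"
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False                               # no multi-label or empty match
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """Hostname check over the getpeercert() dict shape.  SAN dNSName entries
    are authoritative; the subject CN is consulted only when no DNS SAN exists."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_dns_name_matches(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def validate_peer(cert: Dict, hostname: str, trusted_issuers: Iterable[str]) -> str:
    """Return "ok" or the first reason the peer must be rejected.  The issuer
    name comparison is a simplified stand-in for real chain validation."""
    issuer_cn = next((v for rdn in cert.get("issuer", ()) for k, v in rdn
                      if k == "commonName"), None)
    if issuer_cn not in set(trusted_issuers):
        return "untrusted-issuer"
    if not hostname_matches(cert, hostname):
        return "hostname-mismatch"
    return "ok"


CLOUD_HOST = "graph.example-cloud.test"   # constructed hostname
TRUSTED_ISSUERS = ("Example Root CA",)    # constructed trust list

GENUINE_CERT = {   # constructed; shaped like ssl.SSLSocket.getpeercert()
    "subject": ((("commonName", "graph.example-cloud.test"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "graph.example-cloud.test"),),
}
MITM_CERT = {      # attacker's self-signed certificate claiming the right name
    "subject": ((("commonName", "graph.example-cloud.test"),),),
    "issuer": ((("commonName", "graph.example-cloud.test"),),),
    "subjectAltName": (("DNS", "graph.example-cloud.test"),),
}
WRONG_HOST_CERT = {  # trusted CA, but issued for a different host
    "subject": ((("commonName", "shop.example-cloud.test"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "shop.example-cloud.test"),),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("mitm", MITM_CERT),
                        ("wrong-host", WRONG_HOST_CERT)):
        print(f"{label:10s} -> {validate_peer(cert, CLOUD_HOST, TRUSTED_ISSUERS)}")
    print("hardened context:", context_is_hardened(make_hub_context()))
    print("insecure context:", context_is_hardened(make_insecure_context()))
```

The two failure cases are the ones that matter for the issue above: the attacker’s certificate passes the hostname check and is caught only by chain validation, while the wrong-host certificate passes chain validation and is caught only by the hostname check. A client that skips either check, as make_insecure_context does, accepts both.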
Why is SmartThings confident that no customer info was exploited or compromised?
First, we have not found any evidence of abnormal activity to indicate that our system was compromised. Second, a successful exploitation of this vulnerability would have required that an attacker obtain a privileged position in the user’s network. This means that an attacker would first have needed to compromise the customer’s home internet router, or another device on the same local network from which the Hub’s traffic could be redirected, before they could have taken advantage of the vulnerability we found.
What is SmartThings doing to ensure that this doesn’t happen again?
In addition to performing ongoing security testing as a part of the software development lifecycle, we regularly pay a third-party security firm to perform penetration testing on our platform. We believe that it is fundamental to have a proactive and aggressive approach to protecting customers’ security and data and will continue to do everything we can to stay in front of any potential issues.