Security Flaw with Smartthings App 1.7.51.42

I have spoken with several Smartthings support specialists regarding the security flaws of the most recent app update for the Smartthings app, version 1.7.51.42. I have tried the new update, 1.7.51.42, with two different VPNs, McAfee Connect and Private Internet Access, at this point and it does not work with them. In case you don’t know, using these apps without proper encryption can be attributed to incidents with IoT devices being hacked:

  1. https://vpnoverview.com/privacy/devices/privacy-risks-smart-thermostat/
  2. https://www.zdnet.com/article/smart-locks-opened-with-nothing-more-than-a-mac-address/#:~:text=A%20smart%20lock%20sold%20by,a%20MAC%20address%2C%20researchers%20say.

The Smartthings Classic app still works with the VPN, as do all previous versions of the app. Allowing this new update to bypass my VPN exposes it to cybercriminals. The Smartthings Classic app works just fine with the VPN. Conversely, I would like to say as respectfully as possible that the Samsung developers should NOT be seeking to encourage consumers to expose their devices to vulnerabilities that can be exploited by bypassing the VPN security features. Smartthings app 1.7.50-21 and previous versions worked just fine with VPN protocols. The idea is to PROTECT data and make it MORE secure, not create updates that make it less secure. Are their developers and support team going on record for Samsung acknowledging a security limitation of this new app without informing consumers of the risk?
3 Likes

So what did the smartthings support specialist tell you after you spoke with them?

Here. I’ll do you one better and post his response. They’re going to need to inform their consumers of this security issue now that they know it exists, and fix it or offer consumers their money back.

What’s even worse is when you mention security issues like stingray equipment and Bluetooth sniffers to the tech support representatives as the issue, they act like you’re speaking an entirely different language! I think it’s obvious they are not Security+ certified!

  1. https://www.techtimes.com/articles/246754/20200103/you-can-easily-get-into-anybody-s-smartphone-with-this-tool.htm
  2. https://www.buzzfeed.com/loganwilliams/listening-for-those-who-listen
  3. https://medium.com/bugbountywriteup/smartphone-surveillance-techniques-f9e206c5c456

There needs to be an escalation process in which people with good technical acumen and higher level of technical knowledge can communicate directly with developers there.

Tagging @jody.albritton @blake.arnold

It works with ProtonVPN.

@tleroy What settings are you using? Because I just tried that one a few minutes ago. The only way I found it could work is by using a split tunnel, which would allow the Smartthings app to transmit AROUND THE VPN, which is a security risk! Hackers can utilize that to get your information when it is transmitted to the Smartthings hub.

Split tunneling is disabled.

@tleroy You still did not say what settings you are using. What VPN protocol are you using? Because the only way I found that it will work is if the VPN is off, split tunneling is on, or you have allowed it to bypass with the “per app settings.” WHAT SETTINGS ARE YOU USING?

Someone mentioned when you get not-helpful support responses to reply with:

Your message has not solved my issue, please escalate this to your technical lead and team manager for further assistance.

2 Likes

@jlv I know, right! I was trying to get @tleroy to support his claim with some technical evidence. However, it appears he is either 1. messaging just to be “messaging,” or 2. has no idea how VPN protocols work.

I’m not stupid…

The VPN is not being bypassed with split tunneling.
It doesn’t matter: openVPN or IKEv2. Both work.
It doesn’t matter: secure core on or off. Both work.
It doesn’t matter: TCP or UDP. Both work.
It doesn’t matter: alternate routing on or off. Both work.

1 Like

I’m currently using SmartThings 1.7.51.42 through TunnelBear. It just works.

1 Like

@aruffell mentioned he had to whitelist Chinese IP addresses to stop the new app from crashing, so I wouldn’t put it past them not to allow using the new app securely with VPNs. I know they don’t provide support if you use an ST hub through a VPN.

1 Like

you got it.

1 Like

Respectfully, I’m a network engineer (but with no connection with Smartthings other than as just another customer), and I’ve seen many situations where some VPNs worked and some didn’t.

It is not appropriate to ask another community member not to comment when they are providing factual data about their own experience. If you feel you need more technical information than they have provided, then ask politely for that.

I would note the important point that @alwas made: that in the past there have been issues with specific IP blocks, and that may need to be investigated.

In any case, it is unquestionably disappointing that Smartthings does not provide some kind of recommended VPN option, even if they only want to pick a couple of specific products. That just seems odd.

You also didn’t say what country you are in. There have also been multiple issues in the past with the platform handling different regions differently. So that would be helpful information.

I understand how frustrating this is, and it’s been extremely frustrating to deal with support since they shifted from dedicated smartthings staff to the general Samsung desk. (One of my friends reported a problem and support asked where they had bought their virtual switch. Sigh. :disappointed_relieved:)

Anyway, this is a very helpful, creative community, with people at many different technical levels, so the more information that can be shared here, the closer we can all get to seeing if there is some kind of solution.

Submitted with respect.

3 Likes

@JDRoberts Yeah, I understand what you are saying, man. I was not trying to be rude or anything like that. I was just merely asking for the guy to provide some technical input as it relates to his claims about his VPN settings. There are a few details as to how that could be. I found that if the VPN settings are not set to “Always on” in the VPN profile part of the phone, apps can still work around the VPN and the Smartthings app can connect that way. However, that’s not a secure process, and that has only become an issue with this new update. It has not been an issue with any of the previous updates. As a matter of fact, the Plume app still works fine and the Smartthings Classic app works just fine.

1 Like

Since you mentioned the Plume app, does that mean you are using the Hub model that is also a WiFi mesh system? If so, that could explain why you are seeing a problem and other community members are not: it’s very different firmware.

(And if I recall correctly, @tleroy is not using the WiFi mesh model. I think he has a V2, but I don’t know if he’s updated to the V3. But different hub models could definitely explain why the two of you had different VPN experiences.)

What is the model number of your hub? (It should be on a label on the underside.)

@JDRoberts EXACTLY! That’s what I was thinking and why I was trying to get more details. Smartthings Wifi has the AI security feature, so it is different than just the hub. However, I do have a version 3 hub as well. But the version 3 hub is connected directly to the modem, not the Smartthings Wifi. Also, I use the router mode for the Smartthings Wifi for the secure network feature. I would not imagine that would be an issue, because the only time there is an issue is when I have my VPN on. When I turn it off, it’s fine. Also, the Classic app and the previous version of the app did fine with it for years.

1 Like

I have hub v2 and the latest Smartthings application on Android 9. I’m in the US.
When I use my phone on local WiFi or cell data, the Smartthings app works fine.
When I try to connect through a VPN on my phone (built into Android, PPTP or L2TP), the ST app gives me “no network connection” on tiles.
It does not matter if I VPN to my home hub location or some place else: the ST app does not work.