Security of SmartThings ecosystem

The fact is, here, that the security breach is in the sensor mesh network.
This is nothing a user can configure. So yes, users have to ensure their (internet) network (the wifi…) is configured correctly with all the security features your ISP/box can offer.

This will not prevent a “hacker”, or more generally a thief, from using a tool (a Raspberry with an XBee module, or worse, an Arduino?) to get access to the SSL security key and unlock your door or ring your alarm (or shut it down).
In a few weeks, when a “complete solution” is available, any script kiddie, like the son of your neighbour, will be able to fuck up your setup, turn your lights on in the night or set your thermostat to 10 degrees C and freeze you in the night.

My point here is, there is now a known flaw in the Z-Wave and XBee protocols, and I wonder how ST is doing with this?
Maybe it is using its own certificate, which is a good starting point, but maybe it is not. In the latter case, I expect ST to come up with a solution to upgrade the hub and re-pair the devices so a new “private” certificate is used instead of the factory ones.

I don’t want to scare anybody. Maybe I should ask this question to the support. Or maybe some ST engineer reading this thread will be able to provide some technical details.

Having anybody able to hack, control or read my devices is a security concern to me. If ST is prone to this kind of risk, owners have to be told.
If ST knows about it and does nothing, customers may take action and ask to be refunded for their “unsecure” hardware.