Security on the Local LAN?


(joe) #1

I was writing a smart app that sent/received data to a device on my local area network. To do this I am using sendHubCommand and am also subscribing to events at that location. While doing this I found that the subscription will receive all of the traffic that comes in on the hub (basically anything that comes to tcp port 39500 on the hub).

This does not seem very secure to me since all a hacker would need to do is get an unsuspecting person to install a mischievous smart app that listens for data and forwards it to some other server. While this is probably not a big deal if you are just turning lights on and off, if you are controlling door locks or alarms via wifi it could be a pretty big problem.

Is there any way to protect against this type of vulnerability? Maybe I should avoid sending/receiving directly to/from the hub?

Here is a simple bit of code that demonstrates the issue.

def initialize() {
    // Subscribe to every event on the Location object; filterEvents:false
    // means raw LAN messages reaching the hub are delivered too.
    subscribe(location, null, localLanHandler, [filterEvents: false])
}

def localLanHandler(evt) {
    // evt.description carries the raw LAN message; parse headers/body/mac/ip.
    def msg = parseLanMessage(evt.description)
    log.debug(msg)
}

Researchers say there are serious security problems in Samsung’s SmartThings
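For a SmartApp author who cannot change the platform, the practical mitigation is to make the app itself only act on (and only log) traffic from the one device it was granted, instead of dumping every message on port 39500. The handler below is an added example, not joe's code: it keeps the same location-wide subscription but discards any message whose source MAC does not match the selected device's deviceNetworkId. The preference name "myDevice" and the assumption that the device's DNI is its MAC address (rather than IP:port in hex) are both assumptions for illustration. Note what this does and does not do: it narrows what this app accepts and writes to its logs, but it does nothing about another installed SmartApp subscribing to the same Location events, which is the platform-level gap Terry describes.

```groovy
// Added example (not from the original post): a LAN handler that only
// accepts traffic from the single device this SmartApp was granted.
// Assumptions: the user selects the device under the hypothetical
// preference name "myDevice", and that device's deviceNetworkId is its
// MAC address (one of the two common SmartThings DNI conventions).

preferences {
    section("Device this app may talk to") {
        input "myDevice", "capability.switch", title: "LAN device", required: true
    }
}

def installed() { initialize() }
def updated()   { unsubscribe(); initialize() }

def initialize() {
    // Same broad subscription as in the original post; the platform offers
    // no narrower LAN filter here, so filtering has to happen in the handler.
    subscribe(location, null, localLanHandler, [filterEvents: false])
}

def localLanHandler(evt) {
    def msg = parseLanMessage(evt.description)

    // Normalise both sides: DNIs are usually upper-case hex without colons.
    def expectedMac = (myDevice?.deviceNetworkId ?: "").toUpperCase()
    def sourceMac   = (msg?.mac ?: "").toUpperCase()

    if (!expectedMac || sourceMac != expectedMac) {
        // Traffic from anything else on port 39500: ignore it, and do not
        // log the body, so this app's logs are not one more place it leaks.
        log.debug "Dropping LAN message from ${sourceMac ?: 'unknown'}"
        return
    }

    // Only now touch the payload, and keep what is logged minimal.
    def body = msg.body ?: ""
    if (body.size() > 4096) {
        log.warn "Payload from ${sourceMac} larger than expected; ignoring"
        return
    }
    handleDeviceMessage(body)
}

// Whatever the app actually does with the device's message (placeholder).
def handleDeviceMessage(String body) {
    log.debug "Accepted ${body.size()} bytes from the authorised device"
}
```

The size check and the refusal to log unmatched bodies are deliberate: a location-wide subscription means the handler will be invoked for every LAN message the hub receives, so the handler's own logging is part of the exposure joe is worried about.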
(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #2

Good observation.

I’ve raised similar concerns before in a different context. The “Location” object can be accessed by any installed SmartApp, unlike Devices which must be individually granted to each SmartApp.

That’s the first opening to the vulnerability you describe.

Not sure if there is an easy solution… Ideally there needs to be some sort of Firewall to filter LAN Events so they only go to the specific authorized SmartApp?