Protecting our customers’ privacy and data security is fundamental to everything we do at SmartThings. We regularly perform penetration tests of our system and engage with professional third-party security experts. We embrace their research so that we can continue to get in front of any potential vulnerabilities, and be industry leaders when it comes to the security of our platform.
A research report entitled “Security Analysis of Emerging Smart Home Applications” was released this morning by a team from the University of Michigan and Microsoft Research. The report discloses hypothetical vulnerabilities in the SmartThings platform and demonstrates how, under certain circumstances, they could be exploited.
It is important to note that none of the vulnerabilities described have affected any of our customers thanks to the SmartApp approval processes that we have in place. Over the past several weeks, we have been working with this research team and have also already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report.
Specific enhancements we have already implemented include:
Modifying the SmartThings platform to ensure that only “Published” OAuth SmartApps can be installed into customer accounts through the OAuth method. Published SmartApps are those that have undergone a complete source code security review by SmartThings to ensure that the application does only what it advertises as its purpose – and contains no malicious code.
Updating our best practices for development of SmartApps that expose web services, and mobile applications that integrate with the SmartThings platform. We are working with our third-party developer partners to ensure that all partners follow these best practices to avoid any potential vulnerabilities.
In all cases, we have strengthened our source code review processes and believe in their efficacy, but we are also working to update the underlying platform to systematically prevent these potential vulnerabilities in the future.
As an open platform with a growing and active developer community, SmartThings provides detailed guidelines on how to keep all code secure and how to determine what is a trusted source. Code downloaded from an untrusted source can present a potential risk – just as when a PC user installs software from an unknown third-party website, where there is a risk that the software may contain malicious code.
Even though current customers have not been impacted, we take the recommendations of Mr. Fernandes, Dr. Jung, and Dr. Prakash extremely seriously and are grateful for all opportunities to continue to improve the security of our platform.
Let us know any questions you’ve got here and we’ll be ready to dig further into the details.