SmartThings Security Approach - Abstract

Hi all –

I know there’s been some questions and discussion around the security approaches that we’ve taken in building the SmartThings Platform, so I wanted to make this paper available to all of you. It’s an abstract that describes our security approach at a high-level, and we’ll release a much more detailed paper in the Fall.

Abstract - SmartThings Security Strategy & Approach

Thanks,
Dan Lieberman
SmartThings, Inc.

4 Likes

Quick question. Since this document only addresses physical devices and their virtual representation in the physical graph, would it be fair to assume that virtual devices and SmartApp data are also owned by the user?

Example, my location isn’t tied to a device (maybe the hub) is that data private?

Is using another cloud based service that has no physical device also protected user data?

How is that data protected from ST employees and contractors or 3rd party providers?

What audit trail exists to show who accessed my private data? Since it is considered private by SmartThings, will you be compliant with all state laws regarding user data privacy?

If I suspect my data has been compromised what is the proper way to file a complaint and what would be the resolution to these incidents, if/when they would occur?

What is SmartThings policy on unauthorized data access disclosure? Will you publicly announce it, or just notify the affected users, or keep it quiet?

Thanks for your answers in advance…

4 Likes

It may be useful to note (as has come up in various discussions / feature requests), that Access Control granularity is limited to the “Device Instance” resolution.

As an example, a user can authorize a SmartApp to have full access to a particular Lock, but cannot limit that access to only the read-only Attributes, nor to particular Commands such as “lock()”, but not “unlock()”.

The read-only functionality would be useful, as then the Lock could be used as an “open/closed” Sensor while protecting the Lock from manipulation.

The Command level granularity is less critical, but the use case I gave (lock but not unlock) is quite conceivable. For example, folks have been discussing the obvious risks of granting access to their door locks to their Amazon Echo – someone could yell “Alexa, unlock the front door.” … But note, if I am able to only grant Command “lock()”, then we still can use Echo to make sure the front-door is locked via voice control. (And the read-only example applies here too … “Alexa, are all my doors locked?”).

And thus we’d be one step closer…

“Alexa, unlock the pod bay doors.”

“I’m sorry Dave, I’m afraid I can’t do that.”

:satisfied:

3 Likes

@dlieberman Can you please let us know your intentions on answering the above questions that are not addressed in the document you shared?

Or will we just have to wait till the fall when a more detailed paper is released?

Also, I will ask again, since it was several months ago that I asked for it.

Is there an official channel (besides support@smartthings.com) to submit potential vulnerabilities or suspected private data breaches we can report our concerns to?

1 Like

It would be great if we really felt that SmartThings takes vulnerabilities seriously, as professional / industry conventions have set precedent.

EG:

You could do this with a special device type (kinda like the big switch) which only passes on the lock() request to the physical lock. Then only grant your 3rd party services access to that device.

Also gives you the “revoke” ability since you could either delete or set the virtual device to nothing.

But yeah, would be messy.

1 Like
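The lock-only proxy sketched in the post above (a "big switch"-style virtual device that only forwards lock(), never unlock(), plus the read-only "is it locked?" sensor from the earlier post) can be written as one SmartThings SmartApp. The following is an added example, not code from the thread or from SmartThings. It assumes the user has created two virtual devices in the IDE: a Simulated Switch (named here `virtualButton`) and a Simulated Contact Sensor (named here `virtualContact`, assumed to expose `open()`/`close()` commands). The third-party service (Echo, IFTTT, etc.) is then granted access to those two virtual devices only, never to the physical lock.

```groovy
/**
 *  Lock-Only Proxy (added example, not SmartThings' own code)
 *
 *  Assumptions (hypothetical, not from the thread):
 *   - "virtualButton"  is a Simulated Switch the user created in the IDE
 *   - "virtualContact" is a Simulated Contact Sensor with open()/close() commands
 *   - third-party services are authorized for the two virtual devices only
 */
definition(
    name: "Lock-Only Proxy",
    namespace: "example",
    author: "forum example",
    description: "Virtual switch that can only lock() a physical lock, plus a read-only contact sensor mirroring its state",
    category: "Safety & Security",
    iconUrl: "",
    iconX2Url: ""
)

preferences {
    section("Physical lock to protect") {
        input "realLock", "capability.lock", title: "Lock", required: true
    }
    section("Virtual devices to expose to third parties") {
        input "virtualButton", "capability.switch", title: "Lock-only switch", required: true
        input "virtualContact", "capability.contactSensor", title: "Read-only lock state", required: false
    }
}

def installed() { initialize() }

def updated() {
    unsubscribe()
    initialize()
}

def initialize() {
    // Only the "on" transition reaches the lock. "off" is subscribed purely so the
    // log shows it was seen and dropped: there is no code path that calls unlock().
    subscribe(virtualButton, "switch.on", lockRequested)
    subscribe(virtualButton, "switch.off", ignoreOff)
    // Mirror the physical lock's state into the read-only contact sensor.
    subscribe(realLock, "lock", lockStateChanged)
    mirrorState(realLock.currentValue("lock"))
}

def lockRequested(evt) {
    log.debug "virtual switch on -> lock() on ${realLock.displayName}"
    realLock.lock()
    // Reset the virtual switch so the next "on" is a fresh event; this never touches the lock.
    virtualButton.off()
}

def ignoreOff(evt) {
    log.debug "virtual switch off ignored; unlock() is never forwarded"
}

def lockStateChanged(evt) {
    mirrorState(evt.value)
}

private void mirrorState(String lockState) {
    if (!virtualContact) return
    // "closed" == locked, "open" == unlocked (assumed Simulated Contact Sensor commands)
    if (lockState == "locked") virtualContact.close() else virtualContact.open()
}
```

Revocation falls out of the design for free: deleting the virtual switch, or removing it from the SmartApp's selection, severs the only path a third party has to the physical lock. A service that can only see `virtualContact` can answer "are all my doors locked?" without being able to change anything.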

It doesn’t have to be messy, in theory.

The shadow Devices and virtual Devices are useful in so many ways that it would be great if they were seamlessly integrated into the platform (i.e. could be created on the fly by the UI and API / SmartApps, and could be organized… hidden or linked to their related physical devices in a nice UX).

A very workable design challenge that actually doesn’t require an architectural change to the underlying platform.

@pstuart - Sorry for the delay in getting back to you - I’m on vacation and haven’t really been online.

I’ll block off some time next week to compile and answer as many of the questions as I can. As for a forum for reporting, I’d continue to suggest using support@smartthings.com, as we can then track issues using the support ticketing system. Is there a reason that you’d prefer for there to be a separate channel?

Thanks,
-d

I’ve been personally told by your support team management that they have to move tickets into the “Resolved” status as soon as possible in order to keep the queues manageable and their metrics favorable.

As a result, issues are often “resolved” by just informing the Customer it is a known issue with an undetermined fix date.

This interaction is discussed in various Forum posts.

Due to your internal process described above, the Support ticket channel is not appropriate for potentially critical security discoveries.

1 Like

The last time I submitted a security flaw to support they told me to bring it to the community. Unless things have changed and support has the appropriate protocol to escalate potential security issues properly, it would be nice to skip the first level support. Especially if they are the source of a potential security breach.

2 Likes

Maybe in the new developer portal we could have a page like this.

https://technet.microsoft.com/en-us/security/ff852094.aspx

or this

https://www.google.com/about/appsecurity/

or this

Every one of those have PGP keys to encrypt a security issue report and a separate email address specifically for tracking security concerns.

2 Likes

Again, sorry for the delay in getting answers to your questions here. I’ll do my best to answer them one by one:

Since this document only addresses physical devices and their virtual representation in the physical graph, would it be fair to assume that virtual devices and SmartApp data are also owned by the user? Example, my location isn’t tied to a device (maybe the hub); is that data private?

Yes - this policy doesn’t apply ONLY to devices that are connected to the hub, but to all event and account data for a given Location.

There are specific policies governing the use of anonymized and aggregated data, as well as the sharing of data with third-party businesses opted-in to by the user available in our Terms of Use and Privacy Policy available on the SmartThings website.

Is using another cloud based service that has no physical device also protected user data?

There’s some nuance here since we don’t have any control over the remote system and how they use your data. As above, event data that is stored in the SmartThings Platform is treated by SmartThings as protected user data, but once that information leaves the SmartThings Platform - say, because the user linked their SmartThings account to a remote cloud service or accepted incremental Terms and Conditions associated with a third-party business - that data becomes governed by the Terms of Use and Privacy Policies of the remote service. This is also detailed in our Privacy Policy available on the SmartThings website.

How is that data protected from ST employees and contractors or 3rd party providers?

There are instances in which SmartThings operations and support personnel must gain access to databases to ensure the operation of the service and to support users in solving issues that arise. There are internal policies in place to minimize access to data including limiting the number of employees who have direct access to databases for the purposes of maintaining and operating the service, and requiring that any support personnel be granted explicit permission from users before accessing their data through our support tools. We are currently working on documenting all of the specific policies and procedures around our information security and privacy programs and additional detail will be included in the more detailed white paper when it is published. In the meantime, our Terms of Use and Privacy Policy are always available on the SmartThings website.

What audit trail exists to show who accessed my private data? Since it is considered private by SmartThings, will you be compliant with all state laws regarding user data privacy?

SmartThings always endeavors to maintain compliance with all regulatory requirements for the regions in which we operate. As above, additional detail around specific policies and procedures will be included in the white paper when it is published.

If I suspect my data has been compromised what is the proper way to file a complaint and what would be the resolution to these incidents, if/when they would occur?

If you suspect that your data has been compromised, please reach out to support@smartthings.com to begin an investigation. Resolution would be dependent on the specifics of each case, though as above, additional documentation around policies and procedures is under development.

What is SmartThings policy on unauthorized data access disclosure? Will you publicly announce it, or just notify the affected users, or keep it quiet?

As always, we’ll comply with local regulations - though again, there’s a lot of nuance here and beyond that it’ll depend entirely on the specifics of the case. This is also another area that will be addressed in more detail in the development of the documentation of policies and procedures.

As for security / vulnerability disclosures, we’ve had disclosures from third-party security research firms come through our support@smartthings.com channel, and we’ve always taken them seriously and made sure to quickly validate submissions, remediate any issues, and re-test once patches are in place. This has been the case with disclosures from companies like Gotham Digital Science, Tripwire VERT, and the NCC Group, who have all worked with us to ensure that we patch discovered vulnerabilities before they publish their reports.

In all of these cases, support has escalated these disclosures and we’ve exchanged keys with the submitter to manage secure communications, but I do like the suggestion to make available a public key specifically for these types of submissions. We’ll look into that further.

Thanks,
-d

3 Likes

Thanks for the reply. Looking forward to the further details.

I would highly doubt any other company in this space would take the time or consideration to detail this level of data and user protections in place or will be in place.

With anything involving users and employees / contractors, there are always risks with data and security issues.

Two more questions. I’ve been told that 2 stage authentication for the mobile app and IDE are NOT on the roadmap and not considered a priority.

Can this be looked at again and see if 2 stage (optional) authentication can be implemented ASAP for mobile and the IDE?

This would go a long way toward shoring up the weakest part of the ST ecosystem, the user and their password.

Also, there seems to be a significant oversight / omission in the OAuth2 implementation in SmartApps, where there is no exposed method to revoke a security token for installed SmartApps.

Can this also be prioritized to be fixed ASAP (as it was first identified in Oct 14) to give developers the ability to revoke or expire OAuth security tokens?

These two items would improve security dramatically at the user level.

Thanks!

3 Likes

Hey Ben. While I’m very enthusiastically anticipating V2 of the hub, I continually am disappointed with the reality of devices I buy, especially new ones, that have what I consider to be security and privacy-breaching built-in to them as their default. So before I pre-order, I thought I’d ask about this since I can’t find anything detailed on the ST site, forums, etc…

As a company, Samsung is clearly accelerating what they do with connected device data collection. As an example, I ended up setting my Samsung TV as a monitor-only—and am using my various other media devices to drive content to it—since the constant updating and phoning home the TV did while connected were violations I viewed as insanely intrusive.

As such, I am intentionally seeking out devices which I can control over what (and how much) data is released. I’ve done that by buying direct-connect cameras (vs. using cloud-service-only cameras), for example, and will do so with IoT devices whenever I can.

Thoughts?

1 Like

In this case, I’m afraid any cloud-based system is not for you. SmartThings, Wink, Alexa, they all use the cloud extensively and you have no control over what data is shared with the cloud. If this is a concern for you, there are alternatives that can work without an Internet connection, for example Staples Connect and Vera Edge.

1 Like

Geko, did you note that I was clear about describing those devices/services “I can control” and choose what is and is not captured? I know how the cloud works and I know that the sort of control I expect is also limited.

At the same time when I go out and spend $2k+ on a Samsung TV and they have built-in draconian data capturing, I expect a higher level of control than when I opt to use a SaaS service (e.g., Google services) where I know that I’m the product since they’re giving me all of that stuff for free. There’s a difference and I asked the question mainly to discover if ST’s new Samsung overlords have “guided” them toward modest, or extreme, levels of data capture.

This might be of interest on the security and privacy questions:

2 Likes

Good grief, put the tin foil hat away, I sincerely hope you don’t have any Google or Apple devices, ALL of these are reporting back and listening.

Samsung got busted about their TVs, everyone lost their proverbial poo and acted like they were the only one that could be accused of doing it…

If you are GENUINELY concerned, I hope your ‘tcpdump’/wireshark skills are up to snuff…