SmartThings Security Approach - Abstract

Maybe in the new developer portal we could have a page like this.

https://technet.microsoft.com/en-us/security/ff852094.aspx

or this

https://www.google.com/about/appsecurity/

or this

Every one of those has PGP keys to encrypt a security issue report and a separate email address specifically for tracking security concerns.

2 Likes

Again, sorry for the delay in getting answers to your questions here. I’ll do my best to answer them one by one:

Since this document only addresses physical devices and their virtual representation in the physical graph, would it be fair to assume that virtual devices and SmartApp data are also owned by the user? For example, my location isn’t tied to a device (maybe the hub); is that data private?

Yes - this policy doesn’t apply ONLY to devices that are connected to the hub, but to all event and account data for a given Location.

There are specific policies governing the use of anonymized and aggregated data, as well as the sharing of data with third-party businesses opted in to by the user, in our Terms of Use and Privacy Policy available on the SmartThings website.

When using another cloud-based service that has no physical device, is that data also protected user data?

There’s some nuance here since we don’t have any control over the remote system and how they use your data. As above, event data that is stored in the SmartThings Platform is treated by SmartThings as protected user data, but once that information leaves the SmartThings Platform - say, because the user linked their SmartThings account to a remote cloud service or accepted incremental Terms and Conditions associated with a third-party business - that data becomes governed by the Terms of Use and Privacy Policies of the remote service. This is also detailed in our Privacy Policy available on the SmartThings website.

How is that data protected from ST employees and contractors or 3rd party providers?

There are instances in which SmartThings operations and support personnel must gain access to databases to ensure the operation of the service and to support users in solving issues that arise. There are internal policies in place to minimize access to data including limiting the number of employees who have direct access to databases for the purposes of maintaining and operating the service, and requiring that any support personnel be granted explicit permission from users before accessing their data through our support tools. We are currently working on documenting all of the specific policies and procedures around our information security and privacy programs and additional detail will be included in the more detailed white paper when it is published. In the meantime, our Terms of Use and Privacy Policy are always available on the SmartThings website.

What audit trail exists to show who accessed my private data? Since it is considered private by SmartThings, will you be compliant with all state laws regarding user data privacy?

SmartThings always endeavors to maintain compliance with all regulatory requirements for the regions in which we operate. As above, additional detail around specific policies and procedures will be included in the white paper when it is published.

If I suspect my data has been compromised what is the proper way to file a complaint and what would be the resolution to these incidents, if/when they would occur?

If you suspect that your data has been compromised, please reach out to support@smartthings.com to begin an investigation. Resolution would be dependent on the specifics of each case, though as above, additional documentation around policies and procedures is under development.

What is SmartThings’ policy on unauthorized data access disclosure? Will you publicly announce it, or just notify the affected users, or keep it quiet?

As always, we’ll comply with local regulations - though again, there’s a lot of nuance here and beyond that it’ll depend entirely on the specifics of the case. This is also another area that will be addressed in more detail in the development of the documentation of policies and procedures.

As for security / vulnerability disclosures, we’ve had disclosures from third-party security research firms come through our support@smartthings.com channel, and we’ve always taken them seriously and made sure to quickly validate submissions, remediate any issues, and re-test once patches are in place. This has been the case with disclosures from companies like Gotham Digital Science, Tripwire VERT, and the NCC Group, who have all worked with us to ensure that we patch discovered vulnerabilities before they publish their reports.

In all of these cases, support has escalated these disclosures and we’ve exchanged keys with the submitter to manage secure communications, but I do like the suggestion to make available a public key specifically for these types of submissions. We’ll look into that further.

Thanks,
-d

3 Likes

Thanks for the reply. Looking forward to the further details.

I would highly doubt any other company in this space would take the time or consideration to detail this level of data and user protections in place or will be in place.

With anything involving users and employees / contractors, there are always risks with data and security issues.

Two more questions. I’ve been told that 2 stage authentication for the mobile app and IDE are NOT on the roadmap and not considered a priority.

Can this be looked at again and see if 2 stage (optional) authentication can be implemented ASAP for mobile and the IDE?

This would go a long way toward shoring up the weakest part of the ST ecosystem, the user and their password.

Also, there seems to be a significant oversight / omission in the OAuth2 implementation in SmartApps, where there is no exposed method to revoke a security token for installed SmartApps.

Can this also be prioritized to be fixed ASAP (as it was first identified in Oct 14) to give developers the ability to revoke or expire OAuth security tokens?

These two items would improve security dramatically at the user level.

Thanks!

3 Likes
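To make the revocation gap in the post above concrete, here is an added illustration (not SmartThings platform code, and not a description of how their SmartApp tokens actually work) of what a revocation capability involves, following the semantics of RFC 7009 (OAuth 2.0 Token Revocation). The class `TokenStore`, the dataclass `IssuedToken`, and the method names `issue`, `is_valid`, `revoke`, `revoke_all_for_client` and `revoke_all_for_user` are assumptions made for this example. It goes a little beyond the post by also showing platform-side bulk revocation (app uninstall, user-initiated cut-off) and by storing only an HMAC of each token.

```python
"""Added example: OAuth 2.0 bearer-token revocation with RFC 7009 semantics.
Not SmartThings platform code; TokenStore, IssuedToken and the method names
are assumptions made for this illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class IssuedToken:
    client_id: str      # the installed app the token was issued to
    user_id: str        # the account that granted access
    expires_at: float   # unix timestamp after which the token is dead
    revoked: bool = False


class TokenStore:
    """Keeps an HMAC of each token rather than the token itself, so a copied
    database does not hand anyone usable bearer tokens."""

    def __init__(self, hash_key: bytes):
        self._hash_key = hash_key
        self._tokens = {}   # hmac hex digest -> IssuedToken

    def _key(self, token: str) -> str:
        return hmac.new(self._hash_key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, client_id: str, user_id: str, lifetime_s: int = 3600,
              now: float = None) -> str:
        """Mint a random bearer token; 'now' is injectable for deterministic tests."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = IssuedToken(client_id, user_id, now + lifetime_s)
        return token

    def is_valid(self, token: str, now: float = None) -> bool:
        """What a resource server checks on every request: known, unexpired, not revoked."""
        now = time.time() if now is None else now
        rec = self._tokens.get(self._key(token))
        return rec is not None and not rec.revoked and now < rec.expires_at

    def revoke(self, token: str, client_id: str) -> str:
        """Client-initiated revocation (RFC 7009 section 2.1).
        'revoked' and 'unknown' both map to HTTP 200: the RFC says not to
        error on invalid tokens, so callers cannot probe which tokens exist.
        'refused' covers a token issued to a different client, which the RFC
        says the server must reject."""
        rec = self._tokens.get(self._key(token))
        if rec is None:
            return "unknown"
        if rec.client_id != client_id:
            return "refused"
        rec.revoked = True
        return "revoked"

    def revoke_all_for_client(self, client_id: str) -> int:
        """Platform-initiated: uninstalling an app should kill every token it holds.
        Returns how many live tokens were revoked."""
        count = 0
        for rec in self._tokens.values():
            if rec.client_id == client_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def revoke_all_for_user(self, user_id: str) -> int:
        """Platform-initiated: a user who suspects compromise (or changes their
        password) can cut off every installed app at once."""
        count = 0
        for rec in self._tokens.values():
            if rec.user_id == user_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    # Constructed demo values; the hash key would come from a secrets manager in practice.
    store = TokenStore(b"constructed-demo-key")
    t = store.issue("app-a", "user-1", now=1000.0)
    print("valid before revoke:", store.is_valid(t, now=1500.0))
    print("revoke by other client:", store.revoke(t, "app-b"))
    print("revoke by owner:", store.revoke(t, "app-a"))
    print("valid after revoke:", store.is_valid(t, now=1500.0))
```

The point for the thread is the distinction between expiry and revocation: a short lifetime limits how long a leaked token is useful, but only a revocation path (per app, per user, or per token) lets a developer or a user cut off an installed app immediately rather than waiting for the clock to run out.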

Hey Ben. While I’m very enthusiastically anticipating V2 of the hub, I continually am disappointed with the reality of devices I buy, especially new ones, that have what I consider to be security and privacy-breaching built-in to them as their default. So before I pre-order, I thought I’d ask about this since I can’t find anything detailed on the ST site, forums, etc…

As a company, Samsung is clearly accelerating what they do with connected device data collection. As an example, I ended up setting my Samsung TV as a monitor-only—and am using my various other media devices to drive content to it—since the constant updating and phoning home the TV did while connected were violations I viewed as insanely intrusive.

As such, I am intentionally seeking out devices which I can control over what (and how much) data is released. I’ve done that by buying direct-connect cameras (vs. using cloud-service-only cameras), for example, and will do so with IoT devices whenever I can.

Thoughts?

1 Like

In this case, I’m afraid any cloud-based system is not for you. SmartThings, Wink, Alexa: they all use the cloud extensively and you have no control over what data is shared with the cloud. If this is a concern for you, there are alternatives that can work without an Internet connection, for example Staples Connect and Vera Edge.

1 Like

Geko, did you note that I was clear about describing those devices/services “I can control” and choose what is and is not captured? I know how the cloud works and I know that the sort of control I expect is also limited.

At the same time when I go out and spend $2k+ on a Samsung TV and they have built-in draconian data capturing, I expect a higher level of control than when I opt to use a SaaS service (e.g., Google services) where I know that I’m the product since they’re giving me all of that stuff for free. There’s a difference and I asked the question mainly to discover if ST’s new Samsung overlords have “guided” them toward modest, or extreme, levels of data capture.

This might be of interest on the security and privacy questions:

2 Likes

Good grief, put the tin foil hat away. I sincerely hope you don’t have any Google or Apple devices; ALL of these are reporting back and listening.

Samsung got busted about their TVs, everyone lost their proverbial poo and acted like they were the only one that could be accused of doing it…

If you are GENUINELY concerned, I hope your ‘tcpdump’/wireshark skills are up to snuff…

It doesn’t hurt to ask. You won’t know until you ask. Since ST is charging you peanuts for a hub, I wonder what they are doing with all the data. Selling it to China?

Unless you work for the NSA you don’t really have that kind of control. Well, maybe, if you unsubscribe from your internet service, don’t ever pick up the phone and always use cash when you buy things!

Sure, except you expect any manufacturer to come out and tell you?

Actually a lot do, it’s just buried in their T&Cs…

Benji, a few tinfoil hat moments is a good thing. Wish more people had concern. Of course, you undoubtedly swing open your front door when a service technician appears and invite them in to go through your drawers, examine your computer and all its files, maybe scan your tax returns and mail? Or do you just draw the line there but skip over reading terms of service and license agreements?

Not to steer the subject of this thread but of course I don’t expect an answer from the manufacturer but it’s good to have concern and bring it up. That’s what this community is for. :wink:

SBDOBRESCU: Obviously the level of data gathering and surveillance is unprecedented and, unfortunately, most of it is hidden and usually not secure.

I, for one, am not willing to bend over, grab my ankles, and hand any service provider a jar of Vaseline so they can have their way with me. My preference is to be aware, choose what I am willing and not willing to share, and do so with transparency.

Too often privacy and security takes a back seat to “customer convenience” and “it will help us improve the product and services we deliver to our customers.” Some of that is OK with me, but there is a reason I turn off location services on my phone for certain apps that I don’t want broadcasting my whereabouts to anyone who cares to look. When I load apps, and the operating system has a permissions prompt that allows ME to decide if I want my location broadcast, notifications and so on, then I have some level of control. That’s all I really expect…an ask…not just an assumption they can take anything and everything.

1 Like

No, I actually go and look at the data being transmitted as hinted :wink:

Just because I’m digging at your tin foil hat doesn’t mean it’s something that doesn’t concern me; the difference being that I know that certain features depend on certain data, and if I want them I have to agree to the data that is transmitted. Additionally, I understand that most of the data that is transmitted isn’t actually that big of a deal :wink:

Like I said, I sincerely hope you don’t have any Google or Apple products, you pretty much cannot do anything these days without devices sharing data. You’ve just got to understand that individually you’re not that important.

1 Like

Seems entirely reasonable to me.

@sborsch I can mostly only point to our Privacy Policy:

And state that we are not selling your data. We are against the practice of using personally identifiable info for anything other than troubleshooting and improving the experience of using SmartThings.

5 Likes

The issue is, if you want all the basic functionality and don’t want any outside connection, why should you have to push data? If you do want a function that requires pushing data upstream then fine, but not all of us do. I’m retired, old and creaky, and don’t get around well, which is why I am interested in this technology. I however go outside of my fence line maybe once a month for an hour to pay bills; that’s it. I don’t have a cell phone; don’t need one. I don’t want to let the world know when I wake up and don’t do social media. I do pay cash for everything I buy; I don’t have credit cards. I retired as an ethical hacker / security consultant. I am well aware that a company can have the best privacy policy in the world and be sold and change it. I know what my network security is like; I have no idea what SmartThings’ is like, so why should I trust any data to them? It’s not tinfoil hat, it’s called due diligence and proactive protection. I can see no technical reason for this at all unless you’re wanting to interact with social media and whatnot. Sure, they may want to collect data for troubleshooting and statistical analysis.

In conclusion, I like what the thing has to offer. I really want to buy it, but if I have to create an account to use it, forget it, not happening.

2 Likes

@dashoe - When we set out to build SmartThings, we recognized a significant shift in the opportunities for computing at scale afforded by the cloud, and that connecting everyday devices to the network will allow for entirely new applications and use-cases over time - especially with the vibrant developer community that has developed here.

Our vision is to provide our users with the easiest way to turn their home into a smart home, using whichever devices make sense for them. We still have a very long way to go as an industry to fully realize that promise, but one thing is very clear: no one standard will “win”, and no one company will manage all of the connected devices in the world.

With these two things in mind, we decided to build a connected product. We started with a cloud-first approach in which the SmartThings Hub was mainly a radio proxy to our cloud service, and we’ve made great advances with our recently released next generation Samsung SmartThings Hub that brings much of the message handling and event processing down to the Hub. This model allows many of our users’ automations to continue to run, even in the event of a temporary Internet service outage. It is, however, not intended to be used entirely as a disconnected device.

We recognize that this model isn’t for everybody, but we believe it is necessary to fulfill our vision of the truly connected home. There are other products out on the market that will operate in an entirely disconnected mode - and while they won’t bring the same benefits that SmartThings does, they may be more suitable for your use-case.

5 Likes