SmartThings Security


#1

I’m interested in learning more about SmartThings security. What are the hardware and software mechanisms that keep a hacker from accessing my hubs and/or the devices associated with my hubs?


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #2

Here’s one starting point… And use Forum Search :mag_right: for existing Topics, because I don’t think SmartThings has published a comprehensive overview.

https://docs.smartthings.com/en/latest/architecture/index.html

Lots of technologies are blended to create SmartThings and each has individual security paradigms. They don’t have to work together because of access between components is isolated and controlled overall.


#3

See the FAQ (this is a clickable link)


#4

This is a great list of best practices and actions for users. Thanks for putting it together. My interest is in the specific hardware and software built into SmartThings that makes it secure. By way of clumsy analogy: wearing your seat belt and driving the speed limit is recommended for staying safe in your car, and technology such as automated breaking and lane departure warnings are the “built in” safety for the car.


#5

Do you know what role the hub’s unique serial number plays into the security of the system?

I assume it plays a role since a popular online retailer displays this disclaimer:

What you need to know – This product has a serial number that uniquely identifies the item. When your order ships, [online retailer] will scan the serial number and add it to the history of the order. Should the item go missing before it arrives, [online retailer] may register the serial number with loss and theft databases to prevent fraudulent use or resale of the item. There is no action required from you and the serial number will only be used to prevent fraudulent activity associated with the missing item.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #6

I don’t know the implementation.

But I assume that someone cannot easily “clone” a Hub and have it impersonate a real one. There is likely an encrypted key exchange.

Keep in mind that the ZigBee and Z-Wave controller chips in the Hub also have unique network IDs, thus even if a Hub were cloned (it’s MAC and IP address?), the cloned Hub could not participate in, or control, the ZigBee and Z-Wave networks of the original Hub.


#7

The first link in the first paragraph of the FAQ takes you to a third-party industry report that lists some of the security measures that smartthings has implemented.

As far as the hub ID, each hub has a unique identification code, called the welcome code ( or activation code) in SmartThings documentation, which you will use when you set up the cloud account for that hub. But just knowing the code doesn’t tell you anything: the cloud account is also secured by email address and password.

Amazon is now using this kind of serial number to prevent one of their most common types of fraud: a customer who claims the product was never delivered. If an Amazon customer reports non-receipt of a package, Amazon reports that serial number back to the manufacturer to make sure it doesn’t get registered after theft is reported.

It also prevents a bad actor customer from buying an item and then returning a different, less expensive item for credit, something that had been happening with expensive game consoles.


#8

Once a hub has been “activated“ (assigned to a cloud account ), That same hub cannot be assigned to a different cloud account without the intervention of support.

That prevents someone else from hijacking your network (like your door locks) just because they know your serial number.