SmartTiles (& "other" External Services) Security

Continuing the discussion from SmartTiles Dashboard 5.4.2 - July 13 (www.SmartTiles.click):

Hi John,

@625alex may add details in his own words, but I’m providing first-line support while “Version 6” of SmartTiles is under development (no release date announced), so here’s a start to help put this in perspective.

Version 5’s source code also open for a while and was reviewed by various Community Members, so they can chip in as well, and, the fundamental OAuth security model utilized is a fundamental piece of the SmartThings Platform.

First of all, there’s no value to me replicating the official SmartThings Documentation of the architecture involved (“Web Services SmartApps”). In order for you to fully understand the security model, I must first point to the Documentation and assume that you have read it and can refer back to as necessary: http://docs.smartthings.com/en/latest/smartapp-web-services-developers-guide/index.html

Next, in general, your summation of the access rights granted to third-party services via Web Services SmartApps is essentially correct, thought there are some subtle differences that may apply in certain exception situations. Regardless, in the general case, it is important to acknowledge that access granted via the OAuth process to a SmartApp is a similar risk level for every third-party that you authorize, including, but not limited to, such examples as IFTTT, Amazon Echo / Alexa, The Ubi, SmartRules, Sharp Tools, Simple Rule Builder, InitialState, ThingLayer, etc, etc!

I list those examples not to deflect from the level of exposure you describe, but to emphasize that this is absolutely the intended, customary, typical, and standard method of granting third-party applications to access your Devices. The granularity of access is at the individual Device Instance level (i.e., if you grant access to some of your Switches, but not Locks, the third party application cannot subscribe to Events, read Attribute or run Commands against those Locks or non-authorized Switches. Unfortunately, the granularity is no finer than that: If you grant access to a Lock, it is full access to all the Events, Attributes and Commands (e.g., currently there is no option in SmartThings to grant “read-only” access to a Device Instance – you could create Virtual/Shadow Devices to get around this limitation, however). All this is described in the Documentation, though perhaps with more or less detail.

“Officially” published Third-Party services (via the method above, OAuth Web Services SmartApps) do have their SmartApps Only go through a review process (by SmartThings) before being published, which does not significantly increase trustworthiness of the service, though, because SmartThings still has no control of the actual Third-Party service. SmartThings could certify, for example, that the particular Web Services SmartApp does, in fact, only access Devices for “read-only” purposes, but that would be appropriate for a limited set of third-party services, obviously. The ones I list, IFTTT, Alexa, etc., need “control” permission, but even in the cases of published integrations, SmartThings is not able to audit the service itself to confirm their functionality, security, and data retention policies.

The behavior of Third-Party services can be monitored to some extent via the Event log entries that are triggered by the SmartApp. If a Lock is mysteriously unlocked, for example, SmartThings does, I believe, consistently trace which SmartApp triggered that action. If you did not expect IFTTT or SmartTiles to run an unlock command, at least there will be an audit trail. NB: Events have flags which determine their visibility; I don’t think Events can be hidden entirely though. This paragraph needs verification for accuracy.

So how big should your concern be?

Well… firstly, any and all Third-Party services will always have less access to your account, location, hub, and devices than SmartThings themselves. So we already must put significant faith in a cloud-based company to have strong security systems, policies, and procedures in place and constantly vigilantly contained. SmartThings publishes their data sharing policies as well as related Terms of Use on their web pages. I can tell you for a fact, however, that SmartThings own platform has some significant security flaws which they have not published and refuse to publish, and hopefully are in the process of remediation. Whether or not they should be more transparent regarding these vulnerabilities is a discussion for a different topic, as that is completely outside the control and scope of SmartTiles.

Secondly, all Third-Party services using the Web Services SmartApp OAuth authorization process are limited by the specific Devices that you authorize using the authorization web page and/or the Preferences configuration pages for the SmartApp in the SmartThings mobile App. The latter is the case for all SmartApps, actually, and is the fundamental access control method. If has some trust doubts regarding a particular SmartApp, or a particular third-party service, then by default it has access to none of your Devices, except those you expressly grant (it will only have access to some very few Location Scope functions, such as location.mode, and routines – I consider this to be a small leak that SmartThings should close, but again, not “our” problem – SmartThings has been notified of this specific concern by myself, in fact, and they have not offered to remediate). Regardless, at the Device Instance level, for such services that you do not fully trust, you would simply not select (and therefore, not grant access to) any particularly critical devices such as your Locks or Cameras.

What (else) can be done?

The above section is the baseline starting point for considering the risk of each Third-Party Service. In other words, they have no more access than you grant them, but once granted specific access with fairly broad granularity, you have little choice but to trust each such Service.

Large companies such as Amazon (and IFTTT?) are inherently highly trustworthy (at least as far as their intentions are concerned, and to the extent that they follow their published security and privacy policies). If your Amazon Account uses a weak password (your fault) or if it is compromised by hackers (their fault), then, indeed, the access methods and/or access credentials only to the particular authorized Web Services SmartApp are potentially compromised. Perhaps a reasonable, but loose, analogy here is if you use of the same login and password on multiple banking websites; or slightly more accurately, if you choose use your Facebook or Google+ OAuth credentials to login to various websites … a fairly common practice. Just like in the latter case, you can revoke access to those extra websites by using the application security settings inside Facebook and Google (etc.) – just as you can uninstall any Web Services SmartApp for any particular Third-Party service at any time and thus immediately disable it’s access – i.e., your SmartThings account user id (email) and password have never been shared with the Third-Party service.

To put this in perspective, over 5000 SmartThings Accounts have installed the Amazon Echo Web Service SmartApp, and over 10,000 have installed IFTTT. Perhaps many of these users have carefully avoided authorizing some Devices they consider critical (e.g., Locks); but I would not be surprised if many users have authorized every single one of their Devices. InitialState is a service that will store your event data “forever” for a fee, but you must put your trust in their privacy policy and security systems…

For Community and other small Developer based Third-Party services (SmartTiles, SmartRules, etc., etc.), there are far fewer installs, so far, and thus, hopefully less of a target for hackers; but, absolutely, these entities are less likely to have stringent security policies and architectures in place. Use of these services is, undeniably, at your own risk. As mentioned above, SmartThings may take a role here by accepting some of the associated Web Services SmartApps for review and publication, but they are never going to claim that the user faces “no significant unknown level of risk” from these services which are outside control of the SmartThings Cloud and Platform (subject only to the authorization granularity repeatedly mentioned).

So what about SmartTiles Specifically?

You mention this:

For SmartTiles versions currently released (i.e., below the unreleased Version 6), “we” actually have no access to your authorized Devices because we never, ever, store the generated “access token” (ref: http://docs.smartthings.com/en/latest/smartapp-web-services-developers-guide/tutorial-part2.html#appendix-just-the-urls-please). SmartTiles presents you with the URL for your Dashboard(s) and automatically includes the convenient URL based Access Token, should you choose the convenience of automatic login by book marking this full URL. That URL is never transmitted cleartext due to the use of HTTPS/SSL, but it is, indeed, not the most secure option, as it may be retrievable from your bookmarks, browser history, and certain types of proxies and server logs. If you remove the Access Token from the URL, then the SmartThings Platform will prompt you for your SmartThings Account Login and Password for the duration of the session (just like logging into the API/IDE or mobile App). Without an independent security audit, we cannot prove to you that we don’t store this token, but folks that have the Version 5.x source code can verify whether this token is transmitted anywhere at anytime (it’s not, really!).

The relevant SmartTiles.click FAQ for the above paragraph is at this URL: www.smarttiles.click/info/security

As for future versions of SmartTiles…; well, it is too soon for too many details, and may never reveal everything…

We will publish a data privacy and security policy at least as required per applicable legal jurisdiction. This policy will also, necessarily, explicitly disclaim our liability except as legally prohibited, of course. In other words, it will pretty much match SmartThings’s own policy, and for all intents it actually should be the same!

We are moving to more service-oriented architecture where the Web Services Access Token and certain device event history data and control paths, etc., will inevitably be stored outside of the SmartThings Cloud and on SmartTiles own or leased Clouds. Because the design is not finalized, and pending internal decisions, we may never reveal the particular cloud vendor(s) used. The one(s) under consideration are very prominent and have very well reputed security architectures in place, including strong end-to-end encryption of all data, and multiple user authentication options (i.e., you can authenticate using your Google or GitHub login, for example, if you wish to avoid creating yet another login and password to maintain – by this method, we receive a revocable authentication token, and never an actual login id and password).

For the case that a non-isolated security breach is suspected or detected, we are planning to maintain the ability to instantly revoke access to the Web Services SmartApp for all users. This is a bit of a nuclear option as it would fully disable all Dashboard installations indefinitely, but this is an example of the type of security precaution that is considered important to restrict and instantly arrest the damage that could be caused in extreme scenarios.

Finally, just like SmartThings themselves and all vendors and services that hold critical data and provide a path to access or control your Devices, at some point in time and periodically thereafter, SmartTiles can submit the platform for independent audit (i.e., full review of the platform, cloud vendor choices, source code, etc., under non-disclosure agreement), with the results published after remediation. Between audits, “white hat” hackers will be encouraged to gently probe the platform for vulnerabilities on a “black-box” basis.

The process described in preceding paragraph should really be industry standard for all the various “Third-Parties”; but I think it is reasonable for most people to “trust” external services with access to their SmartThings Devices even without this most stringent level of audit / verification. If, in your words, you “can think of no greater threat than granting access to third parties”, then you may decide, for yourself, on a case by case basis, which, if any, third-party services to use. On average, we expect SmartTiles to be more trustworthy than others, but we can’t be expected to expend significantly more effort than other typical and popular third-party services (i.e., IFTTT, etc., etc.) to prove this to you.

Thank you. That is perhaps the most in depth response to a query that I’ve ever seen in my life. Bravo!

It seems, at the end of the day, that it all boils down to risk mitigation.

• Larger organizations like Amazon or IFTTT are indeed bigger targets, but I believe that generally we assume they have more sophisticated defenses due to greater resources and theoretically deeper knowledge pools.

• Those bigger companies might also have internal protections in place to help guard against rogue personnel. From hiring practices to audit trails, etc.

Generally speaking the threat of a widescale breach is probably the biggest thing holding back the home automation space. I mean, if they hack my bank account all they can get is money. But if they can compromise my home, they could hurt my family and I in ways that are unthinkable.

The counter argument of course is that if you even have one window in your house, security is an illusion to start with.

Again, thanks for the reply.

Cheers,

John P.

My pleasure, John!

SmartTiles wants to be considered as trustworthy as practical, and are unfortunately constrained by the limitations of the SmartThings platform. This Topic is an opportunity for other third-party service projects to share their strategies in this regard as well.

Risk mitigation is definitely the focus; “risk”, however, is often highly subjective or poorly enumerated, and yet it is a personal favorite subject.

I would counter that very small companies (~5 employees?) have an inherent advantage over large ones in this regard. I’ve worked for very large Banks, and you’d be surprised (or not surprised?) at how lax security can be on a department by department basis, or how easily a vulnerability can remain unnoticed (and exploited) just due to the problem of managing across scale of thousands of systems and employees. There are statistics that indicate inside-jobs are the greatest cyber-security risk; fewer employees minimize this risk, to a point.

Exploring sentiments like the above are perhaps beyond the scope of this particular Topic, but are of specific interest to me (once again…). I’ve read and heard IoT and Smart Home speakers who give random examples of both real and theoretical vulnerabilities, but I have somewhat ambivalent feelings regarding the “danger level” of the scenarios.

The thought of having my home burglarized is, indeed, unthinkable, yet not enough for me to put in place extraordinary measures. Basic locks and a few sensors, slowly improving monitoring, and following good habits with respect to lighting / occupancy … and insurance. I honestly don’t fear electronic hacking of my door locks any more than physical force or bump-keys. I don’t have cameras in any particularly private areas of my home, so don’t fear them being hacked either (though I’d prefer not, of course – and if they were baby monitors instead of just doggie cams, I would have second thoughts).

A few of my neighbors have claimed that their cars have been unlocked without force by the use of some sort of radio frequency amplifiers for the key-fobs. Well – I’ve had a few break-ins and content thefts via smashed windows and jimmy locks, that the incremental danger from this mysterious technology is meaningless. Actually, I’d much prefer the lack of broken glass… Perhaps I should just keep my doors unlocked.

The emotional and financial impact of a “widescale breach” probably will not sink in until such events have occurred. Frankly, SmartThings is still too likely to have large and long outage, even without a malicious player. And such an outage is significantly inconvenient – more and more so as my home becomes “smarter”.

A scenario in which everyone’s thermostat is disabled via a hack or denial of service attack, during a deep winter freeze is … just a theory, right? There’s no financial incentive for such a hack, though that doesn’t discount the possibility of just cyber mischief / vandalism as a motive. And the best way to counter this specific example is for thermostat manufacturers to ensure fully offline and manual override can never be disabled. This absolves SmartThings and “third-parties” of this, specific scenario risk.

So … I’d say it is not just risk mitigation it is also risk perspective. There are a significant number of consumers who will never consider using SmartThings at all due to its use and dependence on the Cloud. I can’t count the number of comments on new smart lock announcements that say “stupid product – why would anyone want to put their lock on the internet where it can be hacked?”. That’s such an extreme and pedantic point, but it is frustratingly common.

And then there are others who don’t give it a second thought, including when they authorize a half dozen third-party services to their SmartThings or other connected Things (more and more are going to enter the marketplace!).

Logically we know that the prudent position is somewhere in-between; but the balance is subject to the individual. In either case, we have to have faith in the service providers, and, unfortunately, in the financial industry most commonly, this faith has been shattered repeatedly. The deeper emotional link between cyber-security with home-security as a result of connected / smart home products, may by the catalyst to security awareness and improvements across industries and consumers.

Continuing discussion from:

I understand that the ToU indemnify SmartThings from any damages resulting from the use of third-party apps and services. However it’s no different than Apple AppsStore ToU in this regard. The review process constitutes due diligence and gives me as a customer peace of mind that the third-party app meet SmartThings publication criteria and is free from malicious code.

Therefore I would not recommend using unpublished, closed-source SmartApps to anyone.

I’d love to give you a piece of my mind, Geko ! …

It is absolutely true that SmartTiles would benefit from the “peace of mind” we could offer our users as a result of the review and publication process. It still is our goal. The process currently has many kinks to iron out, however, and sure looks like a net-negative to many Developers. SmartThings is just not sufficiently responsive to Developer’s needs at this time.

Therefore, if I can give my users reasonable assurances, or even audit by a third-party security firm, these may be strategically sound alternative options.

Once again, it’s not about you personally or SmartTiles specifically. My issue is with a particular loophole in SmartTings framework that allows installing unpublished, closed-source third-party SmartApps via OAuth flow. SmartThings, as a business, has responsibility to protect their customers from any possibility of abuse, not just protecting themselves from liability.

P.S.
I, for one, was a big fan of SmartTiles, but since it’s gone closed source, I’ve removed it. Not because I don’t trust you or Alex, but on principle. I understand your and Alex’ desire to protect your intellectual property and eventually monetize it, however I’m not willing to trade security for convenience.

Understood. May I redirect that discussion to a recent Topic with a more diverse audience… ie. to:

I participated in that discussion quite actively, but as I’ve expected, nothing of substance came out of it.

Peace of mind is definitely a good reason…I would want it. And what gives someone that peace of mind? Its the fact that you trust SmartThings, more soever because it is a Samsung entity now. You know that they will scrutinize the submitted code and ensure there are no security issues etc.

However, if someone like SmartTiles is using some of the existing loop holes to provide users to install apps, then that is a choice that the users have to make. Do the users trust SmartTiles? Is there is risk? Definitely! But is the risk worth taking? In my opinion YES! Because I do not want to miss out on SmartTiles. SmartThings does not provide that feature to me at this point in time. In someone else’s opinion may be its not worth it. It is possible that over period of time people may start trusting SmartTiles more as their reputation gets better and better, especially if they are transparent about the security measures being taken. So one can wait for SmartThings to come up with an awesome easy to use dashboard, or I can take a calculated risk and opt for SmartTiles.

Is there a guarantee that an app submitted through SmartThings will be absolutely safe? Heck, is there is guarantee that SmartThings Platform itself is completely safe? The answer is NO! But we all know that they follow the best practices in terms of security and will ensure there are no breaches. As a provider, if SmartTiles can demonstrate the same then that should give me almost the same peace of mind.

I do see the risk that if other players start exploiting this loop hole more and more, and if this loop hole is misused, then that can be a total disaster. SmartThings already have it clearly stated in their terms of agreement that they are not responsible for any breaches that occur due to third party applications.

Bottom Line: Until SmartThings comes with a way to motivate the developers to create and submit amazing apps like SmartTiles, they should keep the loop hole open in order to allow those possibilities, while the decision and risk is totally on the end user and ST has no liability.

Security is always a personal choice. Some people chose not to wear seatbelt, some don’t lock their front door and some keep their key under the doormat. Many still use “secret” as their password. No-one can stop them from doing that and most of them will actually never suffer from any negative consequences. However, there’s a law of probabilities and statistically, some of them will eventually become victims of their own negligence.

Statistically, the number of users compromised due to negligence are lot lesser than the number of users whose security was compromised on “trusted” platforms and providers - Ex: Target.

And choosing SmartTiles is not negligence. It is a calculated risk, like I mentioned earlier. If SmartTiles can show me that the same security measures are being taken, then I will consider that and make a decision accordingly. Choosing SmartThings or any other automation platform is a calculated risk. What have you taken into consideration while “calculating” the risk? Reputation? Competence? Customer Base? Everyone has a different way of assessing it.

But if Mr, Kambooza comes from nowhere tomorrow and offers a link to install a smart app that turns your light ON with motion…and I decide to go for it…then that is negligence. Credibility is really important and SmartTiles is doing everything that they should, to establish that.

It’s kind of funny that you are raising security vulnerabilities in HA, when most of us are using zigbee freely.

I’m not aware of any official statistics to back up your assertion. However, as in any situation, there’re forces beyond your control and there’re decisions that you make yourself. I, personally, value security over convenience. Your criteria are obviously different. That’s fine by me and I’m not here to change your mind.

However, objectively, there’s a least one security vulnerability related to SmartThings access token management I’m aware of, that makes me uncomfortable using SmartThings web services apps.

Another issue that I have with installing SmartApps from someone else’s account (which is the case with SmartTiles and similar “unofficial” apps) is that I have no control over security of that account. I may have a very strong password on my own account, by if the other account is hacked, a malicious app can be installed and distributed to thousands users instantly. How’s that for a calculated risk?

I’m sure, new vulnerabilities are discrovered all the time. Absolute security is a myth. It’s a matter of minimizing your exposure to those vulnerabilities. There’s also difference in threat level between somebody hacking your Hue bridge and somebody hacking your SmartThings account connected to your door lock, garage door and security system.

Check this example that I was referring to earlier Target: 40 million credit cards compromised
I would like someone to prove that 40 million Target customers were compromised merely due to negligence (poor passwords on Target Debit accounts etc). This can very well happen with SmartThings for all we know.

Do you have control over the admin accounts within SmartThings? Do you know whether they are using the same level of password strength that you personally would like to use? How do you know how many people within SmartThings can access your account? What if one of them happens to be your neighbor and he hates that the leaves from your tree messes up his yard .

I guess this debate can go on. But I would say this: I think SmartThings SHOULD close the security loop hole BUT… ONLY after they have means to provide developers other avenues for publishing apps with the flexibility of monetary gain for developers. Until then, it is up to the users to make a choice whether they should allow 3rd party apps to be installed on their accounts.

In my opinion if the standard security measures and best practices are applied when providing these 3rd party installation options, then I would consider the system would be as safe as SmartThings is today.

Today, you may be against apps like SmartTiles…but may be few days down the road, you may feel that SmartTiles is in fact taking all the steps to ensure security is not compromised. Or may be you will just wait till ST does something big (Like Hub V2 that solved all their issues ) …Like you said its a personal preference…so lets leave it there.

When I first installed SmartThings a couple of years ago, I hoped it would help to keep tabs on our doors and locks. There were occasions when we would forget to close garage door or lock the front door when leaving home.

Did SmartThings make my home more secure? No. And yes!

I now have a good chance of unlocking the door remotely when needed. I can check the garage door (but God forbid me from controlling it). When the rain barrel is full, I get notifications more often than not.

My locks usually lock themselves, but on occasion they used to remain unlocked until morning when my phone decides to teleport to distant places in the middle of the night.

But the most security comes out of the fact that we are now so freaking conscious about our home, always!

SmartThings is a utility, as is SmartTiles. Are they secure? Somewhat… Depends… Are they convenient? Sometimes… Sure.

It’s up to each individual user to calculate the risk of using either. It’s always good to have options.

What I know for sure is that whenever support needs to access my account they have to request my permission and they do. If an employee gains an unauthorized access to my account with an objective to cause damage, it’s not only a cause for termination, it’s also a potential civil lawsuit against both the employee and the company. I’m sure a multinational corporation like Samsung is mindful of that and has all necessary HR policies in place and I certainly trust that SmartThings takes my privacy seriously.

Sure! Just that it may be very difficult or rather impossible to prove it. But anyways…the point being, everything is possible… SmartThings or SmartTiles. Yes, SmartThings would be a more trustworthy source for obvious reasons…but at the same time we cannot belittle efforts from others who want to be at the same level. Remember that ST was also a kickstarter company to start with…but people trusted them at the time and today it is a Samsung company. Perhaps SmartTiles may later be acquired by Dundas … you never know

Why would you assume that SmartThings is more trustworthy in this regard than it is in even much more simple process (what is QA?), crisis management and engineering?

I’m not trying to belittle anyone’s effort. As I said several times, I have great respect and admiration for Alex, and everyone else who spend their time writing SmartApps and receive little or no reward. My point however, is that SmartThings is no longer a star-up and has a customer base exceeding 100,000 users and spanning two continents. I believe that it’s time to insist that they take appropriate measures to patch known security holes even if it may cause temporary “inconvenience” for some users.

Because lawyers don’t care about software bugs. They do care however about potential class action lawsuits.