Veracode audits SmartThings


(Kristopher Kubicki) #1

Results OK

https://securityledger.com/2015/04/research-iot-hubs-expose-connected-homes-to-hackers/

Whitepaper:


#2

Network World says SmartThings did the best of those tested. Basically if you have cloud control of individual devices, you have a security vulnerability, just a fact. But it would take a dedicated personalized attack to hack ST that way.


(F5snopro) #3

1. Account Compromise
Access to a user’s account would provide an attacker with the ability to view and manipulate
all of the products and services paired with the Hub. This may include light/power switches,
door sensors, and more.

Uh, duh… Glad ST came out strong.


#4

We might also note, though, that Staples Connect wasn’t included in the comparison tests because it has no cloud controls, not even an IFTTT channel.

And the audit didn’t evaluate SmartThings’ IFTTT channel, which I suspect adds back in some of the vulnerabilities mentioned.

As always, pluses for one person are minuses for another. It depends on your own priorities.


(DLee) #5

Anyone figure out the password to telnet into our hubs? 🙂


(Mike) #6

I found this interesting: http://www.theregister.co.uk/2015/04/08/your_home_automation_things_are_a_security_nightmare/

SmartThings did the best by only failing a telnet test, though there aren’t many details about the test parameters.


#7

Very interesting–people have been talking about it all day. There are already two forum topics on this study, one with links to the full study.

http://community.smartthings.com/t/some-news-on-security-in-iot/13998

Or try this one if you’re a new forum member.


(Christopher Masiello) #8

Well, it’s good to know that I have/had every single one of these risky devices in my home. Yikes!


(Mike) #9

@JDRoberts I get an access error trying to get to the link you posted. I guess there are private parts of the forum?


#10

My bad, that category isn’t open to new members. @april has kindly moved us to an open-to-all topic, so read from the start of this one. Sorry for the confusion!


(April Wong) #11

Hey! @zj4x4, you’re right, it is. The SmartLounge is for very active members, and it seems the topic is posted in there. The system automatically bumps you if you’re active.

Cheers.

–

http://www.cio.com/article/2906954/researchers-show-that-iot-devices-are-not-designed-with-security-in-mind.html

Just merged some topics together.


(Mike) #13

Thanks @April. Am I considered a new member after being here for almost 18 months?


(April Wong) #14

You’re not considered a new member, but due to post count and participation, the system itself bumps people into tiers. Generally speaking, stuff gets posted maybe once a month in the lounge, and there isn’t much you’re missing. The last topic prior to the link on Veracode is that Gary was on vacation and wanted an update on what he missed the last few weeks. Trust me. You’re not missing much.


(Darryl) #15

I had access for a while, I can confirm, nothing to see there, move along…