YouTube video "proving" SmartThings is insecure... complete BS


#1

You guys gotta watch this. This video made me SO mad. Saying that this guy “easily hacked” SmartThings when all he did was write a malicious SmartApp… It’s not on the marketplace and if it were released to the community it would get torn apart. So the only way it would affect anyone is if he sent the code directly to SmartThings users.

Hey guys, I wrote a cool Android app that steals your phone’s PIN… But it’s not in the app store and the only way you can install it is if you use the developer tools to upload it and install it. This proves that Android phones are easily hackable and insecure.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #2

This is why we can’t have nice things.

##News Flash!

  • quad-copters (drones) can gouge people’s eyes out if you fly them into people.
  • horseless carriages are 1000x more likely to injure passengers and pedestrians than the ones pulled by horses.
  • free WiFi or just using any email service makes you vulnerable to spoofers and identity theft.

Doh! :confounded:


(Ray) #3

It’s BS, but at the same time I consider it a warning about using unknown SmartApps, which most of us on here install without blinking an eye.


#4

True, but I still feel pretty safe. I only use Rule Machine and native routines for all of my automations and I don’t have any smart door locks, alarms or anything like that, so I’m not worried about it. And I only use popular community apps anyway, for which I feel pretty confident that something like that would come up in the forums. People would notice. This is more of a caution: don’t jump on using a random unpopular SmartApp in the forums.


#5

I think the warning is valid in that some people don’t come to the forums much but they do Google and find various things on GitHub. It would be all too easy to release malware. Right now, the only thing that’s probably limiting that is that the customer base is so small. It’s not a very tempting target. But once it’s available on Samsung TVs, assuming custom code is still allowed, that will all change.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #6

While controversial, I believe that SmartThings should not allow “everyone” by default to have Developer access to their Accounts.

At the very least, Customers should have to fill out a request and disclaimer form that makes them explicitly aware and responsible for the risks.


(Fast, Good, Cheap...pick two.) #7

This is nothing more than to stroke someone’s ego that it can be done.

I think it’s common sense: if you can write code to make something good, then likewise for something bad.

Technically, anything connected to the internet can be hacked, just like any house with a door or window can be breached.


(Ray) #8

Definitely true, but at the same time, leaving your doors and windows open at night is an invitation for trouble. The battery apps before this one got ST’s attention and made a few changes to a few things. The last thing we want is a real hack caused by ST. I know my spending on HA will be next to nothing if my low-tech wife thinks it’s not safe.


#9

The thing about this video that bothered me and my reason behind the post isn’t that I think SmartThings is bulletproof, or that it’s not insecure. It may very well be, and most likely is. As other people have said… anything can be hacked, and I agree with that 100%. Which is one of the reasons I’ve held off on getting a smart lock or smart garage door opener. Everything I have so far, even if it were completely hacked, the worst they could do is mess with my lights, or know when I’m home (which isn’t much of a feat anyways).

The part that bothered me was that the video will shy people away from using SmartThings. It puts it down and makes it sound like you should either go with a different system, or wait. It just bugs me when people don’t do their research or consult with other people. If they had noted in the video that in order for this hack to work, you must download his custom code and publish it manually to your SmartThings system, then I wouldn’t have been nearly as bothered.

The majority of SmartThings users probably don’t use the IDE and probably don’t load up custom code and the stock routines and market apps probably work just fine for them.

In my opinion, they made this so-called “hack” seem like it’s some huge deal killer for SmartThings.


(I got a hair cut from Alexa) #10

If you let a stranger into your house and give him access to the back side of your digital lock, he can change the code. If you give someone your user ID and password to SmartThings they can get in and change your house lock, and turn on lights. If you give someone the keys to your car they can drive away with it. If you give someone your Facebook password they can post stuff pretending to be you. If you give someone your Google password they can totally ruin your world.


#11

With that logic… if you give someone your mother’s maiden name, the last 4 of your social, the street you grew up on and your dog’s name growing up… you’re utterly screwed. No passwords needed, just reset them all. And most of that information isn’t hard to get with a little social engineering.


(Ray) #12

The people that watched this video and shy away from ST are the same people who should stay away from ST, in my opinion. ST is not a plug & play type of system yet, so having these types of folks will be nothing but pain for both sides. On the other side, maybe they should be on ST for more platform stability improvement from ST due to overload and complaints.