SmartThings Platform Security
Protecting our customers’ privacy and data security is fundamental to everything we do at SmartThings. We regularly perform security checks of our system and engage with professional third-party security experts, embracing their research so that we can continue to stay in front of any potential vulnerabilities and be industry leaders when it comes to the security of our platform.
A research report entitled “Security Analysis of Emerging Smart Home Applications” was released this morning by a team from the University of Michigan and Microsoft Research. The report discloses hypothetical vulnerabilities in the SmartThings platform and demonstrates how, under certain circumstances, they could be exploited. Over the past several weeks, we have been working with this research team and have already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report. It is important to note that none of the vulnerabilities described have affected any of our customers thanks to the SmartApp approval processes that we have in place.
Even though current customers have not been impacted, we take the recommendations of Mr. Fernandes, Dr. Jung, and Dr. Prakash seriously and are grateful for all opportunities to continue to improve the security of our platform.
As the co-founder / co-developer of the SmartTiles web client (http://SmartTiles.click), one of the top Community-developed SmartApps measured by both installed users and praise, we take security very seriously. Our current version sacrifices some degree of security in order to provide conveniences to our users; but we have publicly documented and discussed these choices and self-mitigation options for users. We have also built fundamental security improvements and features that go above and beyond the granularity of SmartThings into our V6 platform, which is getting closer and closer to public release.
I can assure readers that SmartThings has been expedient and cooperative with us as we have discovered and securely reported a few risks in the platform in the past few months, and are committed to industry standard escalation protocols. Also, our SmartApp code has been reviewed by SmartThings’s engineers and they work closely with us to assess and provide mitigation recommendations for the risks inherent in the way we designed our app, as well as any vulnerabilities solely due to limitations inherent to their product/platform.
No company has perfect transparency or response with respect to security issues, particularly since the publicity / exposure of discovered vulnerabilities obviously increases the risk until mitigation is in place, and even sets the company up for more strenuous attack attempts; not just impact on their reputation. In our opinion, SmartThings may have been below industry average in some past cases. We have first-hand experience of their commitment and continuous improvement in this area, however, and we are confident that they are now within the tier of “industry leaders” that Alex Hawkinson refers to.
Security risk is *always* relative. A home with a smart lock is still much more vulnerable to a break-in via a window or bump-key than a hack — not to mention that having intruder alerts facilitated by SmartThings mitigates the impact of the latter two entry methods (since most burglaries are conducted via low-level criminals not hacking experts), giving Customers a significant net security *benefit*, regardless of any newly discovered or unresolved attack vectors.