RSS Feed
« Nimbus Protocol Enumeration with Nmap | Main | JetLeak Vulnerability: Remote Leakage of Shared Buffers in Jetty Web Server [CVE-2015-2080] »

SmartThings SSL Certificate Validation Vulnerability

The Labs team at Gotham Digital Science recently conducted independent research into the SmartThings platform as part of an ongoing effort to identify security vulnerabilities in “Internet of Things” devices and assist vendors in the preparation of appropriate fixes.

During the course of this research, a vulnerability was discovered in the SmartThings Hub device that could allow attackers to intercept and modify communications between the Hub and the SmartThings backend servers.  This vulnerability has been patched by the vendor and updated firmware has been pushed to existing Hub devices.  GDS would like to thank SmartThings for their responsiveness and efforts in remediating this issue.


The communications between the SmartThings Hub and the SmartThings backend servers is encrypted with SSL. However, the SSL client implementation in use does not validate the authenticity of the SSL certificate presented by the server during the initial handshake. An attacker with the ability to monitor and intercept traffic can present a “forged” SSL certificate to the Hub claiming to be a legitimate backend server, which the Hub will accept as genuine. This makes it possible to perform a “man-in-the-middle” attack, whereby an attacker relays communications between client and server without their knowledge. In this scenario, the communications are available to the attacker in an unencrypted form and may be modified or disrupted, effectively defeating the protections offered by SSL encryption.

Secure and authenticated communications are vital to a platform such as SmartThings, which may be used as part of a home security system. As an example, the Hub transmits a data packet when a SmartSense Open/Closed Sensor opens. By simply not relaying this data packet, an attacker can prevent notification of this event from ever reaching the SmartThings backend servers, which in turn prevents notification being delivered to the end user.

A potential mitigating factor is the lack of WiFi communication used by the Hub, making traffic interception more difficult as it requires that an attacker be physically connected to the same network as the Hub or for interception to occur during transit over the Internet. However this does not offer complete protection, as several home networks make use of WiFi bridges or repeaters. An attacker may also have compromised another device residing on the network such as a router or personal media server that may be used to perform traffic interception.

Disclosure timeline:

11/10/14 - Initial report to vendor
11/11/14 - Report acknowledged
11/21/14 - Vulnerability confirmed
01/29/15 - Updated firmware rollout begins
03/04/15 - Public disclosure