SmartThings Vulnerability Disclosure
- Points per vulnerability
SmartThings lets you easily monitor, control, and secure your home from anywhere in the world.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
This program only awards points for VRT based submissions.
Targets
In scope
| Target name | Type | Tags |
|---|---|---|
SmartThings Hub
|
IoT | |
SmartThings Mobile Application for iOS
|
iOS | |
SmartThings Mobile Application for Android
|
Android | |
SmartThings Rest APIs
|
API Testing | |
SmartThings Graph Console
|
Website Testing |
Any domain/property of SmartThings not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Target Information
Access
Researchers are encouraged to self provision accounts and/or use any devices they currently own for testing. When registering, for identification purposes, please use your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.
Target Features
- Connect wirelessly with a wide range of smart devices and make them work together.
- Monitor and control connected devices in your home using a single SmartThings app for iPhone or Android.
- Receive alerts from connected devices when there’s activity in your home.
- Automate connected devices in your home and set them to turn on or off when doors are opened, as people come and go, and much more.
- Manage connected devices in your home with SmartThings Routines for Good Morning, Goodbye, Good Night, and more.
- Control connected devices in your home with voice commands using SmartThings and Amazon Alexa or Google Home.
- Requires an internet-connected Wi-Fi router with an available Ethernet port, SmartThings hub with connecting devices, plus the free SmartThings app for Android (4.1 or later) or iPhone (iOS 9.0 or later).
Mobile Downloads:
Web Interface:
- https://graph.api.smartthings.com/
REST APIs:
- https://*.api.smartthings.com/
- https://account.smartthings.com/
Documentation:
- https://smartthings.developer.samsung.com/
In-Scope
- All OWASP Top 10 issues pertaining to web and mobile applications
- Primarily:
- Non-Self XSS (Self-XSS is out of scope)
- All Injection flaws
- Authentication and authorization flaws
- Remote exploitation of the hub including code execution bugs, overflows, command injection, gaining console/root access etc. (Weakness and security issues in ZigBee/wireless protocol itself is out-of-scope.)
- Sensitive information leakage - oAuth tokens, PII, secrets
- Remote or local bugs exploiting the tester’s own environment (Hub, Mobile App, Sensors and communication to/from these devices) that would allow exploitation of OTHER customer’s data or environment
- All Supporting SmartThings REST APIs (*.api.smartthings.com) used by the mobile apps
- Malicious File Uploads with an exploit PoC
- Third-party libraries used by SmartThings
Out-of-Scope
- TLS related configuration flaws
- Username / email enumeration
- Issues related to password complexity
- DoS/DDoS. Do not flood the cloud API servers with large payloads.
- Clickjacking
- oAuth expiration, scope
- API Rate Limitations
- Low or informational risk findings
- Password policies (strength, lockout, expiration etc.)
- Leakage of non-secret data like unique identifiers via GET requests is out of scope. Secret data like passwords, access tokens are in scope
DISCLAIMER
- All the vulnerabilities should be reported with a non-malicious exploit/Proof of Concept to determine the impact of the issue. While doing so, please limit the data exposure to a maximum of 5 accounts/queries as applicable.
Program rules
This program follows Bugcrowd’s standard disclosure terms.