SmartThings Vulnerability Disclosure

  • Points per vulnerability
  • Managed by Bugcrowd

Program stats

12 vulnerabilities rewarded

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

SmartThings lets you easily monitor, control, and secure your home from anywhere in the world.


This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Targets

In scope

Target name                                  Type
SmartThings Hub                              IoT
SmartThings Mobile Application for iOS       iOS
SmartThings Mobile Application for Android   Android
SmartThings REST APIs                        API
SmartThings Graph Console                    Website

Any domain/property of SmartThings not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Target Information

Access

Researchers are encouraged to self-provision accounts and/or use any devices they currently own for testing. When registering, for identification purposes, please use your @bugcrowdninja.com email address. For more information on @bugcrowdninja.com email addresses, see Bugcrowd's researcher documentation.

Target Features

  • Connect wirelessly with a wide range of smart devices and make them work together.
  • Monitor and control connected devices in your home using a single SmartThings app for iPhone or Android.
  • Receive alerts from connected devices when there’s activity in your home.
  • Automate connected devices in your home and set them to turn on or off when doors are opened, as people come and go, and much more.
  • Manage connected devices in your home with SmartThings Routines for Good Morning, Goodbye, Good Night, and more.
  • Control connected devices in your home with voice commands using SmartThings and Amazon Alexa or Google Home.
  • Requires an internet-connected Wi-Fi router with an available Ethernet port, SmartThings hub with connecting devices, plus the free SmartThings app for Android (4.1 or later) or iPhone (iOS 9.0 or later).

Web Interface:

  • https://graph.api.smartthings.com/

REST APIs:

  • https://*.api.smartthings.com/
  • https://account.smartthings.com/

Documentation:

  • https://smartthings.developer.samsung.com/
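The target lists above (two exact hosts plus the https://*.api.smartthings.com/ wildcard, with every unlisted domain and subdomain out of scope) are what a researcher loads into tooling before sending a single request. The following is an added example, not code from the program, Bugcrowd or SmartThings, showing a small scope classifier that applies the page's rules to candidate URLs and handles the cases that commonly go wrong: whether a wildcard covers its own apex host (the page does not say, so the example reports api.smartthings.com as "ambiguous" instead of guessing), a credentials-in-URL trick that makes an out-of-scope host look in scope, and non-https schemes. The hosts auth.api.smartthings.com, evil-api.smartthings.com and evil.example in the sample list are constructed for the example and do not appear on the page.

```python
from urllib.parse import urlsplit

# Targets transcribed from the program page. Only the host matters for scope.
EXACT_HOSTS = {
    "graph.api.smartthings.com",   # SmartThings Graph Console
    "account.smartthings.com",     # listed under REST APIs
}
# https://*.api.smartthings.com/ -> any host ending in this suffix.
WILDCARD_SUFFIXES = (".api.smartthings.com",)


def classify(url: str) -> str:
    """Return 'in-scope', 'out-of-scope' or 'ambiguous' for a candidate URL.

    Assumptions made by this example (the page does not spell them out):
    - a wildcard '*.' must match at least one label, so the apex host
      (api.smartthings.com) is reported as 'ambiguous', to be confirmed
      with the program rather than assumed either way;
    - only https counts, since every listed target is an https URL.
    """
    # Bare hostnames get a scheme so urlsplit() parses them as a netloc.
    parts = urlsplit(url if "://" in url else "https://" + url)
    # .hostname drops userinfo and port, so
    # https://graph.api.smartthings.com@evil.example/ resolves to evil.example.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or parts.scheme != "https":
        return "out-of-scope"
    if host in EXACT_HOSTS:
        return "in-scope"
    for suffix in WILDCARD_SUFFIXES:
        if host.endswith(suffix):   # the leading '.' rejects evil-api.smartthings.com
            return "in-scope"
        if host == suffix[1:]:      # the wildcard's own apex
            return "ambiguous"
    return "out-of-scope"


def summarize(urls):
    """Group candidate URLs by scope verdict."""
    groups = {"in-scope": [], "ambiguous": [], "out-of-scope": []}
    for url in urls:
        groups[classify(url)].append(url)
    return groups


# Constructed sample list: the program's own hosts plus hosts made up for
# the example (auth.api.smartthings.com, evil-api.smartthings.com and
# evil.example do not come from the page).
SAMPLE_URLS = [
    "https://graph.api.smartthings.com/ide/apps",
    "https://account.smartthings.com/login",
    "https://auth.api.smartthings.com/oauth/token",
    "https://api.smartthings.com/v1/devices",
    "https://smartthings.com/",
    "https://evil-api.smartthings.com/",
    "https://graph.api.smartthings.com@evil.example/",
    "http://graph.api.smartthings.com/",
]

if __name__ == "__main__":
    for verdict, urls in summarize(SAMPLE_URLS).items():
        for url in urls:
            print(f"{verdict:13} {url}")
```

The apex case is the one worth settling with the program before testing: under the page's wording the wildcard and the "anything not listed is out of scope" sentence can be read either way, and a request to api.smartthings.com that turns out to be out of scope is a rules violation, not a finding.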

In-Scope

  • All OWASP Top 10 issues pertaining to web and mobile applications
  • Primarily:
    • Non-Self XSS (Self-XSS is out of scope)
    • All Injection flaws
    • Authentication and authorization flaws
    • Remote exploitation of the hub, including code execution bugs, overflows, command injection, and gaining console/root access. (Weaknesses and security issues in the ZigBee or other wireless protocols themselves are out of scope.)
    • Sensitive information leakage: OAuth tokens, PII, secrets
    • Remote or local bugs in the tester's own environment (hub, mobile app, sensors, and communication to/from these devices) that would allow exploitation of other customers' data or environments
    • All supporting SmartThings REST APIs (*.api.smartthings.com) used by the mobile apps
    • Malicious file uploads with an exploit PoC
    • Third-party libraries used by SmartThings

Out-of-Scope

  • TLS-related configuration flaws
  • Username / email enumeration
  • Issues related to password complexity
  • DoS/DDoS. Do not flood the cloud API servers with large payloads.
  • Clickjacking
  • OAuth token expiration and scope
  • API rate limiting
  • Low or informational risk findings
  • Password policies (strength, lockout, expiration etc.)
  • Leakage of non-secret data, such as unique identifiers, via GET requests is out of scope. Secret data such as passwords and access tokens is in scope.

DISCLAIMER

  • All vulnerabilities should be reported with a non-malicious exploit/proof of concept so that the impact of the issue can be determined. While doing so, please limit data exposure to a maximum of 5 accounts/queries, as applicable.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.