Any domain/property of SmartThings not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Target Information

Access

Researchers are encouraged to self provision accounts and/or use any devices they currently own for testing. When registering, for identification purposes, please use your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

Target Features

• Connect wirelessly with a wide range of smart devices and make them work together.
• Monitor and control connected devices in your home using a single SmartThings app for iPhone or Android.
• Receive alerts from connected devices when there’s activity in your home.
• Automate connected devices in your home and set them to turn on or off when doors are opened, as people come and go, and much more.
• Manage connected devices in your home with SmartThings Routines for Good Morning, Goodbye, Good Night, and more.
• Control connected devices in your home with voice commands using SmartThings and Amazon Alexa or Google Home.
• Requires an internet-connected Wi-Fi router with an available Ethernet port, SmartThings hub with connecting devices, plus the free SmartThings app for Android (4.1 or later) or iPhone (iOS 9.0 or later).

Mobile Downloads:

• Android: Here
• iOS: Here

Web Interface:

• https://graph.api.smartthings.com/

REST APIs:

• https://*.api.smartthings.com/
• https://account.smartthings.com/

Documentation:

• https://smartthings.developer.samsung.com/

In-Scope

• All OWASP Top 10 issues pertaining to web and mobile applications
• Primarily:
  • Non-Self XSS (Self-XSS is out of scope)
  • All Injection flaws
  • Authentication and authorization flaws
  • Remote exploitation of the hub including code execution bugs, overflows, command injection, gaining console/root access etc. (Weakness and security issues in ZigBee/wireless protocol itself is out-of-scope.)
  • Sensitive information leakage - oAuth tokens, PII, secrets
  • Remote or local bugs exploiting the tester’s own environment (Hub, Mobile App, Sensors and communication to/from these devices) that would allow exploitation of OTHER customer’s data or environment
  • All Supporting SmartThings REST APIs (*.api.smartthings.com) used by the mobile apps
  • Malicious File Uploads with an exploit PoC
  • Third-party libraries used by SmartThings

Out-of-Scope

• TLS related configuration flaws
• Username / email enumeration
• Issues related to password complexity
• DoS/DDoS. Do not flood the cloud API servers with large payloads.
• Clickjacking
• oAuth expiration, scope
• API Rate Limitations
• Low or informational risk findings
• Password policies (strength, lockout, expiration etc.)
• Leakage of non-secret data like unique identifiers via GET requests is out of scope. Secret data like passwords, access tokens are in scope

DISCLAIMER

• All the vulnerabilities should be reported with a non-malicious exploit/Proof of Concept to determine the impact of the issue. While doing so, please limit the data exposure to a maximum of 5 accounts/queries as applicable.