SmartThings Vulnerability Disclosure
- Points per vulnerability
Program stats
16 vulnerabilities rewarded
Validation within
about 1 month
75% of submissions are accepted or rejected within
about 1 month
Latest hall of famers
Recently joined this program
Disclosure
Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
SmartThings lets you easily monitor, control, and secure your home from anywhere in the world.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
Targets
In scope
| Target name | Type |
|---|---|
SmartThings Hub
|
IoT |
SmartThings Mobile Application for iOS
|
iOS |
SmartThings Mobile Application for Android
|
Android |
SmartThings Rest APIs
|
API |
SmartThings Graph Console
|
Website |
Any domain/property of SmartThings not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Target Information
Access
Researchers are encouraged to self provision accounts and/or use any devices they currently own for testing. When registering, for identification purposes, please use your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.
Target Features
- Connect wirelessly with a wide range of smart devices and make them work together.
- Monitor and control connected devices in your home using a single SmartThings app for iPhone or Android.
- Receive alerts from connected devices when there’s activity in your home.
- Automate connected devices in your home and set them to turn on or off when doors are opened, as people come and go, and much more.
- Manage connected devices in your home with SmartThings Routines for Good Morning, Goodbye, Good Night, and more.
- Control connected devices in your home with voice commands using SmartThings and Amazon Alexa or Google Home.
- Requires an internet-connected Wi-Fi router with an available Ethernet port, SmartThings hub with connecting devices, plus the free SmartThings app for Android (4.1 or later) or iPhone (iOS 9.0 or later).
Mobile Downloads:
Web Interface:
- https://graph.api.smartthings.com/
REST APIs:
- https://*.api.smartthings.com/
- https://account.smartthings.com/
Documentation:
- https://smartthings.developer.samsung.com/
In-Scope
- All OWASP Top 10 issues pertaining to web and mobile applications
- Primarily:
- Non-Self XSS (Self-XSS is out of scope)
- All Injection flaws
- Authentication and authorization flaws
- Remote exploitation of the hub including code execution bugs, overflows, command injection, gaining console/root access etc. (Weakness and security issues in ZigBee/wireless protocol itself is out-of-scope.)
- Sensitive information leakage - oAuth tokens, PII, secrets
- Remote or local bugs exploiting the tester’s own environment (Hub, Mobile App, Sensors and communication to/from these devices) that would allow exploitation of OTHER customer’s data or environment
- All Supporting SmartThings REST APIs (*.api.smartthings.com) used by the mobile apps
- Malicious File Uploads with an exploit PoC
- Third-party libraries used by SmartThings
Out-of-Scope
- TLS related configuration flaws
- Username / email enumeration
- Issues related to password complexity
- DoS/DDoS. Do not flood the cloud API servers with large payloads.
- Clickjacking
- oAuth expiration, scope
- API Rate Limitations
- Low or informational risk findings
- Password policies (strength, lockout, expiration etc.)
- Leakage of non-secret data like unique identifiers via GET requests is out of scope. Secret data like passwords, access tokens are in scope
DISCLAIMER
- All the vulnerabilities should be reported with a non-malicious exploit/Proof of Concept to determine the impact of the issue. While doing so, please limit the data exposure to a maximum of 5 accounts/queries as applicable.
Program rules
This program follows Bugcrowd’s standard disclosure terms.