I was doing some research on how to back up smart home hub configurations (spoiler alert: you generally can’t) when I had a startling revelation. Several of the devices in my home were actively sending data to Samsung’s SmartThings servers. Why was that startling? I removed my SmartThings hub nearly a year ago and currently use a Wink hub.
I found this out by signing in to the SmartThings’ site, where I have a developers account; that shows me the IDE, or integrated development environment, to add device handlers. Without a developer account, you won’t see the same information that I see.
My first inclination was to blame Samsung, which I suspect would be a common reaction among smart home owners in the same situation. But no, this data breach was one of my own doing: After thinking it through, I realized I never removed all of the connected devices in my home from the SmartThings hub before switching back to Wink.
I should know better of course. Regardless, this was an eye-opening experience that was worth sharing, even if it makes me look rightfully foolish.
To be clear, not all of my devices were sending information back to Samsung. Those that use Wi-Fi had an “Active” status and a few Zwave devices showing as “Online” were still reaching out across the web to share their data. That data included the device’s MAC and IP addresses, current state (such as on or off), and other information.
However, all of my smart home’s devices appeared on the SmartThings server, since I never removed them from the hub, and even those that were no longer listed as “Active” showed data from their last online state. Yes, I can tell you that on March 26, 2018 at 5:07pm, the temperature in my house was 68 degrees while the humidity was 33 percent.
Even without a SmartThings hub in my house currently, I was able to use the SmartThings app to control the still active devices. I added the app back to my phone in preparation to delete all of my devices when I found this out. It makes sense though: These devices are still able to communicate with the SmartThings server and the app simply pings that server to send the command.
To resolve the problem, I actually used two methods just for testing purposes. Removing devices in the SmartThings app certainly works but I was also able to remove them through the SmartThings web portal. Although it’s unlikely you’ll ever be in the same situation – because you’re smarter than me! – either approach will work.
The obvious moral to the story here is when switching or replacing smart home hubs, do it properly and manually remove all of your current devices before connecting them to your new hub. We have enough true privacy and data concerns in the smart home that we don’t need to create our own.