I was doing some research on how to back up smart home hub configurations (spoiler alert: you generally can’t) when I had a startling revelation. Several of the devices in my home were actively sending data to Samsung’s SmartThings servers. Why was that startling? I removed my SmartThings hub nearly a year ago and currently use a Wink hub.
I found this out by signing in to the SmartThings site, where I have a developer account; that shows me the IDE, or integrated development environment, to add device handlers. Without a developer account, you won’t see the same information that I see.
My first inclination was to blame Samsung, which I suspect would be a common reaction among smart home owners in the same situation. But no, this data breach was one of my own doing: After thinking it through, I realized I never removed all of the connected devices in my home from the SmartThings hub before switching back to Wink.
I should know better of course. Regardless, this was an eye-opening experience that was worth sharing, even if it makes me look rightfully foolish.
To be clear, not all of my devices were sending information back to Samsung. Those that use Wi-Fi had an “Active” status and a few Z-Wave devices showing as “Online” were still reaching out across the web to share their data. That data included the device’s MAC and IP addresses, current state (such as on or off), and other information.
However, all of my smart home’s devices appeared on the SmartThings server, since I never removed them from the hub, and even those that were no longer listed as “Active” showed data from their last online state. Yes, I can tell you that on March 26, 2018 at 5:07pm, the temperature in my house was 68 degrees while the humidity was 33 percent.
Even without a SmartThings hub in my house currently, I was able to use the SmartThings app to control the still active devices. I added the app back to my phone in preparation to delete all of my devices when I found this out. It makes sense though: These devices are still able to communicate with the SmartThings server and the app simply pings that server to send the command.
To resolve the problem, I actually used two methods just for testing purposes. Removing devices in the SmartThings app certainly works but I was also able to remove them through the SmartThings web portal. Although it’s unlikely you’ll ever be in the same situation – because you’re smarter than me! – either approach will work.
The obvious moral to the story here is when switching or replacing smart home hubs, do it properly and manually remove all of your current devices before connecting them to your new hub. We have enough true privacy and data concerns in the smart home that we don’t need to create our own.
Hi Kevin. You don’t seem nearly as concerned as I am about this. I get how the Wi-Fi devices could continue to communicate to the Samsung service if you never disconnect them. While that’s not ideal and I’d prefer devices to have encrypted communication to only one “home base” at a time, I get it. The Z-Wave devices that were still able to communicate (through your Wink hub I presume?) to Samsung are far more concerning. How is that happening? It makes me think that if this is the case, Samsung could actually see the status of any device it happens to know the MAC address of, which could give it the IP address and who knows what else. Communication of the Z-Wave devices must not be encrypted and it doesn’t sound like the communication from your Wink Hub is either. I’d love to hear more as you dig into this. Would also like to hear recommendations on products that encrypt all data in motion. I kind of liked the idea of hubs as a means of keeping a local device network functioning regardless of internet communication, but might have been a bit naive in thinking it was also acting almost like a firewall.
I’m concerned but also confused as I try to understand how the non-WiFi devices are still communicating with Samsung’s servers. I suspect that yes, somehow, the devices are getting a connection through my Wink hub but I’m still researching. As I dig deeper, it *appears* that Samsung’s servers are just pinging some of my old devices but again, still researching and will report back. Thanks!
Any update on this post?
Kevin, great article and informative. I arrived at this article because I was looking up the privacy implications of using some smart hub.
Do you have any recommendations for limiting or eliminating information transmission back to the Samsung mothership? For instance, is there some setting to disable this transmission (assuming you don’t manage your devices through Samsung’s servers)? What about router blocking IP or IP ranges?
Thanks!