Security and ImSmart

Most of the time, security becomes a concern only when your hear the big companies being hacked. And, also most of the time, these hacks were possible because of a lack of security. It’s rarely the difficult hacks that happen. Open firewalls, passwords in plain text, no SSL certificates and so on are the norm on easy hacks.

In 1994 I founded an Internet service provider in my hometown and had the chance to work with very talented people that taught me what to look for regarding network security. That being said, I’m not perfect but judging from what I see broadly on the Internet business, I may be a bit ahead of the mass. I will lay out here the security measures that were taken to ensure the security of your account and your IoT devices. Feel free to comment or ask questions.

The first barrier is the use of a secure web site. You see https and the word Secure in the address bar of your browser? That’s a good thing. If you don’t see it ask more questions. The secure web site means that if someone were to stand on the network between you and they could not read the data because it’s encrypted. That means your password and all data you enter on the web site is sent securely. What’s more: the requests sent to IFTTT are also sent securely through https. Your information will then be secure from IFTTT to ImSmart and back to IFTTT again. If you use URL in ImSmart trigger actions, it’s up to you to use secure URLs.

But how good is security if sensitive information is sent securely only to be stored in plain text? If someone hacks in a web site and gets away with the database or log files, sensitive information could be read in plain text. But, at ImSmart, your account password is hashed and your IFTTT Maker keys are encrypted. A hashed password means that it’s one-way encrypted; it cannot be decrypted. The basic workflow for registration and authentication in a hash-based account system is as follows:

  1. The user creates an account.
  2. Their password is hashed and stored in the database. At no point is the unencrypted password ever written to disk.
  3. When the user logs in, the hash of the password they entered is calculated and checked against the hash of their real password (retrieved from the database).
  4. If the hashes match, the user is granted access.

The same strict procedure is applied to your IFTTT Maker keys: they are not stored in database or written to files in plain text. They are stored in database encrypted and written to files with placeholders (such as MakerKey#1). I went a bit ahead with the IFTTT Maker keys showing them blurred on screen until you hover the mouse over the key.

Being able to access the database or log files will not give out your sensitive information. Another security measure is in place regarding your account:

  • Your account will be locked out with too many failed attempts. The account will be automatically unlocked after some time. This will prevent brute force attacks on your account. You will receive an email when your account is locked so that you know and you can act if you were not responsible.

Last but not least: there is a possibility that someone tries to break into your IoT devices by guessing your UserKey, VariableKey or TriggerKey at ImSmart and change the status of your variables, hence your lights or whatever devices you connect to. It’s good practice to keep the ImSmart operation URLs secret because they contain your UserKey, VariableKey or TriggerKey. So if someone tries to brute force ImSmart web API, they will be blocked and I will receive an email about it. However, remember that there are 3612 possibilities (that is 4,738,381,338,321,616,896) for a UserKey, VariableKey or TriggerKey and you need to combine a UserKey with a VariableKey or a TriggerKey to compose a valid operation URL. That makes 2.24×1037 possible combinations. So brute force against ImSmart is not impossible but just highly improbable. It would be much easier to steal this information directly from you than from ImSmart. So please be safe with your information.

One last (for real) word of caution: although it’s tempting and now much cheaper to install and use any new security system connected to Internet (including these nice security cameras), you’d be advised to take great care in installing such a system and control it using ImSmart or any other connected system. If your system becomes compromised who will be responsible and who will tell you? You don’t want your home to be unlocked by mistake. Rely on good old security measures where you deliberately turn on and off your security system by keying in your code at the keypad. And check with your insurance company if they will pay for any theft claim with the way you setup your system.