Telstra's answers El Reg's Smart Home security questions

Telstra has managed to emit a response to The Register's questions about the soundness of its Smart Home service strategy, which we received at 5:10 PM yesterday.

Vendors

Telstra has, pleasingly, identified the vendors supplying its kit:

Third-party vendor patch management:

Telstra: “Telstra works with our smart home partners to follow industry best practices, with timely device patch management and secure platform configuration updates.

“Firmware used by vendors must pass a rigorous quality assurance process before being deployed to devices. Once updated firmware is available on the platform, all devices will be automatically updated.”

The Register: While it's a good thing that the system won't rely on consumers to patch products, Telstra's automatic patch process had better be bulletproof.

Encryption

Telstra: “All communication from the home [Customer premises equipment] CPE and the app to the platform is encrypted, including transactional communication from the Smart Hub and all images and videos from the camera.”

The Register: This is pleasing news, but we also believe more transparency is needed – what crypto protocols, libraries, and certificate hashes are in use?

Configuration

Telstra: “Telstra Smart Home is designed to be simple for customers to use. Using the app rather than a desktop provides a better user interface experience, stepping customers through the set up process and allowing them to move around the house as they need, removing complexity from the set up process.”

The Register: We still believe that UPnP-plus-cloud should not be the only configuration option, because (a) UPnP is famously difficult to secure, and (b) if any connection fails, users can't touch their systems (for example to adjust a thermostat).

Over to you, readers: is this enough to reassure your security concerns? ®