Telstra answers El Reg's Smart Home security questions
It's not quite an Internet of S**t, but nor does it come up smelling of roses
Telstra has managed to emit a response to The Register's questions about the soundness of its Smart Home service strategy. We received it at 5:10 PM yesterday.
Telstra has, pleasingly, identified the vendors supplying its kit:
- The platform is powered by Icontrol;
- Cameras, smart plugs and door sensors are provided by Sercomm;
- Motion sensors originate with Tyco Visonic;
- Light globes are provided by Sengled;
- Thermostats are provided by Zen;
- The Smart Hub is provided by Flex; and
- The Smart door lock is provided by Lockwood.
Third-party vendor patch management:
Telstra: “Telstra works with our smart home partners to follow industry best practices, with timely device patch management and secure platform configuration updates.
“Firmware used by vendors must pass a rigorous quality assurance process before being deployed to devices. Once updated firmware is available on the platform, all devices will be automatically updated.”
The Register: While it's a good thing that the system won't rely on consumers to patch products, Telstra's automatic patch process had better be bulletproof.
Telstra: “All communication from the home [Customer premises equipment] CPE and the app to the platform is encrypted, including transactional communication from the Smart Hub and all images and videos from the camera.”
The Register: This is pleasing news, but we also believe more transparency is needed – what crypto protocols, libraries, and certificate hashes are in use?
Telstra: “Telstra Smart Home is designed to be simple for customers to use. Using the app rather than a desktop provides a better user interface experience, stepping customers through the set-up process and allowing them to move around the house as they need, removing complexity from the set-up process.”
The Register: We still believe that UPnP-plus-cloud should not be the only configuration option, because (a) UPnP is famously difficult to secure, and (b) if any connection fails, users can't touch their systems (for example to adjust a thermostat).
Over to you, readers: is this enough to allay your security concerns? ®