Abusing the Internet of Things

Accept-Language: en;q=1
X-ST-Client-AppVersion: 1.6.5
X-ST-Api-Key: [DELETED]
X-ST-Client-OS: iOS 8.0.2
User-Agent: SmartThings/1006 (iPhone; iOS 8.0.2; Scale/2.00)
Connection: keep-alive

The X-ST-Api-Key token is constant and can be considered public knowledge. The value submitted for Authorization is the access_token value that was received by the app upon successful authentication. The graph.api.smartthings.com server responds with the following:


HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Date: Fri, 17 Oct 2014 04:46:47 GMT
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
X-Pad: avoid browser bug
Content-Length: 1204
Connection: keep-alive

[{"id":"[DELETED]","name":"Home","accountId":"[DELETED]","latitude":42.613706,
"longitude":-120.200028,"regionRadius":150,
"backgroundImage":"https://smartthings-location-images.s3.amazonaws.com/standard/standard62.jpg",
"mode":{"id":"[DELETED]","name":"Away","locationId":"[DELETED]"},
"modes":[{"id":"[DELETED]","name":"Away","locationId":"[DELETED]"},
{"id":"[DELETED]","name":"Home","locationId":"[DELETED]"},
{"id":"[DELETED]","name":"Night","locationId":"[DELETED]"}],
"role":"owner","helloHomeAppId":"[DELETED]","temperatureScale":"F",
"hubs":[{"id":"[DELETED]","name":"Home","locationId":"[DELETED]",
"firmwareVersion":"000.010.00246","zigbeeId":"[DELETED]","status":"ACTIVE",
"onlineSince":"2014-10-08T18:42:52.679Z","signalStrength":null,
"batteryLevel":null,"type":{"name":"Hub"},"virtual":false,"role":"owner",
"firmwareUpdateAvailable":false}]}]

According to the response, one location is associated with this user's account; it is identified by the value of the id token. The latitude and longitude values give the actual physical location of the home. There are also several modes, such as Away and Home. The user can set the current mode manually, or the SmartThings system can be configured to set it automatically, for example switching the value to Away when the user's phone moves outside the regionRadius value of the location.
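As an added example (not code from the book), the Python below parses a locations response of the shape shown above and reduces it to the fields that matter from a security standpoint: the home coordinates, the current and available modes, and each hub's firmware version and update flag, which is exactly what anyone holding the bearer access_token learns from this one call. It also reproduces the geofence rule the text describes. The sample JSON is constructed with placeholder ids; the haversine distance function and the assumption that regionRadius is expressed in metres are mine, not something the page states.

```python
import json
import math

EARTH_RADIUS_M = 6371000.0

# Constructed sample, shaped like the /api/locations response above. The ids
# are placeholders; the coordinates, mode names and firmware string are the
# values printed on the page.
SAMPLE_RESPONSE = """[{"id":"LOC-PLACEHOLDER","name":"Home","accountId":"ACCT-PLACEHOLDER",
"latitude":42.613706,"longitude":-120.200028,"regionRadius":150,
"mode":{"id":"MODE-AWAY","name":"Away","locationId":"LOC-PLACEHOLDER"},
"modes":[{"id":"MODE-AWAY","name":"Away","locationId":"LOC-PLACEHOLDER"},
{"id":"MODE-HOME","name":"Home","locationId":"LOC-PLACEHOLDER"},
{"id":"MODE-NIGHT","name":"Night","locationId":"LOC-PLACEHOLDER"}],
"role":"owner","temperatureScale":"F",
"hubs":[{"id":"HUB-PLACEHOLDER","name":"Home","locationId":"LOC-PLACEHOLDER",
"firmwareVersion":"000.010.00246","status":"ACTIVE",
"onlineSince":"2014-10-08T18:42:52.679Z","firmwareUpdateAvailable":false}]}]"""


def summarize_locations(body):
    """Parse the locations JSON and keep only what a holder of the bearer
    access_token learns: where the home is, whether the account currently
    says anyone is there, and which hub firmware is deployed."""
    summary = []
    for loc in json.loads(body):
        summary.append({
            "id": loc["id"],
            "name": loc["name"],
            "coordinates": (loc["latitude"], loc["longitude"]),
            "radius_m": loc["regionRadius"],          # assumed to be metres
            "current_mode": loc["mode"]["name"],
            "modes": [m["name"] for m in loc["modes"]],
            "hubs": [
                {
                    "id": hub["id"],
                    "firmware": hub["firmwareVersion"],
                    "status": hub["status"],
                    "update_available": hub["firmwareUpdateAvailable"],
                }
                for hub in loc.get("hubs", [])
            ],
        })
    return summary


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def geofence_mode(location, phone_lat, phone_lon):
    """Apply the automatic-mode rule described in the text: a phone outside
    the location's regionRadius puts the location in "Away"; inside, "Home".
    `location` is one entry returned by summarize_locations()."""
    home_lat, home_lon = location["coordinates"]
    distance = haversine_m(home_lat, home_lon, phone_lat, phone_lon)
    return "Away" if distance > location["radius_m"] else "Home"


if __name__ == "__main__":
    for loc in summarize_locations(SAMPLE_RESPONSE):
        print(loc["name"], loc["coordinates"], "currently", loc["current_mode"])
        for hub in loc["hubs"]:
            print("  hub", hub["id"], "firmware", hub["firmware"],
                  "update available:", hub["update_available"])
        # A phone roughly 700 m north of the home coordinates is outside the 150 m radius.
        print("  phone 700 m north ->", geofence_mode(loc, 42.62, -120.200028))
```

From a defender's perspective the interesting part is how much this single authenticated call yields: the current mode tells whether the system believes the house is occupied, and firmwareVersion together with firmwareUpdateAvailable tells exactly which hub build is deployed. Both are worth logging on the service side so that unusual reads of the locations endpoint from a new client can be noticed, and both argue for short-lived access tokens rather than long-lived ones.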
The SmartThings app now needs to pull additional information about the SmartThings devices associated with the account and their configurations. It does this by issuing the following POST request using the location id and access_token (for the Authorization field) obtained earlier:


GET /api/locations/[DELETED]/smartapps/ HTTP/1.1
Host: graph.api.smartthings.com
Accept: application/json

CHAPTER 4: BLURRED LINES—WHEN THE PHYSICAL SPACE MEETS THE VIRTUAL SPACE (p. 92)
