Abusing the Internet of Things

developer account and use the Text Me When It Opens program, they could use this testing
functionality to send any text message to anyone in the world, and it would also appear as
originating from the short code 512-69.
Now imagine if someone were to change the sendSms code to the following:


sendSms(phone1, "WARNING: Systems malfunction. All devices disarmed. Possible intruder activity.")

In this case (Figure 4-13), the user will get a text message with the scary warning from the
same 512-69 short code. Imagine getting such a text message after midnight, while you are
sleeping or perhaps even away from home. Users that have gotten previous text messages
from the SmartThings system will be likely to trust the message, because it originates from
the same short code. In fact, when the short code used by SmartThings recently changed (to
512-69), users inquired about the change on discussion forums, indicating that they are
indeed aware of and trust messages that originate from the code.
Many users might choose to use push notification services such as Apple Push Notification
and Google Cloud Messaging to receive the notifications, instead of text messages. However,
others prefer text messages, and SmartThings recommends them when it needs to shut
down non–text-based notifications for maintenance, as shown in an actual announcement in
Figure 4-14. Such intervals are the perfect time for intruders to abuse the situation.
This is just one example of how such a system can be abused. A malicious person who
knows your cell phone number and knows that you rely on SmartThings products for remote
monitoring to ensure the safety of your family could abuse this situation to cause you to leave
a particular location (such as your office) and head home to check up on your family because
you’ve received an SMS from the SmartThings short code.
In addition, spammers can abuse the free sendSms functionality to use the SmartThings
short code to send free text advertisements to anyone.
The lesson here is that the incoming number associated with text messages should never
be used to establish trust or prove authenticity. One solution is to request the user to input a
four-digit number that will be reflected on every text message sent out by SmartThings. Users
can be educated to disregard messages that do not contain the four-digit prefix. However, this
places a greater burden on the users and complicates their interaction with the product. Still,
this is the price to pay if traditional protocols such as text messaging are to be used.
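The four-digit prefix only helps if the platform stamps it selectively. The sketch below is an added example, not code from the book or from SmartThings; it models a hypothetical gateway (SmsGateway, enroll, send_sms and looks_authentic are invented names, and the phone number is constructed). It assumes the code is bound to the account that enrolled the number, so a message sent from any other account to that number goes out without it.

```python
import re

# Anything at the start of a body that imitates the platform's stamp
STAMP = re.compile(r"^\s*\[\d{4}\]")


class SmsGateway:
    """Constructed model of a platform-side SMS gateway (hypothetical)."""

    def __init__(self):
        self._codes = {}   # (account_id, phone) -> code chosen by the user
        self.outbox = []   # (phone, text) pairs that would go to the carrier

    def enroll(self, account_id, phone, code):
        """Store the user's code; assumes the number was verified beforehand."""
        if not re.fullmatch(r"[0-9]{4}", code):
            raise ValueError("code must be exactly four digits")
        self._codes[(account_id, phone)] = code

    def send_sms(self, account_id, phone, body):
        """Stamp the code only when this account enrolled this number."""
        # App-supplied text may not carry its own stamp, so a guessed code
        # (only 10,000 possibilities) cannot be smuggled in through the body.
        if STAMP.match(body):
            raise ValueError("body may not start with a stamp-like tag")
        code = self._codes.get((account_id, phone))
        text = f"[{code}] {body}" if code else body
        self.outbox.append((phone, text))
        return text


def looks_authentic(text, my_code):
    """The check users are educated to make: message starts with their code."""
    return text.startswith(f"[{my_code}] ")


def demo():
    gw = SmsGateway()
    phone = "+15555550100"                      # constructed sample number
    gw.enroll("owner-account", phone, "4821")   # constructed sample code
    genuine = gw.send_sms("owner-account", phone, "Front door opened")
    # Same short code, different account: the stamp is absent
    other = gw.send_sms("other-developer", phone,
                        "WARNING: Systems malfunction. All devices disarmed.")
    return genuine, other


if __name__ == "__main__":
    for text in demo():
        print(looks_authentic(text, "4821"), text)
```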

