When last we left our intrepid, if challenged, SmartThings home hub, it was not having the best of times.

CNet picked up my previous story, and expanded on it in an article titled Samsung's smart home push hits disconnect. In addition, researchers exposed what they considered to be serious security flaws with the hub.

Multiple issues exist in SmartThings' framework, the researchers say, but most pressing are the privileges given to apps, many of which they don't need to function. A smart lock might only need the ability to lock itself remotely, for instance, but the SmartThings API bundles that command with the unlock command, which an attacker can leverage to carry out a physical attack. Another over-granting of permissions involves the way in which SmartApps connect to physical devices. When a user downloads a SmartApp, it asks for specific permissions to perform its intended purpose. After being installed, SmartThings then lists all the devices that could be used with that app because of its ability to sync with those permissions. But it also gives the app more access than it needs.

In response, SmartThings CEO Alex Hawkinson apologized in the SmartThings community forum, promising improvements. He also posts a weekly update (the latest) about what improvements have been pushed out that week. In addition, the company recently hired Amazon's former director of engineering, Robert Parker, to oversee the improvements.

As a result, SmartThing users have been seeing an improvement in the hub. We're no longer seeing the "red bar of death" that used to be so common in the Android app. In addition, performance has improved, including better detection of presence, as well as quicker response to actions. Scheduled events actually run on schedule, after months of erratic behavior.

Hawkinson also responded to the security concerns:

A research report entitled “Security Analysis of Emerging Smart Home Applications” was released this morning by a team from the University of Michigan and Microsoft Research. The report discloses hypothetical vulnerabilities in the SmartThings platform and demonstrates how, under certain circumstances, they could be exploited. Over the past several weeks, we have been working with this research team and have already implemented a number of updates to further protect against the potential vulnerabilities disclosed in the report. It is important to note that none of the vulnerabilities described have affected any of our customers thanks to the SmartApp approval processes that we have in place.

The system has stabilized enough that some of us are tentatively moving back into the world of the Smart Home Monitor—the golden child of the SmartThings network, responsible for security. It is this application that had the most faulty behavior, with frequent false alarms, and not being able to manually arm or disarm the system.

I turned on SHM last week for the first time in over two months. Unfortunately, I also had a false alarm at exactly 5:04 AM last Thursday, when one of my monitors detected movement where there was none. However, I do believe this is more the monitor (I've had some issues with SmartThings own motion sensors in the past)—perhaps reacting to a spider, or air flow eddies—and not the application or the hub. I've switched to a different motion sensor (the Fibaro Motion Sensor), and so far no additional false alarms.

We can now easily arm and disarm the SHM security system. When the security alert did go off, all the appropriate lights and alarms were triggered, and notifications sent. In addition, when I dismissed the alert, the alarms were immediately silenced, though I had to turn off all the lights manually.

There are still issues with the SmartThings Hub. The biggest concern is that most of the activity related to the Hub occurs within the cloud rather than locally. This means that if we lose internet connectivity—something that happens daily for me during the hottest part of the day in the summer—automatic actions that should still function, don't.

We also still don't have Rule Machine, the extremely popular community-developed application, and no idea if it will ever return.

Still, I'll take the improvements we've received, and the promise of more.

I'm moving the SmartThings Hub from "hold on buying" to, "OK, you can give it a try, but don't go crazy buying devices just yet".

5

One of the most popular smart home controllers is SmartThings, especially the company's newest hub, SmartThings V2. Interest in the hub was sufficient to attract the attention of Samsung, who bought SmartThings in August, 2014. Samsung recently touted SmartThings as the hub controller for many of its new smart home endeavors.

Unlike *other smart home hubs, SmartThings controls ZigBee as well as Z-Wave devices, meaning that smart home consumers don't have to choose devices of one standard over the other—opening the door to seemingly twice as many devices. It was the dual support, as well as the Samsung patronage that made me decide to invest in SmartThings.

I have a SmartThings V2 hub, as well a Z-Wave and ZigBee devices from SmartThings and other vendors. In the beginning, I was very happy with the hub, and delighted at what I could control with it. I used it to turn on and off groups of lights, set lights to come on at certain times, or based on motion or a door opening. I also used it for home security. When the outside lights came on at sunshine, the hub would also ensure my door locks were locked. Movement in certain areas at certain times would not only turn on all the house lights, it would also trigger two very loud, very irritating sirens.

All was well, until after Christmas. In January, my SmartThings experience began to go south. It started with a false alarm one night, waking the household up, and generating a frantic check of house cameras to ensure there was no intruder. Over the next month, we suffered three more false alarms, but only some of the lights would come on, and siren support was sporadic. As thankful as we were that the sirens weren't triggering with the false alarm, we contemplated what would happen if the alarm was real, and we slept through it because neither lights nor siren came on.

About a month ago, we found that the nighttime routine that was supposed to set the Smart Home Monitor application's state to armed wasn't running most of the time. When it did run, it frequently wouldn't change the armed status. Then it  became an esoteric exercise to change the application's armed state. We'd have to, first, set the device to Armed (Away), then back to Disarmed, then to Armed (Stay), to get the system to arm the home for the night.

In addition, the morning routine to disarm the routine wouldn't fire, or if it did, wouldn't disarm the home. When a House Hold Member would leave for work, the lights would come on, the alarms would sometimes go off—all of which made for a stressful morning routine. When the disarm procedure did work, it started turning on a small group of lights, for no reason. The same group, each time, including the light that shown directly in my face. There was nothing I could do to stop it.

After months of increasing aggravation, I finally followed the advice of many, and uninstalled SmartThing's Smart Home Monitor application. Now I'm using the Smart Lighting application to trigger lights and alarms, though the routine isn't as sophisticated, and doesn't send out notifications. However, it turns on lights and the alarms when motion occurs in certain areas at certain times, and it does so reliably. That's enough.

In the SmartThings community forum, the complaints about the routines not running on time, and the Smart Home Monitor failing to arm or disarm have taken over, with many customers vowing to dropkick the hub out the window.

Rather than the fix we desperately needed, a month later, a whole new set of problems are surfacing.  Cree bulbs—those lovely, affordable, reliable ZigBee gems—started failing. They still showed as active in the SmartThings Hub, but if you looked at another controller, such as Amazon's Echo, it would show the bulbs as inactive. And the routine to fix the dropped Cree bulb is bizarre: rename the device, several times if you must, and this, somehow, magically reconnect SmartThings to the bulb.

The Cree bulb issues join with problems with several other (primarily Z-Wave) devices, and the answer is typically the same: you have to remove the batteries, or reset the devices, or rename them, or some other process that more closely resembles "sacrifice a chicken at midnight" voodoo than tech troubleshooting.

The Smart Home Monitor wasn't the only application that  began to fail. Others, including one very popular community member-provided application known as Rule Machine, also began to have problems. Because of the problems, the Rule Machine author has pulled the application for now, until the SmartThings infrastructure problems are resolved.

(And how do you get access to these community-provided smart apps? First, you have to have a GitHub account. Yes, not a first step I would recommend if you want widespread adoption of your products. Reliability isn't the only functionality that SmartThings needs to improve.)

The SmartThings status page has noted the problems for several weeks, and we're assured, both in the forum and in the status page, that engineers are working on solutions that they hope to roll out. Soon. Soon. Soon.

The problems that SmartThings faces are the problems many smart home technologies face: dependence on a cloud, increasing numbers of users, and a massive number of device events. Infrastructures that worked for a small number of diehard fans don't scale for larger numbers of people, many of whom are not techs or geeks, just people trying out the new technology; people who will quickly abandon the new technology when they hit problems, rather than persevere like the earlier adopters.

I watched the events for my devices one night, using the web UI that SmartThings provides. My motion detectors not only signal activity, they also signal the room temperature every 10 minutes. So do my sensors that check whether a door is opened or closed. My Netatmo indoor and outdoor temperature sensors also update every ten minutes. When I set one of my Hue bulbs to a different brightness level, it triggered over twenty log entries, as SmartThings reviewed illumination levels, current color setting, current on/off state, and then seemingly did it again and again, several times in a row. When I turned it off, the same twenty-plus log entries were displayed.

After an hour I had to turn off the log: it was so long, I could no longer scroll to the end.

We know that many functions are handled at the device level, and don't require the internet. But when you have coordinated mobile and desktop applications, then you require the cloud. The concern then becomes: what's handled in the device? What's handled in the cloud? And what happens when you magnify all of this by several thousand or tens-of-thousands users, each with many different devices?

What happens is what we're seeing: incomplete or out-of-sync device states, orphaned devices, phantom device activation, slow responses, or non-existent and unreliable responses.

I'm not ready to dropkick my SmartThings Hub V2 out the window, yet. I have both Z-Wave devices and ZigBee, and most hubs support one or the other but not both. When I avoid routines for important functionality, use IFTTT to schedule events, and limit my smart applications to the few that show themselves to be reasonably stable, the system does work. But the functionality is severely limited—a ghost of our glorious expectations.

However, for all the technical problems the company has, it is making some good organizational decisions. SmartThings does stay connected with the users. True, support may not answer your questions for a few days, and the answers not what we'd want, but they do respond. I've found that most of the smart home technology companies have appalling support—I'm been waiting for a response from Netatmo for five months now, and don't even start me on Google's OnHub or Nest support.

In addition, SmartThings employees do respond in the community forum, even though for the most part, they're responding to increasingly irate customers. Not just customer support employees, either: company engineers have communicated from time to time, giving us glimpses into the technology that powers the SmartThings cloud (Groovy, a Java dialect from Apache, and Cassandra for event management).

Amazingly enough, the company also lets the customers vent. And vent. Not many companies would allow customers to discuss the relative merits of competitor products and jumping ships in the product's community forums. I hesitate to say such openness is unique, but it is very unusual. And, frankly, another smart organization decision.

So, I stay with SmartThings. For now. However, I don't recommend buying a SmartThings Hub until the infrastructure problems are fixed.  If this happens, I'll post an update.

* Newer hubs do have support for both ZigBee and Z-Wave. Harmony Home Hub Extender supports both, as does the new VeraPlus Advanced Home Controller.