It's been awhile since I've discussed anything security related on this blog. This is mostly because I set that ball down every day at 4:30 and don't want to pick it back until 8:00 on the next workday. However, this article on Slashdot has me spun up enough that I'm willing to gripe about it. I can see this being picked up by the mainstream media and yet another bout of fear-mongering making the rounds. Kibo help us if they rediscover that Wemo video.
As a business idea, this is really cool. The service vendor only needs to stand up one web server which accepts commands and sends them back into the user's network. Very little needs to be stored or processed on the web server, yet the vendor gets to pull in $8 or $9 from each "premium" customer. The consumer also hands over money for the hardware.
Those who use cloud based controls to manage electrical appliances, without strong authentication and strong encryption, are taking big risks (and, no, a username and password, encrypted by SSL may not meet those requirements). If you're going to manage environmental controls over the Internet, do it on your own server and require a non-split VPN to access them. Better yet, manage those controls via a network that is entirely isolated from external access.
The primary countermeasure for the mentioned direct attacks on the protocol or the devices is: maintain a baseball bat at each of the exits from your house. Z-wave and Zigbee are very low power, very low bandwidth communications protocols, meaning if there's a direct attack on your components, the attacker is probably within view of your front or back stoop. The technical term "mechanical agitation" comes to mind.
If you want to management your environmental controls and your appliances, avoid the public services. Instead stand up your own controller/gateway, and avoid putting it on the Internet. If you don't like the DIY approach, use one of the Mi Casa Verde products (or similar vendor's product). If you do like the DIY approach, build your own with a Raspberry Pi, a Razberry interface, and an XBee interface. Both approaches are cheaper than what you'll end up paying the public services and, if you're a coder, they're also more expandable/extendable.