Context: Samsung SmartThings is a very famous smart home hub/cloud-based platform, this means that it is implemented both in the local smart hub and in the cloud server.
Question: Which technique (Port forwarding UPnP, hole punching, …) is implemented by this platform to allow users to control their home devices? How does it technically work?
Most of the devices connected to the SmartThings hub will not be IP devices, so they are not controlled directly via the cloud and the concepts of port forwarding and UPnP do not apply.
Instead, the devices connect to the SmartThings hub in whatever manner they can, and the hub acts as a proxy. The hub sends/receives a command to/from the cloud and translates that into something that can be communicated to the device. So the hub really is a protocol converter, rather than a network hub.
The IoT device (e.g. wifi thermostat) usually connects/calls out to a central server, using your home ISP network, and keeps this connection alive 24/7 by sending a combination of ACK & SYN packets every few seconds at the TCP level. The IP address of the central server is coded into the firmware of the IoT device. The upper-layer protocol (HTTP, SSH, custom made, etc.) and encryption vary between devices/companies. A lot use SSL/TLS over port 443. If you port scanned the IoT device inside your local LAN, it would show no open ports (except for maybe an admin port/webpage to change settings). If you download a mobile app onto your smartphone to control this IoT device, that smartphone app calls into (sends commands to) the same central server, and that central server relays the command back to the IoT device. A similar & simple concept/technique with good documentation is called reverse SSH tunneling or reverse SSH port forwarding.
