It used to be tricky to get Control4 (Nasdaq: CTRL) and other home automation systems onto the home network and configured for remote access. Risky, too, because consumers and professional installers alike mostly used port forwarding for the task — a network security no-no.
A few years ago, most of the popular smart-home systems shifted to a cloud-based model where network configuration and security occurred in the cloud, rather than at the home router. The approach simplified the system onboarding process and improved network security (in theory, at least) for remotely accessible smart homes.
Control4 is one company that went that route, starting in 2013 when it launched Anywhere Access: Mobile. That was the time when Shodan and other bots started to invade connected homes, and manufacturers and installers abandoned port forwarding for VPNs, which can be tricky to set up.
Now Control4 has filed a patent application for the technology, Devices for Providing Secure Remote Access (#20160285874).
The abstract reads:
A method for providing secure remote access by a controller is described. The method includes establishing a link through a security service to a client device via a cloud server based on a security token from the client device. The method also includes receiving a command message from the client device for an application program interface (API) located within the controller. The command message is forwarded by the cloud server. The method further includes producing an automation command based on the command message. The API interprets the command message.
The application was filed on March 23, 2015 and published today. Control4 co-founder and former CTO (Wallace) Eric Smith is listed as one of four inventors.
Here's a notable passage from the application:
 There is a need for secure remote access to control systems to serve a large and growing community of end-users. The end-users may be geographically separated from the one or more controllers that they want to access. In addition, a communications mechanism may need to securely negotiate through end-user network security (e.g., firewalls) without end-user configuration.
 Remote access to control systems has traditionally been accomplished using virtual private network (VPN) connections, port forwarding, static internet protocol (IP) addresses and/or dynamic domain name system (DDNS). These approaches are problematic. For example, these approaches may require providing an installer access to the end-user's home to configure the home's router. Additionally, these approaches involve opening ports on the end-user's router, which introduces security risks to the home owner.
 The systems and methods disclosed herein may be used to provide secure remote access to a controller. When the controller is installed, it may be given credentials that may be used for remote access. Upon controller startup, an application programming interface (API) on the controller may use a communication network (e.g., the Internet), that provides the controller the ability to discover appropriate endpoints for various services. The controller may use the address server information (e.g., the endpoint information) to contact an authentication service in order to be authenticated on the network.
 When a remote user attempts to connect to the controller using a client device, the client device may use a communication infrastructure (e.g., cellular phone network, Internet, etc.) to reach the address server, which may provide endpoint information for various services. The client device may connect to the connection service, which may notify the controller about an inbound session request.
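The brokered flow the application describes (the controller links out to a cloud server, and the cloud server forwards a client's command only when it arrives with a valid security token) can be modeled in a few lines. This is an added illustration, not code from Control4 or from the patent application; the HMAC token format, the command allowlist, the key and every class and function name are assumptions made for the sketch.

```python
import hashlib
import hmac
import json

TOKEN_KEY = b"constructed-demo-key"  # assumed: held by the security service
ALLOWED = {"lights.on", "lights.off", "lock.lock"}  # assumed controller API surface


def issue_token(user, controller_id, expires):
    """Security service: bind a user to one controller until `expires`."""
    body = json.dumps({"u": user, "c": controller_id, "exp": expires}, sort_keys=True)
    mac = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_token(token, controller_id, now):
    """Return the claims, or None if forged, expired or for another controller."""
    body, _, mac = token.rpartition(".")
    good = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return None
    claims = json.loads(body)
    if claims["exp"] <= now or claims["c"] != controller_id:
        return None
    return claims


class Controller:
    """Home side: dials out to the cloud, so no inbound router port is opened."""
    def __init__(self, controller_id):
        self.controller_id = controller_id
    def api(self, message):
        # The API interprets the command message into an automation command.
        if message.get("cmd") not in ALLOWED:
            return {"ok": False, "error": "unsupported command"}
        return {"ok": True, "automation": (message["cmd"], message.get("target"))}


class CloudServer:
    def __init__(self):
        self.links = {}  # controller_id -> controller that connected outbound
    def register(self, controller):
        self.links[controller.controller_id] = controller
    def forward(self, token, controller_id, message, now):
        ctrl = self.links.get(controller_id)
        if ctrl is None or verify_token(token, controller_id, now) is None:
            return {"ok": False, "error": "rejected"}
        return ctrl.api(message)
```

The security-relevant property is that the token is checked for integrity, expiry and controller binding before anything reaches the home, and the controller still validates the command itself rather than trusting the cloud's forwarding decision.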