Security Assessment and Enhancement of the Remote Binding Process of Smart Home Devices
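About the author:

Feng Chao (冯超), male, born in 1983, Ph.D., associate professor. Research interests: system security, vulnerability analysis, and wireless countermeasures. E-mail: chaofeng@nudt.edu.cn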

CLC number:

TN915.08

Security assessment and protection for remote binding of smart home devices
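    Abstract:

    Mobile applications are widely used to remotely manage smart home appliances, and remote binding among the smart home device, the user and the cloud is the key to secure remote access to devices. This paper therefore studies the security threats in smart home remote binding. First, a state-machine model covering the entire remote binding process is established. Then, based on this model, the remote binding schemes of 10 remote home devices are systematically analyzed, and multiple security flaws are found. Finally, an enhanced remote binding scheme, IoTBinder, is proposed: to address the problem that static device IDs in existing remote binding are easily brute-forced or leaked, it generates a dynamic device ID in the cloud and delivers it to the device through the user to complete remote binding. Verification with the security protocol analysis tool ProVerif shows that IoTBinder effectively protects the remote binding process with negligible performance overhead.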

    Abstract:

    Smart home applications have been increasingly deployed to help users remotely manage smart home appliances. The communication architecture in smart home usually involves the smart home device, the user and the cloud. To enable remote access, communication between a user and a device is relayed through the cloud. In this paper, we studied security threats in the remote binding of smart home. First, we proposed a state-machine model to describe the life cycle of remote binding, and to demystify complexity in various remote binding designs. With such a state-machine model, we systematically examined 10 real-world remote binding designs and exposed their attack surfaces. On the other hand, to mitigate the security threats, we presented a new remote binding solution called IoTBinder. One fundamental cause of the remote binding risk is the nature of static device IDs used in smart home devices, which could be easily leaked by brute-forcing or through ownership transfer. IoTBinder addresses this issue by generating a dynamic device ID from the cloud and delivering it to the device through the user. Further evaluation demonstrated that IoTBinder was effective in protecting against remote binding attacks with negligible performance overhead.
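
The contrast the abstract draws between static device IDs and a cloud-issued dynamic ID, as an added illustration that is not the paper's code and not the IoTBinder protocol itself. The `Cloud` class, its method names, the 300-second validity window and the single-use rule are assumptions made for this example.

```python
import secrets

TOKEN_TTL = 300  # seconds a freshly issued dynamic ID stays valid (assumed)

class Cloud:
    """Toy binding service; both schemes are simplified assumptions."""
    def __init__(self):
        self.static_owner = {}   # static device ID -> user
        self.pending = {}        # issued dynamic ID -> (user, expiry)
        self.dynamic_owner = {}  # active dynamic ID -> user

    def bind_static(self, user, device_id):
        # Static scheme: knowing the ID is enough, the last claimant wins.
        self.static_owner[device_id] = user

    def issue_dynamic_id(self, user, now):
        # Step 1: an authenticated user requests a fresh random ID.
        dyn_id = secrets.token_urlsafe(16)  # 128 random bits
        self.pending[dyn_id] = (user, now + TOKEN_TTL)
        return dyn_id

    def device_online(self, dyn_id, now):
        # Step 3: the device reports the ID the user handed it locally.
        user, expiry = self.pending.pop(dyn_id, (None, 0))  # single use
        if user is None or now > expiry:
            return False
        self.dynamic_owner[dyn_id] = user
        return True

    def revoke(self, dyn_id):
        self.dynamic_owner.pop(dyn_id, None)

    def controller_of(self, dyn_id):
        return self.dynamic_owner.get(dyn_id)

def ownership_transfer_demo():
    """Return (static owner, dynamic owner, replay accepted) after a resale."""
    cloud = Cloud()
    # Static ID: the former owner still knows the ID after selling the device.
    cloud.bind_static("alice", "SN-0001")   # constructed sample ID
    cloud.bind_static("bob", "SN-0001")     # new owner binds
    cloud.bind_static("alice", "SN-0001")   # former owner reuses the same ID
    static_owner = cloud.static_owner["SN-0001"]
    # Dynamic ID: every binding gets a new identifier from the cloud.
    old_id = cloud.issue_dynamic_id("alice", now=0)
    cloud.device_online(old_id, now=10)
    cloud.revoke(old_id)                    # device reset before resale
    device_id = cloud.issue_dynamic_id("bob", now=1000)  # step 2: bob -> device
    cloud.device_online(device_id, now=1010)
    replay_ok = cloud.device_online(old_id, now=1020)    # former owner's old ID
    return static_owner, cloud.controller_of(device_id), replay_ok
```
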

History
  • Received: 2023-03-29
  • Last revised: 2023-04-15
  • Published online: 2023-09-19