How secure from attack is your alarm system?

26-Feb-2015 What if your security system isn’t physically secure?

A recent HP Fortify report assessed some connected home security devices along with the accompanying cloud and mobile app components.

The report claims the studied devices used in home security contained significant vulnerabilities, including enumerable usernames, weak password policy and no account lockout. None of the systems required strong passwords or offered two-factor authentication. Some provided insecure cloud and mobile interfaces.
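As an added illustration (not code from the HP report, the article, or any vendor mentioned here), the following Python example shows a server-side login check that addresses three of the reported weaknesses: enumerable usernames, weak password policy and no account lockout. The class name, thresholds and policy values are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for illustration; the article does not specify any.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LEN = 12
GENERIC_ERROR = "invalid username or password"


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self, clock=time.monotonic):
        self._users = {}     # username -> (salt, derived key)
        self._failures = {}  # username -> (failure count, locked-until time)
        self._clock = clock
        self._dummy_salt = os.urandom(16)

    def register(self, username: str, password: str) -> None:
        # Password policy: minimum length, and must not contain the username.
        if len(password) < MIN_PASSWORD_LEN or username.lower() in password.lower():
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._users[username] = (salt, _derive(password, salt))

    def login(self, username: str, password: str) -> tuple[bool, str]:
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        # Unknown usernames go through the same key derivation as known ones,
        # so neither the message nor the work done reveals which names exist.
        salt, expected = self._users.get(username, (self._dummy_salt, b""))
        ok = hmac.compare_digest(_derive(password, salt), expected)
        if now < locked_until:
            return False, GENERIC_ERROR  # locked: even the right password fails
        if ok:
            self._failures.pop(username, None)
            return True, "ok"
        # Failures are counted for any submitted name, so lockout behaviour is
        # identical for real and non-existent accounts.
        count += 1
        locked = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[username] = (0 if locked else count, locked)
        return False, GENERIC_ERROR
```

Two-factor authentication, the other gap the report names, is outside the scope of this example.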

It’s important to acknowledge that the Internet of Things (IoT) requires that security be built into every connected device. Since that is typically lacking, it’s good that an organization focused on enterprises has made the effort to raise issues found in home security equipment.

No HP representative was available, so Securebuzz spoke with the president of a company that provides physical security for homes and businesses, specializing in alarms, cameras, and access control.

“In places where there is much to steal, if you have enough money to be attractive to a thief, you have enough money to make it difficult to break in,” acknowledged Vladimir Khayutin, president of BAX Security.

Few alarm systems are connected to the Internet. Most connect via telephone line or cellular dialer to a monitoring station.

“I program systems remotely, especially for customers whose locations are far away,” Khayutin said. “I accessed their systems through remote capability, but I’m authorized to do that.”

To access an alarm connected to a phone line a user needs…
1. Special downloading software
2. A modem that matches the make of the alarm system modem – you can’t use a DSC modem with a Honeywell system, for example.
3. Download codes.

An attacker would also need to know…
4. The exact model and firmware version of an alarm panel (not keypad)
5. That the default download codes weren’t changed by the installer, or
6. The changed download codes. 

“Suppose the bad guys see a BAX Security sticker, and call to see what types of systems we install,” said Khayutin. “Well, most of the systems we install are made in Canada. If they manage to get their hands on that manufacturer’s modem, they can’t use new software for older alarm panels. Even if they get several different software versions, they have to try each one. And those will work only if you haven’t changed your default download codes. We change all default codes upon installation, to make it virtually impossible for an attacker to do that.”

How easy is it to connect to a cellular network?

Alarm.com has an app for installers to connect to a system.

The Telguard app is for arming, disarming and receiving reports. For someone to get access, they have to connect to the application and have the information for a particular system. Where do they find that?

“They need account access, so if they break into Telguard, they will get that information,” Khayutin said. “Then it’s not the weakness of my system – it’s the weakness of someone’s website.”

If the attackers don’t use Internet connectivity, how else can they break in?

In movies, alarm break-ins always happen at the keypad. Theoretically it’s possible, if the password-cracking software works fast enough. Alarms have at least a 4-digit code. How long will it take for a laptop to calculate the right combination, considering there is usually no more than a 30-second entry delay before the siren sounds and the system dials out?

“Maybe a government can do that, but what if the alarm system isn’t connected to the Internet?” asked Khayutin. “Not many are. Then an attack requires a physical presence.”

Today many customers use VoIP to monitor their systems. While cable Internet/telephone packages have increased the popularity of VoIP, Khayutin doesn’t recommend it to his customers for alarm monitoring.

“If there’s static on the phone line, it doesn’t work all the time,” he said. “When power is out, so is VoIP. Cellular dialers are more reliable, and come with their own backup batteries.”

Another problem with VoIP is that you can’t use downloading software, because the line is noisy.

If you know a land line number you can break into the big neighborhood Bell box, trace the wire, and disconnect it.

“Phone lines are insecure in my opinion, and dedicated lines as used by financial institutions and jewelry stores are too expensive for most residential customers,” Khayutin said. “I don’t understand why all of our lines don’t work that way, because it’s not expensive technology.”