In the past few months, we have addressed the security-related pitfalls of the Internet of Things. In our article "Why IoT Devices Are the Trojan Horses of Our Time. And Why Nobody Talks About It." we showed how IoT devices could become the gateway for various risk scenarios. Alarm systems and their security risks are increasingly emerging as another aspect of this discussion. Yet, there is a need for conceptual differentiation.
Devices that are not even connected to the Internet - classic, non-digitized, 1993 kind of security systems - could pose a treacherous security threat.
Security researchers say that the best-selling home alarm systems could be easily undermined to either suppress the alarms or to generate several false alarms, which would make them unreliable.
False alarms could be triggered with a simple tool from a distance of up to 300 meters. Deactivation is possible at a similar distance to the object. Regardless of the manufacturer of the security system, the key problem is the same: most radio alarm systems are based on high-frequency signals sent from door and window sensors to a control system, which triggers an alarm when one of these entries is breached. The signals are sent each time a marked window or door is opened, regardless of whether the alarm is activated or not. When the alarm is activated, the system triggers the alarm and also sends a silent alarm to the monitoring company, which contacts the residents or the police. Many systems cannot encrypt or authenticate the signals sent by the sensors to the control panels, which makes it easy for anyone to intercept the data, decode the commands, and replay them to the control panels at will.
More complex systems use different hardware, but they function practically the same. They still use the wireless communication of the 90s. The signals could also be blocked by sending radio interference, which prevents an alarm from being triggered. Such interference devices can be built for less than $100. Many systems use a remote control, which allows the alarms to be activated and deactivated without entering a password on a control panel. This data is transferred in plain text, also via radio, and can be monitored. It's alarming that most of the tested systems used just one single code.
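What the missing authentication and the single fixed code mean for a control panel can be shown with a per-sensor key and a message counter. This is an added example, not code from the tested products or from the researchers; the frame layout, the truncated HMAC-SHA256 tag, the key provisioning and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # truncated HMAC-SHA256 tag; the length is an assumption


def make_frame(key: bytes, sensor_id: int, counter: int, event: int) -> bytes:
    """Sensor side: 2-byte id, 4-byte counter, 1-byte event, then the tag."""
    body = struct.pack(">HIB", sensor_id, counter, event)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Panel:
    def __init__(self, keys: dict[int, bytes]):
        self.keys = keys  # one secret per paired sensor
        self.last_counter = {sid: 0 for sid in keys}  # highest counter accepted

    def accept(self, frame: bytes) -> str:
        if len(frame) != 7 + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:7], frame[7:]
        sensor_id, counter, event = struct.unpack(">HIB", body)
        key = self.keys.get(sensor_id)
        if key is None:
            return "reject: unknown sensor"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        if counter <= self.last_counter[sensor_id]:
            return "reject: replayed counter"
        self.last_counter[sensor_id] = counter
        return f"accept: sensor {sensor_id} event {event}"


def demo() -> list[str]:
    key = bytes(range(32))  # constructed sample key, provisioned at pairing
    panel = Panel({0x0101: key})
    genuine = make_frame(key, 0x0101, counter=1, event=1)  # door opened
    forged = make_frame(b"\x00" * 32, 0x0101, counter=2, event=0)
    return [panel.accept(genuine),  # fresh, authentic frame
            panel.accept(genuine),  # identical bytes captured and resent
            panel.accept(forged),   # built without the sensor's key
            panel.accept(make_frame(key, 0x0101, counter=2, event=0))]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Authentication and counters do not address the radio interference described above; a panel needs a separate check for that, such as noticing when expected sensor traffic stops arriving.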
Now things get more spooky.
If, when choosing a security system, you place your confidence in one that is integrated in the network, i.e. based on devices that fall within the IoT category, you could actually be less secure than before purchasing a security system.
Security researchers tested innovative home security systems and discovered that systems connected to IoT are full of security errors. Such home security systems are connected to a mobile device or the Internet through the cloud and have a multitude of functions such as motion detectors, door and window sensors, and video cameras with recording functions. Although the aim of these systems is to offer security to a homeowner, due to the vulnerabilities, the owner of the home security system is possibly not the only one monitoring the home.
A high number of authentication and authorization problems were found and there are concerns about mobile and cloud-based web interfaces. Of the tested systems 100% allowed the use of weak passwords and were susceptible to interception of login credentials. Ouch.
4 out of the 7 systems with cameras gave the owner the option to grant video access to additional users, which further intensified the problems during account opening. 2 of the systems allowed for local streaming of videos without authentication. As for firmware and software, 60% had no update functions and offered no automatic update functions. One system updated firmware via FTP, which would enable an attacker to collect the login credentials and have write access to the update server.
As long as there are systems with vulnerabilities, people will figure out how to take advantage of these. Especially when it comes to IoT-enabled security systems, the Internet of Things is not yet contributing to making such systems more secure and resilient.
Bottom line: wireless security systems are inferior when compared to their hardwired counterparts. The decisive reason alarm companies still install wireless systems is that it's easier, and monitored alarm systems are a numbers game.