Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Encryption Security

IoT Home Alarm System Can Be Easily Hacked and Spoofed (cybergibbons.com) 123

An anonymous reader writes: In the never-ending series of hackable, improperly protected IoT devices, today we hear about an IoT smart home alarm system that works over IP. Made by RSI Videofied, the W Panel features no encryption, no integrity protection, no sequence numbers for packets, and a predictable authentication system. Security researchers who investigated the devices say, "The RSI Videofied system has a level of security that is worthless. It looks like they tried something and used a common algorithm – AES – but messed it up so badly that they may as well have stuck with plaintext."
This discussion has been archived. No new comments can be posted.

IoT Home Alarm System Can Be Easily Hacked and Spoofed

Comments Filter:
  • I'm not surprised (Score:5, Insightful)

    by TWX ( 665546 ) on Monday November 30, 2015 @01:19PM (#51028215)
    I've worked with security companies that do lower-end security before. They've e-mailed usernames and passwords to me across the Internet.

    There's no licensing or aptitude testing necessary to operate a security company. Anyone can form a business and call it a security business, and often people that have no technical background will do it because there's a market to be served, even if they should not be the ones serving it.
    • I spent a lot of time working for a security company that did high end enterprise systems. I hope they've changed their ways but their idea of security about 15 years ago was to just base64 encode your credentials when you log in. Once you logged in you used a token. Their digital signatures on video frames was inadequate also and it was quite possible to alter a frame and then resign it after the fact. Oh and all of the devices allowed root login and had a shared password across all networks.
    • by Lumpy ( 12016 )

      90% of all ADT alarms installed use the zipcode as the installer/backdoor access code.
      95% of all alarms installed by companies use the house address as the default code for the customer at install time and NEVER have the code changed.

      Alarm systems typically are only used for notification to the homeowner that they need to call the insurance company for a claim.

    • No licensing required... but how about making them liable? I'm not a big fan of a litigious society of ambulance chasers (or lawyers in general), and I don't think IT or "security" firms should pay damages for every single thing that can possibly go wrong, but in a case of gross negligence like leaving default passwords or having no encryption whatsoever on links, they should be at least held liable for damages suffered.
      • by TWX ( 665546 )

        No licensing required... but how about making them liable? I'm not a big fan of a litigious society of ambulance chasers (or lawyers in general), and I don't think IT or "security" firms should pay damages for every single thing that can possibly go wrong, but in a case of gross negligence like leaving default passwords or having no encryption whatsoever on links, they should be at least held liable for damages suffered.

        When one relatively faceless organization works with another relatively faceless organization it requires the victim-company to have someone on staff who cares about the problems with enough seniority and clout to make a big deal of those problems. If that person doesn't exist then nothing will be done about it.

    • by Anonymous Coward

      This is how they have a product designed for security guaranty a profit to the investors. Hire a chinese factory to mass produce some crap hobbled together in a nice new shiny package with "SECURITY" stickers all over it. Include an 'instruction manual' detailing the tedious process of actually using it, but never once actually hire anyone who knows anything about security, which is of course where all the value is supposed to lie.
      Tbh it is not that difficult to build and install a secure system, but you mu

      • A fundamental feature of security is that it is opposed to convenience. Adding convenience subtracts from security. Passwords are inconvenient, dongles are inconvenient, PINs for the debit cards are inconvenient, little metal keys to the front door are inconvenient. But if you want to sell to customers then you need to increase convenience. The result is that if customers are not specifically asking for security and verifying the security actually exists, companies aren't going to bother too much about

    • It's also a startup mentality. Get an entrepreneur with zero skills, but with an "idea". Then watch as a company is created to turn that idea into a product despite the lack of competence to create such a product. That's because the goal of a company is to make money. Without customer or inevestor demand there is no need for quality.

  • by QuietLagoon ( 813062 ) on Monday November 30, 2015 @01:24PM (#51028251)
    Over the past year or so, I've been seeing far too many of these shoddy security implementations with IoT devices.

    .
    Are the developers of such devices really this incompetent?

    Are they really so focused on jumping on the IoT revenue bandwagon that they give the actual security of their devices a passing glance, if that?

    Some of these security lapses seem to border on criminality...

    • Are the developers of such devices really this incompetent?

      My guess would be that they were told to implement it in a certain way. They may have had objections but were overruled by managment.

      Are they really so focused on jumping on the IoT revenue bandwagon that they give the actual security of their devices a passing glance, if that?

      Yes. I find this is the most plausible explanation: "Make it work on the interwebs! By next week!"

      • They may have had objections but were overruled by managment.

        In my experience, that would be a correct assessment.

      • My guess would be that they were told to implement it in a certain way. They may have had objections but were overruled by managment.

        To the consumer, incompetence by managerial decree is impossible to differentiate from incompetence technical design.

        The product's security is shit. Why it's shit is irrelevant.

        So, sure, blame whoever you want. The key thing is here that as many people as possible should be told the product is so terribly insecure as to defeat its entire purpose.

        Unless, of course, actual sec

        • The purpose of the system is to keep you from being robbed. Until burglars learn that a sticker like "security by X" is a joke, they'll move on to a house with no sticker. So there's probably still some value for now.

          • by SQLGuru ( 980662 )

            Just buy the sign. It's probably MORE secure because regular burglars will by-pass because you have a system.....and hackers will spend half a day trying to hack into a non-existent alarm system.....hopefully enough time for someone to come home and notice them so they get scared off.

          • "The purpose of the system is to keep you from being robbed."

            Wrong. The purpose of he system is to make money.

            "Until burglars learn that a sticker like "security by X" is a joke, they'll move on to a house with no sticker. So there's probably still some value for now."

            Oh, you meant the purpose... of the customer. Well, a friend of mine did exactly that: he put a sticker of a reputed security company on his door and done with it. Same security level at a lower cost.

      • "So, we've got an IoT module, so let's plug it into a home security system and see if we can sell it."

    • IoT is new and comes along at a time when the technology it sits on top of is also relatively new.

      We do not yet know how to make truly secure systems. Even really smart people have trouble with this because there just aren't enough examples yet of systems "done right".

      • Security is new? These security devices fail because they make unacceptable tradeoffs generally from rolling their own implementation. There is a reason for standards. In the move from NO/NC devices these guys are trying to get device lock in. Reality is a pir motion sensor is a few bucks but they realy want to sell one for 50. If they conform to a legit standard like zwave they would have to work with other bits of kit and thus compeat. Zigbee is a cluster because it does not define a high level and

        • Zigbee is a mess at the low level too. Industry consortiums can create standards without ever having experts involved.

        • For physical security including access and lockout, having *any* wireless sensor is downright stupid, nevermind if it is zwave, zigbee or $FOO-FROM-2025. Wireless listeners can be DOSed very easily, very cheaply and very reliably.

          Dumb NO/NC wired listeners are incredibly hard to DOS and require actual breaking and entering to achieve. And when you do, you only manage to kill a single sensor at a time. When you flood the airwaves with junk signal of the correct wavelength, you effectively shutdown the liste

          • In general at the home level security is for the discount on your homeowners policy, unless the insurance companies stop giving that for wireless installs not much will change. Reality is the quick smash and grab will be in and out before anybody shows up response times in the 5+ minutes give a lot of leeway.

            Hate to break it to you but wired alarms are easily defeated with stock cellphone jammers and some wire cutters, no internet/landline and no cell phone means no way to alert anybody outside a local sir

      • ...We do not yet know how to make truly secure systems...

        While that could be debated from now until doomsday, I'll take a different approach...

        .
        We do know how to create systems that are very significantly more secure than the insecure garbage that is currently being sold.

        The fact that many (most?) IoT companies don't even meet a minimum level of security is bordering on criminality, imo.

        • This is a massive part of it. It's easy, even trivial, to develop a system more secure than this. You can just use HTTPS and any API. Even if you completely forget certificate pinning etc. it is still more secure than this.
      • "We do not yet know how to make truly secure systems"

        Just how many banks do you think there are in the world? You seem to think there are few or none. There are many, many truly secure systems. There are also many more hacks who don't understand security, but want to get in on the IoT wave early in the game; competence be damned.

    • by RobinH ( 124750 )
      At a previous company we were making kiosks for securing some rather high value items. The storage lockers and the kiosk used an off-the-shelf Bluetooth board to communicate. My boss defined the communication spec, and part of it was that the kiosk had to use a hard coded password to the lockers in order to "authenticate." I had several arguments with him about how this wasn't really secure, and I proposed other ways to do it. Eventually he got annoyed (nobody likes being told they might be wrong). He
      • If you are willing to share privately, please contact me via the contact form on the website cybergibbons.com What you are describing sounds right up my street.
    • New technology market deployments go in stages, including the following:
      1) The underlying technology becomes available and financially viable. The window opens.
      2) An explosion of companies introduce competing products and try to capture market share. They are in a race to jump through the window.
      3) There is a shakeout: A handful become the dominant producers and the rest die off or move on to other things. The window has closed.

      We've seen this over and over. (Two examples from a

      • Give it some time and you'll see better security - either from improvements among the early movers or new entrants who took the time to do it right and managed to survive long enough to get to market.

        ...or there will be some public exploit that makes the news and suddenly makes it a priority over some really cool demo-able feature that has to be added before the next trade show.

    • by Anonymous Coward

      I worked for this sort of small company. Three tech staff, two bosses - one highly "agile" (read: massively over-caffeinated), one indifferent. Bosses negotiate contracts from wherever the hell they can, all manner of areas, so long as they think they can make money. The first you hear about the new product is when they send you an email saying "do this by *insert ridiculously short deadline*" and you have entirely too little time to research, learn, price and implement something you are entirely unfamil

    • You confuse "developers" with "management" and "architects". The developers almost never have any control over the product except to implement it as directed from above. If the management never hired security experts then there won't be any security of note. If the architects never considered security then it won't exist. Many of these companies probably just had someone at the board meetings wave their hands saying "yes, yes, our developers will add security, now let's not worry about such details and

  • by gstoddart ( 321705 ) on Monday November 30, 2015 @01:43PM (#51028423) Homepage

    today we hear about an IoT smart home alarm system that works over IP. Made by RSI Videofied, the W Panel features no encryption, no integrity protection, no sequence numbers for packets, and a predictable authentication system. Security researchers who investigated the devices say, "The RSI Videofied system has a level of security that is worthless.

    So, the makers of the "W Panel" are lazy, incompetent people who have no business making a security system? Or they're greedy, cheap people who have no business making a security system?

    Blah blah blah Insecurity of Things written by people who are either incompetent or indifferent to security, yet another product which is more marketing than substance, and yet another product which sounds like it's utterly useless.

    Tell you what, can we assume all IoT shit is broken, defective, and insecure ... and then only have the stories when someone builds one which isn't?

    Yet another product created purely by the marketing and sales people, and stunningly incompetently done at the tech level.

    They make know something about video. But apparently they don't know a damned thing about security. This is worse than vaporware ... this is a product which is so utterly unfit for the purposes it's being sold for as to be dangerous.

    • All of the Sturm und Drang aside, these sorts of devices are probably OK for much of their intended use - getting some pics of the the teenage lowlife that trashes your apartment looking for something to fence. These people are not even going to unplug the phone or power. They're going to grab and run.

      No, it won't protect your million dollar stamp collection from the Ukrainian mafia boss who has been salivating about some particular bit of old paper. It's not designed for that. Of course, adding some r

      • No, I'll make this explicit: this is a web-cam, pretending it's a security/alarm system.

        Buy a nanny cam. Buy a better door lock. Buy a dog.

        This is about the same level of protection that a typical alarm company offers you.

        I very much doubt a typical alarm company is providing you with something which is broken on the level of this thing

        The entire authentication process is decoupled from the actual device, and attackers can easily spoof device IDs and gain access and control over someone else's alarm syst

        • The system is actually quite different to a web-cam. It's been built from the ground-up to provide very small clips when a PIR has been detected. It's not really any more broken than anything else on the market. A week prior, I published issues in a much more critical alarm system: http://cybergibbons.com/securi... [cybergibbons.com]
    • IoT is a party. It makes DEFCON so much more interesting. I love it.
      • by KGIII ( 973947 )

        I've not been to DEFCON in a while, three years ago actually, is "Spot the Fed" still a thing? One year a few of us made an effort to get 'em all in photos without being noticed and we'd compare and contrast and had special names for 'em. I don't remember the points value we had but we'd made a bit of a drunk-game out of it.

        • is "Spot the Fed" still a thing?

          I didn't see it there. Attendance has grown so dramatically that I think it would be easy for a fed to blend in now.

  • by AndyKron ( 937105 ) on Monday November 30, 2015 @01:49PM (#51028463)
    If I want IoT I'll make it myself. It will be safe because only I will know I have it, and how it works.
    • About 5 years ago I built a little relay box to control household outlets (inspired by http://www.tldp.org/HOWTO/Coff... [tldp.org] ). So I can control my lights/stereo amplifier/etc. with a dinky web interface or via SMS (through Google Voice emails). Security is dubious (to say the least!), and yet somehow, I haven't been the victim of an attack, "friends" aside ;)

      Also, the HDMI CEC on the Raspberry Pi allows me to control basic features of my A/V system remotely (my TV and receiver are not internet-enabled). Rea
  • CERT has published the researchers' security disclosure. In case someone wants to read it. http://www.kb.cert.org/vuls/id... [cert.org]
  • It's usually* not [BUZZWORDOFTHEDAY]'s fault, it's usually the fault of incompetent, cheap, or lazy people.

    The same thing can happen with yesterday's [BUZZWORDOFTHEDAY] and the same thing will probably happen with tomorrow's [BUZZWORDOFTHEDAY]. Sigh.

    ----
    *Sometimes it is the fault of [BUZZWORDOFTHEDAY]. In that case, it might actually be "news for nerds," assuming [BUZZWORDOFTHEDAY] is a tech-related buzzword.

  • by geekmux ( 1040042 ) on Monday November 30, 2015 @01:58PM (#51028525)

    This just goes to show you that even with a security-centric product like an alarm system, even basic security features cannot seem to be prioritized over cost or first to market.

    Expect thousands more shitty products that lack even the most basic security to hit the IoT market before consumers pull their head out of their a...ah, what the hell am I thinking? Consumers have never given a shit about security or privacy.

    It's the very reason shitty IoT is thriving.

    • This just goes to show you that even with a security-centric product like an alarm system, even basic security features cannot seem to be prioritized over cost or first to market.

      You know, looking at their company history [videofied.com], I'd say they're a video-centric product, which some ass in marketing decided to start selling as a security-centric product.

      "The RSI Videofied system has a level of security that is worthless," concluded the Cybergibbons team. "It looks like they tried something and used a common algorith

    • ...before consumers pull their head out of their a...ah, what the hell am I thinking? Consumers have never given a shit about security or privacy.

      Exactly. Just look at how popular Facebook is.

    • by nnull ( 1148259 )
      Consumers? I see all these devices now in the industrial and professional world. I had a company call me about their lines shutting down randomly. Guess what I discovered? Someone was logging into these machines remotely from another plant and sabotaging the lines just so the plant they were working at would look better in efficiency. They weren't logging into the machine directly, but they were logging into a random display device to access the machine. And then you have all these wonderful vulnerable PLC'
  • I'm quite tired of the hi-tech this-security-is-hackable discussion. Of course it's hackable. Everything is. That this product doesn't require ethan hunt just makes it worthless for bank vaults.

    I highly doubt that this product is being sold as a replacement for secure systems. It's being sold as a supplement to, wait for it, a lock and key.

    It's better than the fake camera with the blinky light.

    This isn't slashdot-worthy news. There are lesser products out there. That's never news.

    • I'm quite tired of the hi-tech this-security-is-hackable discussion. Of course it's hackable. Everything is.

      If you think so and can prove it, then you can earn $1000 and eternal fame by hacking DJB's qmail. Over 15 years and still hasn't been hacked.

      That this product doesn't require ethan hunt just makes it worthless for bank vaults.

      Even then, there are different levels of "hackable." Some things (like uefi) take six months of work to hack, but that's not what we're talking about here. Some of these IoT devices literally are running their own wifi server, with an open telnet port. When I say open, I mean it doesn't even have a password. This is how much these companies care about security.

      We'r

      • I'm quite tired of the hi-tech this-security-is-hackable discussion. Of course it's hackable. Everything is.

        If you think so and can prove it, then you can earn $1000 and eternal fame by hacking DJB's qmail. Over 15 years and still hasn't been hacked.

        Actually, it has been hacked, and it's relatively easy to do.

        Functional decomposition is a really poor way of abstracting complexity, when it's being used in isolation, and does not include mandatory boundary layer order and direction of operations over said boundary.

        I really don't need to spend $1,000 worth of my time to argue with DJB, when he'll happily argue with anyone for free.

        • Actually, it has been hacked, and it's relatively easy to do.

          [citation needed]

          • Actually, it has been hacked, and it's relatively easy to do.

            [citation needed]

            http://marc.info/?l=qmail&m=14... [marc.info]

            • Meh, qmail could probably do better in its handling of .forward, but if you upgrade your bash then it's not a problem anymore. the worst you can say is that qmail relies too much on things in the unix environment when it shouldn't. Which is a problem, but only because other things are not secure.
            • btw, I'm pretty sure you have an interesting point here when you said this:

              Functional decomposition is a really poor way of abstracting complexity, when it's being used in isolation, and does not include mandatory boundary layer order and direction of operations over said boundary.

              but I'm not entirely sure what you meant. Could you clarify? What other option is there besides functional decomposition?

              • btw, I'm pretty sure you have an interesting point here when you said this:

                Functional decomposition is a really poor way of abstracting complexity, when it's being used in isolation, and does not include mandatory boundary layer order and direction of operations over said boundary.

                but I'm not entirely sure what you meant. Could you clarify? What other option is there besides functional decomposition?

                DJB's philosophy is to minimize individual attack surfaces by reducing code complexity. This has three components, of which DJB himself is a proponent of two of them. I'm not sure whether this is because he doesn't realize that it's a consequence of his implementation paradigm, or whether he simply thinks it's too obvious to talk about. These are the components:

                (1) Reduce complexity by separating the problem domains into individual processes. This separates necessary privilege escalations from other cod

                • I'm not going to write an entire paper here on Slashdot.

                  You already kind of did lol. This is good stuff though. I have some follow-up questions if you don't mind:

                  1) How are you aware of (and able to control) lower-level things like the page size, or which functions go into which groups of pages?
                  2) Why is it called "container-in-a-mailbox?"
                  3) you wrote, "Most modern (predominantly research) security architectures" who is doing this research, and where can I find it?

                  As part of this, you define an interface contract: you are permitted to call down to the interfaces below yourself, and you are permitted to call across, within the same layer to auxiliary functions, but under no circumstances are you permitted to call upward.

                  That would ruin (or improve) a lot of modern OO techniques.

                  The reason I like DJB's work is

                  • I'm not going to write an entire paper here on Slashdot.

                    You already kind of did lol. This is good stuff though. I have some follow-up questions if you don't mind:

                    1) How are you aware of (and able to control) lower-level things like the page size, or which functions go into which groups of pages?

                    In a general, hand-wavy fashion, things like page size are an attribute of the compilation environment, and do not vary.

                    In practice, there are some older MIPS systems and the original NeXTStep which would "gang" 4K pages into 8K pages, and of course there's the Intel variety of superpages, depending on operating mode and contents of CR4, and the PSE bit being set, with or without the PAE bit being set, to give you either 4M or 2M pages. There are also some other architectures that allow even weirder varian

                    • This wouldn't entirely preclude layering violations, but it would certainly make them more difficult. That would improve security, but whether it improved the techniques?

                      Here I was referring to the fact that dependency injection and callbacks and closures often make code hard to read. Java code with threads and closures with mutable variables can be inscrutable sometimes....increasing the amount of time it takes to add features (or find bugs) by an order of magnitude or two. (Of course you can use dependency injection and callbacks and still have readable code, but a lot of times that doesn't happen).

                      3) you wrote, "Most modern (predominantly research) security architectures" who is doing this research, and where can I find it?

                      Wow. Pretty much everyone in OS software who cares?

                      IBM and Microsoft are players, OpenBSD is, for some types of things. Apple is; Linux people (though I think it was a DARPA project run by IBM?) were the first to implement ASLR; I think Apple was the first to ASLR absolutely everything? And to do page level executable signature verification in the paging path? Though I think they mostly did it for DRM reasons, rather than to be helpful to users. I think compiler stack probes came from the LLVM folks?

                      I know about ASLR and page level executable signature verification lol (an

          • Here's your citation [ycombinator.com]
            • That's a cool one, but it's in djbdns, not in qmail, which is what I was asking about.

              (Also, the world would be a better place if Microsoft and other large companies apologized every time they released software with a security flaw)
    • Your average (or even top of the class) housebreaker is not a criminal mastermind. They do not keep up to date on security vulnerabilities and won't spend much time trying to spoof, or tap into an internet-based alarm system. they will smash your front door or window, grab what they can and be gone before the cops arrive.

      If you want to protect against them, get a metal door or a large dog (always the best deterrent). If you want a home security system and you think that your attacker will have disabled it

    • This product is being sold as a replacement for secure products. The company very much pitch themselves as secure from advanced attackers. They've even boasted how their wireless side is secure: https://www.videofied.com/_ass... [videofied.com]
  • A company called DOJO labs sells what looks to me to be a pretty good one.

    Because it's third party, you know they can't put any special back doors allowing their company access to your equiptment.

    http://techcrunch.com/2015/11/... [techcrunch.com]

  • by Lumpy ( 12016 ) on Monday November 30, 2015 @02:27PM (#51028761) Homepage

    Then you are a moron. Relying on the cloud for anything important and time sensitive is 100% foolish and borderline stupid.

    It's great for toys like Smartthings and Hue lights. but only a complete moron will rely on their internet and the cloud service for something like an alarm system.

    • Dumb ideas that are cheap persist. That is, until there's a watershed event that puts all the stupid into sharp relief. We haven't had such an incident for IoT; give it time.

      Thanks to movies and TV, people think that encryption is something you "bypass" by letting somebody who looks nerdly typing furiously in front of 3 or 4 screens in an office with lots of glass and neon lights. When it's exploited by thugs who downloaded an exploit and stole their stuff by using their security system to verify that they

    • Way to speak authoritatively on a subject you have no actual clue about!
  • I'm thinking of investing in devices that connect via Apple's Homekit system. I read that a strength of these is that the protocol puts a good layer of security on all the communications. Any opinions / thoughts on this?

  • Comment removed based on user account deletion
  • Enough with the IoT of hype ..
  • Do I assume they have the same weak security problems too?

  • I have some level of expertise in this field. I've been involved with numerous start-ups and IPO's. I can assure you that this is completely and 100% all due to incompetent management. Without any question or doubt.

  • EnduranceRobots.com is looking for enthusiasts and hobbiests in robotics and laser industry. We are looking for tech smart people who would like to help us to improve our products and positioning on the markets. We are still very early startup and can not pay big salaries but we can pay some. Please have a look our web site: endurancerobots.com youtube channels: http://www.youtube.com/channel... [youtube.com] http://www.youtube.com/channel... [youtube.com] and our facebook: https://www.facebook.com/Endur... [facebook.com] We are very open to all

Avoid strange women and temporary variables.

Working...