> What does this mean for iSmartAlarm? Not much probably. People will continue to purchase "Smart" devices as long as it is popular and trendy.
An interesting read but isn't it kind of missing the point? Most people running a home grown security system via one of the main IoT hubs just want basic security against your average smash and grab criminal. They aren't doing it because it's "popular and trendy" - it's a relatively easy way to monitor your home without the cost of traditional home security systems.
To be clear (i.e. avoid the usual negativity of IoT thread on HN - "No one should use IoT because it's so insecure!" etc), personally I think this type of breakdown is something that should be encouraged - hopefully it'll push device manufacturers towards making more secure products. iSmartAlarm is being sold specifically as a security system so they should be open to criticism if they aren't any more secure than a basic IoT hub with a few sensors...
It would also be interesting to see similar analysis against COTS/commercial grade security systems.
Yes and even beyond smash and grab, the more serious crim would still need prior knowledge of the target system in order to know whether to "bring their RF jammer" and so on.
It's good to expose the flaws, but criminals don't know whether the relay switch on the window frame is hard-wired or not, or whether a camera is hidden which records to its memory card and not even part of the IoT. The array of cheap devices we have available to protect, deter and monitor our homes is awesome.
This is the best point. Police officers I have talked to advised against using the "Protected by ____" signs and use a generic "Alarm system installed" sign so criminals wouldn't have an idea what you are using. The best criminals can get into anything, and if you tell them what system they're using it's just going to make it easier for them. You can have one of these "cheap" systems but it may take the criminal just as long to figure out how to break into your house "safely" if they don't have that knowledge before.
> just want basic security against your average smash and grab criminals
I think the concern here is stated in the article;
"I'm attacking a established radio network protocol developed by TI that is used in hundreds, if not thousands of other products that could have also made the same fatal implementation mistakes."
The problem is this device protects against smash and grab criminals, but it literally opens the door and reduces the barrier of entry for more sophisticated, remote attackers. Adding this type of vulnerability to Shodan would mean these devices can be identified, attacked and remotely controlled by any remote attacker, giving them information about the target they never had originally.
I don't think it's too far fetched to imagine an "AirTasker" criminal network, where a remote (sophisticated) attacker links up with a "smash and grab" criminal for hands-and-feet on the ground, agrees to split proceeds and work as a team on something like this.
Personally, I find this very disturbing. A security device manufacturer should take their security, and the responsible disclosure of vulnerabilities, far more seriously than they appear to be to-date.
You know, as you described this scenario, I'm now seeing all those tv shows and movies suddenly seem more possible. I'm talking about the scene where the one guy is sneaking around and talking to their remote hacker friend who is at their computer disabling cameras, silencing alarms, and unlocking doors.
The "smash and grab" criminal would have some pre-built arduino/raspberry pi/sdr combo that has to be within radio proximity of the building, but once in signal range, the remote person can work their magic.
And why would someone with this skill set risk prison time over something like burglary? You could make a lot more money with a lot less risk doing any number of legitimate or illegitimate activities.
A person with this skill set would not be the same one who does the burglary. More likely, burglars would just license the software / hardware for disabling alarms, in a similar way to how car thieves probably do this now. I doubt car thieves are security experts, but they somehow know where to plug their computer into the CAN network and how to run an exploit to reprogram the ECU and disable any security.
The OBD-II port under the dashboard on the left side of the driver's footwell. It's federally mandated to be in that exact position and on almost all cars it shares the same CAN bus as everything else in the vehicle.
Because it is easy. With those skills you also know how to hide your origin, and collaborating with a burglar to identify and disable systems. I can see talented people choosing the easy job over hard but legitimate work.
Maybe they live in an unfair country and, while they could gain success with a legitimate job, they wouldn't be sticking it to their class enemies in the same way. There are lots of potential motivations.
It's not even that sophisticated. I mean, it's trivial to do with gnuradio, so I expect prepackaged solutions to pop up soon. This happened in the past with simple remote car keys.
This is happening currently as well, even with very sophisticated remote car keys in cars from 2016-2017. Most modern systems have exploitable vulnerabilities and thieves are probably the first to learn them.
I'm admittedly not a security engineer, but I did have a blast reading Ross Anderson's Security Engineering.
The chapter on physical security and alarm systems is riveting.
Physical security systems are best thought about holistically (barriers, locks, surveillance, alarms, response force, their interactions, etc.) and in terms of what they are protecting from whom.
In terms of his threat model, an alarm like this would protect against Derek and Charlie, and maybe make Bruno do some work, and stand no chance against Abdurrahman's PhDs. That's okay. Most targets interesting to Derek and Charlie aren't interesting to Bruno, so there is no need to engineer for him.
For targets that are interesting, the military and the insurance industry have some very sophisticated work on specifying and certifying the protection systems for high-value objects such as priceless art and plutonium. They won't buy iSmartAlarm, and that's okay.
>IMO, cameras don't get you much beyond giving you some after-the-fact information. And smart-locks don't get you much of anything.
Easy insurance claim when I'm out of the house and an audible alarm when I'm home. That's all I want really. Things can be replaced, and for the most part, by someone else if I can prove it. If your alarm goes off and you yell 'get the fuck out of my house', they probably will.
If they don't, at least you aren't surprised or unaware when they get to you.
Many of the points in this article are only relevant to solutions that network wirelessly, with poorly implemented custom RF solutions at that. WPA2-supporting devices are very secure against many of these attacks, except for RF jamming. Is WPA2 more expensive for the device to implement? Yes, but this is the kind of performance trade-off you have to make if you want security.
If you're serious about home security, then you may want to hardwire your devices and VLAN isolate your security/control network to give some semblance of closed-circuitness. I will always hardwire when possible and concentrate on physical attack vectors.
When you're going up against someone who knows how to use a spectrum analyzer and jammer, then you might have bigger problems.
I don't disagree with your main parts, but this wasn't a "poorly implemented custom RF solution." This was a lightweight wireless protocol and system from TI, exactly designed for building relatively simple and cheap RF products.
In the same way that web developers grab Bootstrap and get a beautiful-enough site working out of the box, this company found a Bootstrap-for-wireless-communications framework and chip from TI.
What they didn't do is customize it for their needs (security-hardening) nor use any non-default configuration.
Point is, using a pre-built building-block component to speed up your go-to-market isn't inherently bad. In fact, you might even argue that an alarm company who rolled their own fly-by-night wireless protocol would raise more eyebrows.
Good point. I wish we knew how to convince vendors to use secure defaults and actually care about their users' security. Public shaming seems to be one way that's working, so thanks for the post! :)
RF jamming can be detected with a heartbeat protocol (no heartbeat -> alarm). The biggest downside of WPA2/wifi is its energy consumption compared to "lightweight custom RF protocols", making it impractical for battery powered devices.
(Btw, I'm building DIY home automation around esp8266-based iTead Sonoff sensors.)
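The supervision scheme the comment above describes (no heartbeat -> alarm), as an added example that is not code from the post, from iSmartAlarm or from TI. It assumes paired sensors transmit a heartbeat at a fixed interval and that the hub runs a timer; the sensor names, interval and the jammed-window timeline are constructed for the demo. It tolerates a couple of lost frames (RF collisions are normal), treats only sustained silence as loss, raises an alarm only while armed (a "trouble" condition otherwise), and refuses to let an unpaired transmitter reset any timer.

```python
import dataclasses


@dataclasses.dataclass
class SupervisionMonitor:
    """Hub-side supervision of sensors that send periodic heartbeats.

    Added example, not code from the original post or from any vendor.
    A sensor whose heartbeats stop while the system is armed is reported as
    a supervision alarm (jamming, a dead battery or a removed device all look
    the same from the hub's side); when disarmed it is only a 'trouble'
    condition for the owner to look at.
    """
    interval: float                 # expected seconds between heartbeats
    missed_allowed: int = 2         # consecutive frames we tolerate losing
    armed: bool = True
    _last_seen: dict = dataclasses.field(default_factory=dict)
    _lost: set = dataclasses.field(default_factory=set)
    events: list = dataclasses.field(default_factory=list)

    @property
    def deadline(self) -> float:
        # RF collisions lose the odd frame; only sustained silence counts.
        return self.interval * (self.missed_allowed + 1)

    def enrol(self, sensor: str, now: float) -> None:
        """Register a paired sensor; supervision starts from `now`."""
        self._last_seen[sensor] = now

    def heartbeat(self, sensor: str, now: float) -> None:
        if sensor not in self._last_seen:
            # Unpaired transmitter: log it, never let it reset a timer.
            self.events.append((now, sensor, "ignored_unknown"))
            return
        self._last_seen[sensor] = now
        if sensor in self._lost:
            self._lost.discard(sensor)
            self.events.append((now, sensor, "restored"))

    def tick(self, now: float) -> list:
        """Run from the hub's timer; returns the events raised this tick."""
        raised = []
        for sensor, seen in self._last_seen.items():
            if sensor in self._lost or now - seen <= self.deadline:
                continue
            self._lost.add(sensor)
            kind = "supervision_alarm" if self.armed else "supervision_trouble"
            raised.append((now, sensor, kind))
        self.events.extend(raised)
        return raised


def simulate() -> list:
    """Constructed timeline: 'window' is jammed (silent) from t=600 to t=1200."""
    mon = SupervisionMonitor(interval=60.0, missed_allowed=2, armed=True)
    for sensor in ("door", "window"):
        mon.enrol(sensor, 0.0)
    for now in range(10, 1501, 10):
        t = float(now)
        if now % 60 == 0:
            mon.heartbeat("door", t)
            if not 600 < now < 1200:        # window frames are being jammed
                mon.heartbeat("window", t)
        if now == 300:
            mon.heartbeat("rogue", t)       # an unpaired transmitter
        mon.tick(t)
    return mon.events


if __name__ == "__main__":
    for event in simulate():
        print(event)
```

With a 60 s interval and two misses tolerated, the window sensor is declared lost at the first tick after 180 s of silence and restored when its frames come back; the door sensor, still heard, never trips. The trade-off is visible in `missed_allowed`: a larger value means fewer false alarms from collisions but a longer window in which a jammer can hold a sensor silent undetected.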
Working in the space (Disclaimer: I work for Honeywell) I can tell you this is one of the things that is really hard to communicate to customers in terms of IoT:
You get what you pay for in some respects.
Some of these products are more expensive than their counterparts because of the amount of time and effort put into security and overall design of the product.
But if I see a deal online for $200 home security DIY and my closest pro install costs $X over Y years, the actual technical security of the product doesn't come first in a consumer's mind. I know until I worked in the space, I can't say I thought of it either.
Is that the case? It was my impression that the lack of security is pretty much ubiquitous in the IoT space and expensive brands basically do all the same crap. Is there any vendor that stands out, e.g. by saying "we'll do security reviews and guarantee updates when vulnerabilities show up for at least X years"?
One example I like to use (personally, not as Honeywell) is Blackhat/Defcon from a year ago (I forget which).
They showed a ransomware takeover of a thermostat. Everyone started freaking out. Here is what they didn't say though:
- You needed physical access
- Thermostats are replaceable (as in put a new one on the wall)
- It was not a major brand to my knowledge.
Something you have to think about is path of least resistance.
<moan>
I'm on 4.3.0 of the Total Connect Comfort Intl app on Android. You should really stop it jumping to focus (when I'm in another app) and telling me it's lost network connection every time I jump from wi-fi to 4g and back.</moan>
You should have a nice open road map and feature request site for the app.
An open documented rest API would be great. Android app Intents would be handy.
Your support guys are exceptionally good at communication and have great patience. Especially Adrian G!
Our security systems having an Open API is half a technical problem and half a legal/PR one, as you can imagine. That being said.. there are some scraped projects out there.
Oh, and I believe I saw a really slick looking HTML5 version of Total Connect. I can ask.
When I bought my current house it had a hardwired Vista system (ADT branded) but the main board seems to be burned out. I thought it might be the capacitors on the power supply, but after removing them it seems they check out on the meter. It's the 2008 firmware and ADT wants a fortune. Am I better off wiring up a Raspberry Pi to the wired sensors and getting started with my own software defined system or buying a new Vista Ademco board on ebay? If I get the system working again, I have options for more affordable monitoring. The idea of self monitoring via email alerts from the Raspberry Pi is appealing.
It is my understanding that they behave like a simple switch so perfect for easy use with the GPIO pins. There are a few wireless sensors (window and sliding glass door) and I don't know how they will behave. There is a board that was connected to the burned out main board with the antenna for it. There are 3 keypads and it is unknown what it would take to communicate with them. If I go the Pi route, I can just make an SSL encrypted page for my wife and me to access via our smartphones.
I used to work on a product that was integrating with Honeywell security grade 2-3 panels. These are panels that are used for businesses and airports (grade 4 is the highest). Those panels were using an encoding scheme (s-box at best) to relay data on the peripherals (rs485, rs232) and over the phone line, and if you had a network card (fancy) the same was going on over the network. The user had the option to enable "encryption" from the panel, but his installer could dial in over the phone line, supply a 4-digit PIN and disable encryption!!!
Bad crypto key handling, again. The big problem here is the lack of a secure way to introduce all the devices to each other. You can't securely do this over wireless alone. But you should at least have a system which doesn't allow adding or deleting devices from the network while armed.
If you want to incorporate physical security, you need the devices to be physically linked to be paired. I suppose you could use a custom made USB device to simply transfer the keys from the devices to the hub.
That would work. It can be a problem if you have to re-key and the device is in a hard to reach location, such as a building-mounted camera.
The problem with many of these devices is that they're all too willing to talk to things that don't have their key. That makes them vulnerable to attacks.
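The three points made in the comments above (no adding or removing devices while armed, keys introduced by a physical/out-of-band step rather than negotiated over the air, and never talking to a device that does not hold the key), as an added example that is not code from the post, from iSmartAlarm or from TI. It assumes a hub with an owner-triggered pairing mode (a button on the hub is the assumed trigger), an installer who transfers the per-sensor key out of band, and a constructed frame layout: device id (8 bytes), a monotonic counter (4 bytes), an event byte, and a 128-bit truncated HMAC-SHA256 tag. Only authentication and replay protection are shown; a real radio link would also encrypt the payload. Device ids and keys are constructed fixed values for the demo.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                # 128-bit truncated HMAC-SHA256 tag
EVENT_CLOSE, EVENT_OPEN = 0, 1

# Constructed identifiers and keys for the demo (not real devices).
DOOR = b"DOOR0001"
DOOR_KEY = bytes(range(16))
ROGUE = b"ROGUE001"


def build_frame(device_id: bytes, key: bytes, counter: int, event: int) -> bytes:
    """Sensor side: device_id(8) | counter(4, big-endian) | event(1) | tag(16)."""
    if len(device_id) != 8:
        raise ValueError("device id must be 8 bytes")
    body = device_id + struct.pack(">IB", counter, event)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Hub:
    """Hub-side device registry. Added example, not any vendor's code."""

    def __init__(self) -> None:
        self.armed = False
        self.pairing_mode = False
        self.keys = {}          # device_id -> key, introduced out of band
        self.counters = {}      # device_id -> last accepted counter
        self.alarms = []

    def arm(self) -> None:
        self.pairing_mode = False   # arming always ends pairing mode
        self.armed = True

    def disarm(self) -> None:
        self.armed = False

    def enter_pairing_mode(self) -> bool:
        """Only the owner, on a disarmed hub, can open the enrolment window."""
        if self.armed:
            return False
        self.pairing_mode = True
        return True

    def pair(self, device_id: bytes, key: bytes) -> bool:
        if self.armed or not self.pairing_mode or len(key) < 16:
            return False
        self.keys[device_id] = key
        self.counters[device_id] = 0
        return True

    def unpair(self, device_id: bytes) -> bool:
        if self.armed or device_id not in self.keys:
            return False
        del self.keys[device_id]
        del self.counters[device_id]
        return True

    def receive(self, frame: bytes) -> str:
        """Validate a sensor frame; unknown, forged or replayed frames are dropped."""
        if len(frame) != 8 + 5 + TAG_LEN:
            return "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id = body[:8]
        key = self.keys.get(device_id)
        if key is None:
            return "unknown device"     # never answer an unpaired transmitter
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad mac"            # checked before the counter is touched
        counter, event = struct.unpack(">IB", body[8:])
        if counter <= self.counters[device_id]:
            return "replay"             # old or repeated frame
        self.counters[device_id] = counter
        if event == EVENT_OPEN and self.armed:
            self.alarms.append(device_id)
        return "accepted"


def scenario() -> dict:
    """Constructed walk-through of the pairing and frame-handling rules."""
    hub, out = Hub(), {}
    out["pair_without_mode"] = hub.pair(DOOR, DOOR_KEY)
    hub.enter_pairing_mode()
    out["pair_in_mode"] = hub.pair(DOOR, DOOR_KEY)
    hub.arm()
    out["pair_while_armed"] = hub.pair(ROGUE, bytes(16))
    out["unpair_while_armed"] = hub.unpair(DOOR)
    genuine = build_frame(DOOR, DOOR_KEY, 1, EVENT_OPEN)
    out["genuine"] = hub.receive(genuine)
    out["replay"] = hub.receive(genuine)
    out["forged"] = hub.receive(build_frame(DOOR, bytes(16), 2, EVENT_OPEN))
    out["unknown"] = hub.receive(build_frame(ROGUE, DOOR_KEY, 1, EVENT_OPEN))
    out["alarms"] = len(hub.alarms)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The order of checks in `receive` matters: the tag is verified before the counter is read, so a forged frame can never advance a device's counter and lock out the genuine sensor. The counter check is what stops a captured "door closed" frame from being replayed later to mask an opening, which an authentication tag alone would not prevent.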
>Saleae returned a result of 58173 baud for the UART port, which is very close to the common rate of 57600 baud which I will use when hooking up a UART to USB converter.
I've used Saleae autobaud before and it really likes to end up a few percent off from the actual bitrate. I'm guessing it actually was 56700, but there was enough slack that it worked anyway.
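Why a measurement that is roughly 1% off still works, as an added example (not code from the article or from Saleae): snap the measured rate to the nearest standard baud and check how far the receiver's sampling point drifts across one frame. A UART resynchronises on every start bit, so the error only accumulates over the 10-bit frame (start + 8 data + stop); the standard-rate table, frame length and the quarter-bit safety margin are assumptions chosen for the demo.

```python
STANDARD_BAUDS = (1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 230400)


def nearest_standard_baud(measured: float, frame_bits: int = 10,
                          margin_bits: float = 0.25) -> dict:
    """Snap an autobaud measurement to a standard rate and check the slack.

    Added example, not from the original article. The receiver samples each
    bit at its centre, so by the middle of the last bit of a frame the
    sampling point has drifted by (frame_bits - 0.5) * |error| bit periods.
    That drift must stay well inside the half-bit window; `margin_bits` is
    the drift we accept (0.25 of a bit, i.e. about 2.6% total rate mismatch
    between the two ends).
    """
    std = min(STANDARD_BAUDS, key=lambda b: abs(b - measured))
    error = (measured - std) / std
    drift = abs(error) * (frame_bits - 0.5)
    return {
        "baud": std,
        "error_pct": round(error * 100, 2),
        "drift_bits": round(drift, 3),
        "safe": drift < margin_bits,
    }


if __name__ == "__main__":
    # 58173 is the figure quoted from the article; 61000 is a constructed
    # bad measurement to show the check failing.
    for measured in (58173, 61000):
        print(measured, nearest_standard_baud(measured))
```

For the article's 58173 baud reading the nearest standard rate is 57600, the error is just under 1%, and the sampling point drifts under a tenth of a bit by the end of the frame, so the link is comfortably within tolerance even before allowing for the analyser's own measurement slack.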
A tangent, but did "DIY" change its meaning recently? How is off-the-shelf IoT crap a DIY solution? That's just a shitty product, not something one does themselves.
Beyond that, a great article. Highlights well the complexities of securing wireless devices.