> What does this mean for iSmartAlarm? Not much probably. People will continue to purchase "Smart" devices as long as it is popular and trendy.
An interesting read but isn't it kind of missing the point? Most people running a home grown security system via one of the main IoT hubs just want basic security against your average smash and grab criminal. They aren't doing it because it's "popular and trendy" - it's a relatively easy way to monitor your home without the cost of traditional home security systems.
To be clear (i.e. avoid the usual negativity of IoT thread on HN - "No one should use IoT because it's so insecure!" etc), personally I think this type of breakdown is something that should be encouraged - hopefully it'll push device manufacturers towards making more secure products. iSmartAlarm is being sold specifically as a security system so they should be open to criticism if they aren't any more secure than a basic IoT hub with a few sensors...
It would also be interesting to see similar analysis against COTS/commercial grade security systems.
Yes and even beyond smash and grab, the more serious crim would still need prior knowledge of the target system in order to know whether to "bring their RF jammer" and so on.
It's good to expose the flaws, but criminals don't know whether the relay switch on the window frame is hard-wired or not, or whether a camera is hidden which records to its memory card and not even part of the IoT. The array of cheap devices we have available to protect, deter and monitor our homes is awesome.
This is the best point. Police officers I have talked to advised against using the "Protected by ____" signs and use a generic "Alarm system installed" sign so criminals wouldn't have an idea what you are using. The best criminals can get into anything, and if you tell them what system they're using it's just going to make it easier for them. You can have one of these "cheap" systems but it may take the criminal just as long to figure out how to break into your house "safely" if they don't have that knowledge before.
> just want basic security against your average smash and grab criminals
I think the concern here is stated in the article;
"I'm attacking a established radio network protocol developed by TI that is used in hundreds, if not thousands of other products that could have also made the same fatal implementation mistakes."
The problem is this device protects against smash and grab criminals, but it literally opens the door and reduces the barrier of entry for more sophisticated, remote attackers. Adding this type of vulnerability to Shodan would mean these devices can be identified, attacked and remotely controlled by any remote attacker, giving them information about the target they never had originally.
I don't think it's too far fetched to imagine an "AirTasker" criminal network, where a remote (sophisticated) attacker links up with a "smash and grab" criminal for hands-and-feet on the ground, agrees to split proceeds and work as a team on something like this.
Personally, I find this very disturbing. A security device manufacturer should take their security, and the responsible disclosure of vulnerabilities, far more seriously than they appear to be to-date.
You know, as you described this scenario, I'm now seeing all those tv shows and movies suddenly seem more possible. I'm talking about the scene where the one guy is sneaking around and talking to their remote hacker friend who is at their computer disabling cameras, silencing alarms, and unlocking doors.
The "smash and grab" criminal would have some pre-built arduino/raspberry pi/sdr combo that has to be within radio proximity of the building, but once in signal range, the remote person can work their magic.
And why would someone with this skill set risk prison time over something like burglary? You could make a lot more money with a lot less risk doing any number of legitimate or illegitimate activities.
A person with this skill set would not be the same who do burglary. More likely, burglars would just license the software / hardware for disabling alarms the similar way how car thieves probably do this now. I doubt car thieves are security experts, but they somehow know where to plug in their comuter into CAN network and how to run an exploit to reprogram the ECU and disable any security.
The OBD-II port under the dashboard on the left side of the driver's footwell. Its federally mandated to be in that exact position and on almost all cars it shares the same CAN bus as everything else in the vehicle.
Because it is easy. With those skills you also know how to hide your origin, and collaborating with a burglar to identify and disable systems. I can see talented people choosing the easy job over hard but legitimate work.
maybe the live in an unfair country and while they could gain success with a legitimate job they wouldn't be sticking it to their class enemies in the same way. There are lots of potential motivations.
It's not even that sophisticated. I mean, it's trivial to do with gnuradio, so I expect prepackaged solutions to pop up soon. This happened in the past with simple remote car keys.
This is happening currently as well, even with very sophisticated remote car keys in cars from 2016-2017. Most modern systems have exploitable vulnerabilities and thieves are probably the first to learn them.
I'm admittedly not a security engineer, but I did have a blast reading Ross Anderson's Security Engineering.
The chapter on physical security and alarm systems is riveting.
Physical security systems are best thought about holistically (barriers, locks, surveillance, alarms, response force, their interactions, etc.) and in terms of what they are protecting from whom.
In terms of his threat model, an alarm like this would protect against Derek and Charlie, and maybe make Bruno do some work, and stand no chance against Abdurrahman's PhDs. That's okay. Most targets interesting to Derek and Charlie aren't interesting to Bruno, so there is no need to engineer for him.
For targets that are interesting, the military and the insurance industry have some very sophisticated work on specifying and certifying the protection systems for high-value objects such as priceless art and plutonium. They won't buy iSmartAlarm, and that's okay.
>IMO, cameras don't get you much beyond giving you some after-the-fact information. And smart-locks don't get you much of anything.
Easy insurance claim when I'm out of the house and an audible alarm when I'm home. That's all I want really. Things can be replaced, and for the most part, by someone else if I can prove it. If your alarm goes off and you yell 'get the fuck out of my house', they probably will.
If they don't, at least you aren't supprised or unaware when they get to you.
An interesting read but isn't it kind of missing the point? Most people running a home grown security system via one of the main IoT hubs just want basic security against your average smash and grab criminal. They aren't doing it because it's "popular and trendy" - it's a relatively easy way to monitor your home without the cost of traditional home security systems.
To be clear (i.e. avoid the usual negativity of IoT thread on HN - "No one should use IoT because it's so insecure!" etc), personally I think this type of breakdown is something that should be encouraged - hopefully it'll push device manufacturers towards making more secure products. iSmartAlarm is being sold specifically as a security system so they should be open to criticism if they aren't any more secure than a basic IoT hub with a few sensors...
It would also be interesting to see similar analysis against COTS/commercial grade security systems.