captain-midnight

Without doubt, there'll be either known or currently unknown, unreported, undivulged or unrealised vulnerabilities and viable attack vectors in the current range of IoT connectable alarm systems - all generations, as threats never really disappear they just evolve and mutate over time. Attack vectors against individual stand-alone installations on their own are relatively low, but only through their relative obscurity on the internet and limited ability to identify individual locations based on purely the ISP's host DNS identifiers. Meaning if you found it's presence on the internet it would be much more difficult to identify the actual physical site location without access to ISP documentation/systems. But still the potential to make the system at least unavailable from legitimate remote access would be a trivial matter that would require minimal knowledge. Where as any alarm systems that use a manufacturer's central servers/services to aid remote connectivity by mobile phone apps for example (eg to remove the requirements for the installer/user setting up of host to dynamitic dns services) are prone at the very least to denial of service attacks if the manufacturer's central system is compromised. This could result in an alarm system becoming unaccessible to remote management/reporting all the way through to possible disruption at the individual alarm system locations i.e the building alarm could be activated if the individual systems are then compromised. As long as you still have onsite manual hardware protection i.e mechanical door locks - it'll just possibly be an inconvenience - but when electronic door locks become more available/common and these themselves become interlinked to online services or internet connected alarm systems the game is definitely on for a would-be attacker whoop! whoop!

Replying to the topic question .... as safe as the risk assessment, installed hardware design and it's software configuration can make it, with reference to customer requirements, solution design and level of funding they want to pay - it's always a trade off. I've worked on customer sites that have had no network security and their internal network is completely using public IP addressing without a firewall in sight, technically just hanging off the internet - vs - a soho customer who's paid for the latest cutting edge network security only to be virtually taken out by their own users due to a lack of internal security policies and procedures. What I'm trying to convey is hardware/software vulnerabilities are important but misconfigurations and/or lack of network user security policies and procedures have the greater potentail of damage.

Thanks guys, currently just having a look around the forums and inevitably reading old posts but potentially finding some nuggets of information, to build on moving forwards.

I'm just a seasoned Network Security Engineer that's branched out into the world of premises alarm systems - if your physical environment isn't secure, what's the point of securing your network as any highly secure network is vulnerable when the attacker has physical access.

..... maybe this thread should be updated or deleted as it just appears to be clickbait