matthew.brough Posted April 24, 2013 Share Posted April 24, 2013 The reality is, most people don't care. The manufacturer doesn't. The installer only usually is bothered about being able to prove the kit is compliant, the insurer is only bothered about it being compliant and the installer and arc being approved. The vulnerabilities you discus,, 99.9999% of engineers in the industry would think you're talking a foreign language. They understand how to fit it, not how it works. www.securitywarehouse.co.uk/catalog/ Link to comment Share on other sites More sharing options...
norman Posted April 24, 2013 Share Posted April 24, 2013 Probability is key here, especially when talking about residential properties. Nothing is foolproof to a sufficiently talented fool. Link to comment Share on other sites More sharing options...
cybergibbons Posted April 24, 2013 Author Share Posted April 24, 2013 So, to paraphrase, manufacturers and installers don't care that the alarms they fit have vulnerabilities which could easily be fixed? I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Â Â Â Link to comment Share on other sites More sharing options...
norman Posted April 24, 2013 Share Posted April 24, 2013 Again, probability, I cannot think of an electronic device that can't be hacked. Nor am I aware of any instance of any radio security system being compromised on purpose. You say this could be sorted cheaply yet are unwilling to elaborate. Whole thing seems pretty pointless to me then. Nothing is foolproof to a sufficiently talented fool. Link to comment Share on other sites More sharing options...
matthew.brough Posted April 24, 2013 Share Posted April 24, 2013 Again, probability, I cannot think of an electronic device that can't be hacked. Nor am I aware of any instance of any radio security system being compromised on purpose. You say this could be sorted cheaply yet are unwilling to elaborate. Whole thing seems pretty pointless to me then. Glad to see you're spending your second day of paid relaxation wisely on tsi I'm not quite sure what i'd do if I had a week off work www.securitywarehouse.co.uk/catalog/ Link to comment Share on other sites More sharing options...
norman Posted April 24, 2013 Share Posted April 24, 2013 Out with the dog on the phone sadly on my own. Nothing is foolproof to a sufficiently talented fool. Link to comment Share on other sites More sharing options...
cybergibbons Posted April 24, 2013 Author Share Posted April 24, 2013 Again, probability, I cannot think of an electronic device that can't be hacked. Nor am I aware of any instance of any radio security system being compromised on purpose. You say this could be sorted cheaply yet are unwilling to elaborate. Whole thing seems pretty pointless to me then. That skirts around the question though. If the manufacturer is made aware of the problem and chooses not to fix it, or not to disclose it, then there is no way for installers, consumers or insurers to take this into account. That's in stark contrast to most other electronic security products, where open disclosure is welcomed. If you want specific fixes: 1. Replay attacks have not been possible against most car keyless entry systems for 10+ years. The methods to prevent against this are widely documented, but aren't mandated in the standards and aren't used in all systems. This is a software function. 2. Some systems use FHSS, presumably to avoid issues with jamming. They hop over a very small number of frequencies very slowly and in a predictable manner. There are remote control systems for model planes that use FHSS more effectively. Can be fixed in software, the alarm I am referring to uses a chip I am familiar with and it is capable of a lot more. 3. Sending a PIN code in the clear is easily fixed by encryption. Software again. 4. When encryption is used, keys are often fixed and are frequently too short to be worth much. There are also implementation errors. 5. It's assumed that encryption solves problems with replay attacks - it doesn't. It simply means I need to replay an encrypted packet. 6. Watchdog timers aren't used enough in these products, so if you hang the panel, it will not recover. 7. Anything IP connected needs a mechanism to patch the code as there will always be vulnerabilities. It goes on. Discussing these with other involved in reverse engineering, these would have been easily picked up in a good independent audit. What extra detail do you want? I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Â Â Â Link to comment Share on other sites More sharing options...
Boxshifter Posted April 24, 2013 Share Posted April 24, 2013 This is getting a bit touchy. CG is right that what we a fitting are inadequate when it comes to vulnerability. Data information security far exceeds that of alarms and it could be perceived as being blasé not have considered them but they are not deemed as common attack types for the industry. i would be pleased to hear of the preventative measures you could recommend/suggest especially to existing systems already installed. Link to comment Share on other sites More sharing options...
matthew.brough Posted April 24, 2013 Share Posted April 24, 2013 Out with the dog on the phone sadly on my own. Mrs norman not got time off? www.securitywarehouse.co.uk/catalog/ Link to comment Share on other sites More sharing options...
norman Posted April 24, 2013 Share Posted April 24, 2013 She only works a couple of hours a day, works out less that Santa tbf. Nothing is foolproof to a sufficiently talented fool. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.