Jump to content
Security Installer Community

Hello From A Security Researcher


cybergibbons

Recommended Posts

The reality is, most people don't care. The manufacturer doesn't. The installer only usually is bothered about being able to prove the kit is compliant, the insurer is only bothered about it being compliant and the installer and arc being approved.

The vulnerabilities you discus,, 99.9999% of engineers in the industry would think you're talking a foreign language. They understand how to fit it, not how it works.

www.securitywarehouse.co.uk/catalog/

Link to comment
Share on other sites

Again, probability, I cannot think of an electronic device that can't be hacked. Nor am I aware of any instance of any radio security system being compromised on purpose. You say this could be sorted cheaply yet are unwilling to elaborate. Whole thing seems pretty pointless to me then.

Nothing is foolproof to a sufficiently talented fool.


Link to comment
Share on other sites

Again, probability, I cannot think of an electronic device that can't be hacked. Nor am I aware of any instance of any radio security system being compromised on purpose. You say this could be sorted cheaply yet are unwilling to elaborate. Whole thing seems pretty pointless to me then.

Glad to see you're spending your second day of paid relaxation wisely on tsi :proud:

I'm not quite sure what i'd do if I had a week off work :hmm:

www.securitywarehouse.co.uk/catalog/

Link to comment
Share on other sites

Again, probability, I cannot think of an electronic device that can't be hacked. Nor am I aware of any instance of any radio security system being compromised on purpose. You say this could be sorted cheaply yet are unwilling to elaborate. Whole thing seems pretty pointless to me then.

That skirts around the question though. If the manufacturer is made aware of the problem and chooses not to fix it, or not to disclose it, then there is no way for installers, consumers or insurers to take this into account. That's in stark contrast to most other electronic security products, where open disclosure is welcomed.

If you want specific fixes:

1. Replay attacks have not been possible against most car keyless entry systems for 10+ years. The methods to prevent against this are widely documented, but aren't mandated in the standards and aren't used in all systems. This is a software function.

2. Some systems use FHSS, presumably to avoid issues with jamming. They hop over a very small number of frequencies very slowly and in a predictable manner. There are remote control systems for model planes that use FHSS more effectively. Can be fixed in software, the alarm I am referring to uses a chip I am familiar with and it is capable of a lot more.

3. Sending a PIN code in the clear is easily fixed by encryption. Software again.

4. When encryption is used, keys are often fixed and are frequently too short to be worth much. There are also implementation errors.

5. It's assumed that encryption solves problems with replay attacks - it doesn't. It simply means I need to replay an encrypted packet.

6. Watchdog timers aren't used enough in these products, so if you hang the panel, it will not recover.

7. Anything IP connected needs a mechanism to patch the code as there will always be vulnerabilities.

It goes on. Discussing these with other involved in reverse engineering, these would have been easily picked up in a good independent audit. What extra detail do you want?

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Link to comment
Share on other sites

This is getting a bit touchy. CG is right that what we a fitting are inadequate when it comes to vulnerability. Data information security far exceeds that of alarms and it could be perceived as being blasé not have considered them but they are not deemed as common attack types for the industry. i would be pleased to hear of the preventative measures you could recommend/suggest especially to existing systems already installed.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.



×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.