Security Installer Community

Hello From A Security Researcher


cybergibbons


come on CG, you're better than that.

No, but I don't. I'm noticing a lot of things in the alarm industry are like they are because they always have been like that. Change can be good!

You make quite a valid point re updating.

The panels we use would mean a physical chip change for a firmware upgrade, most panels need a flasher but no remote upgrading. The signalling kit we use can all be done remotely very easily without any disruption, even over GPRS.

You have to remember though, the security industry isn't the IT industry. We still think the fact we can talk to a panel remotely via a modem is still considered by many as hi-tech.

Yes - to be clear, I am not saying that the two industries are the same or should aspire to the same things. But as IP signalling and more advanced functionality become available, they are starting to converge. Could lessons learnt in IT security help in the alarm industry?

The SCADA/industrial control industry used to bury their head in the sand with vulnerabilities. The best practices said that a control network should never be on the internet. The firmware could be updated, but it was too hard to do for most users. Then Stuxnet came along and owned entire large networks of PLCs. It took manufacturers by surprise, but not the security researchers who had been saying this would happen for years.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

No, but I don't. I'm noticing a lot of things in the alarm industry are like they are because they always have been like that. Change can be good!

That's quite a valid point and the mindset of a good majority of alarm companies is we have always done x and will continue to do x.

I think we are one of the few that likes to do something new but that has come more from me being IT savvy, which quite a lot of engineers would think Active Directory is maybe a competitor to the Yellow Pages.

www.securitywarehouse.co.uk/catalog/


CG, I think your info may be interesting. Send me your findings and if objective with evidence I may publish it. Not in public on TSI but I feel it's of interest to the trade side of TSI.

Plus I would like to send you some gear to test, but I would like to know your angle here.

securitywarehouse Security Supplies from Security Warehouse

Trade Members please contact us for your TSI vetted trade discount.


James,

I'd be happy to do that. I have some small documents on vulnerabilities in a system, but I need them to be checked so that I don't open myself up to defamation action. It's a tricky one - my work is freelance and some of the manufacturers are quite large.

Friedland and Yale have essentially said that I can openly blog about their alarms. One of the other alarm manufacturers immediately responded with a cease and desist, which is an empty threat, but still causes me concern. This work is freelance, so regardless of who I am doing work for, they will not back me up in legal action.


As I said. You send me the data that I need to defend this, I'll be open with it. But I'd like it to have more info. I'll send you the gear to test from the manufacturers you haven't listed. I'm not overly concerned about the **** stuff you have tested but the proper stuff should be up to it.


Would certainly be worth sending some spare signalling devices. In particular those where the same board is used by different providers.

He won't be able to test it, not enough PSTN lines.


Archived

This topic is now archived and is closed to further replies.
