Hello From A Security Researcher

[AdrianMealing]

Adrian - I'd really like to hear your thoughts in a few of the things raised in this thread. I'm still open for discussion, as are a lot of the other users here.

Just a recap:

1. I don't think the current standards allow any differentiation between a good grade 2 alarm (e.g. the Texecom Ricochet, which has a number of features only required for grade 3 alarms) and a bad one (not naming names, but a recent report on one showed that it met the standard but was a long way behind more modern panels). I don't think installers, consumers, or insurers have the ability to tell what is marketing fluff and what isn't.

2. Without independent audits of this functionality, it's perfectly possible for an alarm to meet a spec on paper, but not in reality. Will the new standards address this?

3. You represent a large number of manufacturers - is there any take on the process of vulnerability reporting and disclosure?

4. You implied reverse engineering an alarm protocol could result in court action. What would this be under?

 

Hi Andrew,

 

I know I said I was "outta here" and would not comment, however now we have exchanged some more information by PM I am happy to throw my two cents back into this discussion.

 

1. There is a simple method for manufacturers to prove compliance with standards, and that is to have the equipment tested and certified against the standard by an independent test house. We as a manufacturer have done this with al of our products where a standard exists. Self declaration IMHO is not worth the paper it is written on.
2. The new standards will not address this, but the EU Industrial Policy may, huge topic and far to complex to discuss hear, but the bottom line is there wil be a requirement across the EU for manufactures of security systems to have equipment independently tested and certified so they can carry an EU quality mark, this will be a requirement under EU law probably enforced by a Regulation. An example of such a scheme is Certalarm. We are going through this process at the moment at System 5 level, which means factory audits and random product sampling from the market by the certification body.
3. We are constantly obtaining feedback about our products from our customers and internal test engineers, to this end we have a bug reporting system, a triage methodology and a fixing and re-testing process. Critical bugs are fixed ASAP and software updated and made available, interim fixes and feature requests will be dealt with on a priority/complexity basis and periodic updates released. We always come clean and let people know what is going on if we have a major issue, depending on the impact we may or may not notify customers before a fix is in place, usually if we have a workaround. In all cases we let people know the issues, and what has been fixed. This is done via email for registered installers.
4. I think we discussed this via PM, suffice to say if Reverse Engineering activity resulted in a product being put on the market with our IP or patents infringed, we would definitely see you in court. If you are doing this for fun, because it interests you or because you think you can make a difference, probably not a lot we can do.

[matthew.brough]

To be fair to Adrian and Texecom, when we used their products and there were some issues they didn't bury their head in the sand or try to cover up the issue. The communication and support was very good and a fix forthcoming. This ime is completely opposite to most manufacturers I've had experience with and they are happy to leave the installer out in the cold and deny any issues with their products.

[Joe Harris]

Well said Adrian - The new measures sound very encouraging and will give a real shot in the arm for quality compliance.

[cybergibbons]

Thanks - this is great stuff. Bit busy right now but will come back and reply in full later!

[al-yeti]

Old discussion, but I just read it all, having an electronic s background none of this will matter much until the pro thief gets these gadgets to do there so called jamming and crashing of panels

By then we will be retired and all the panels will have to be slowly replaced because no one listened about the flaws, so installers and manufacturers make loads of more money selling new equipment

But very interesting read, best bit was about the cat! But then I do have a cat and his breath does smell of cat food