Security Installer Community

Hello From A Security Researcher


cybergibbons

I think a lack of openness is a big reason that many of the flaws I find exist.

This ^^ and also underfunded development teams due to "economic pressures" seeing this as a less critical area of businesses.

I have lost count of how many suppliers I have now seen who have spaghetti code and/or poor obfuscation techniques used in place of genuine encryption methods.

Hi CG - Welcome to the forum. You will find many others here who are also close followers of potential vulnerabilities in equipment as alluded to in some of the blog entries here on tsi.

The electronic security industry has traditionally had some good practice implementations which have helped improve security protocols in the past, however with some irony these same non-standard, non-proprietorial code sets now become a point of weakness as other industries improve their approach and ours remains somewhat stagnant.

There are some clued up suppliers but also some who seem to ignore the risks highlighted to them.

I think far too few people are looking at these devices from the pen testing perspective (Physical and comms based) and I welcome more eyes on this issue. There is much to be done.

I really hope to try and change this. So far my response to (responsible) disclosure has been pretty lacklustre. Some responses are "well, it meets standards". Others are "we've never seen this happen" (bury head in sand). Totally ignored by others. Frustrating at times.

Not saying that but there will be reasons. I wondered if the restricted access was just to security standards and if other EN's were available.

I'd be interested to see really. Maybe Adrian can comment.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

I would be interested to know who you spoke to in the group, and how their opinion differs from mine. Restriction of standards is IMHO a good thing, it should be restricted until the document is available for comment, at that point providing you have access to organisations who are members of the relevant national bodies, like BSI and BSIA in the UK then no reason why you cannot comment. All comments are reviewed by the WG before the standard is published. Some will get in, some won't.

The biggest problem with the standardisation process is that many of the working groups have people who claim to be experts on them, the truth however is they are sometimes there for their own interest, or even worse, they are just there to report back to their own national committee about what is going on. I see them in many groups I attend, they just sit, don't comment and take notes.

As for Encryption at Grade 2 why? It all depends on the level of risk to the property and contents, therefore if Grade 2 is not suitable either don't use wireless or pay for Grade 3 wireless, it is available. With a Grade 2 risk I would not expect the intruder to have the knowledge to do anything to the system.

Out of interest which requirement and test methods are you referring to?

amealing@texe.com

Head of Industry Affairs

Texecom

I don't understand why keeping the standard closed is a good thing though. Time and time again, closed source and closed standards have been shown to foster security vulnerabilities. The only thing that keeping something closed can do is provide a degree of obfuscation, and by definition, once that obfuscation is removed, the system is vulnerable.

For encryption on grade 2, why not? Several grade 2 systems provide encryption. It's a software based function, and with the hardware used in all of the currently available alarm systems, it's perfectly possible to implement. "pay for Grade 3 wireless" just backs up the product differentiation argument.

"Out of interest which requirement and test methods are you referring to?"

Sorry - I don't understand what this is referring to?

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

Sorry but I have to disagree, if standards were open for debate during the whole process, we would never actually end up with anything. Getting decisions with 11 people is bad enough.

Agree about the encryption, but that is a commercial decision for the manufacturer at Grade 2, nothing to do with standards as the requirement for encryption is at Grade 3 and higher, like I said based on risk.

As for security vulnerabilities, I take it you mean on your other topic of transmission systems, not my area of expertise, however to get 27 countries to agree on a standard, sometimes you have to peg the requirements back to make sure all will and can adopt the standards. This is unfortunate for a more advanced market, but it is what it is.

The requirements and test methods I was referring to relate to which specific clauses are you looking at in 50131-5-3 and why do you think encryption is a requirement at Grade 2?

amealing@texe.com

Head of Industry Affairs

Texecom

"Sorry but I have to disagree, if standards were open for debate during the whole process, we would never actually end up with anything. Getting decisions with 11 people is bad enough."

The IETF manages to deal with an open process of standards publication, approval and adoption. It's certainly possible, and I think something that security standards should aspire to.

I don't know if the standards are technically closed once they are finalised, but they are certainly not easily accessible to the public.

"Agree about the encryption, but that is a commercial decision for the manufacturer at Grade 2, nothing to do with standards as the requirement for encryption is at Grade 3 and higher, like I said based on risk."

"As for security vulnerabilities, I take it you mean on your other topic of transmission systems, not my area of expertise, however to get 27 countries to agree on a standard, sometimes you have to peg the requirements back to make sure all will and can adopt the standards. This is unfortunate for a more advanced market, but it is what it is."

"The requirements and test methods I was referring to relate to which specific clauses are you looking at in 50131-5-3 and why do you think encryption is a requirement at Grade 2?"

I know that encryption is a requirement at grade 2, but I feel that it should be. Well - that isn't strictly true. I think that MAC and protection against replay attacks should be mandatory at all grades.

The current state of play is that I can use a CC1110 SoC RF chip to either jam, disarm, or disable a large number of the commonly available alarms. This device could easily be sold on ebay, or via less overt channels, and end up in the wrong hands. It would require no skill to operate, and I think would massively change the playing field when discussing "unskilled" attackers. I'm surprised this hasn't happened before, really.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/
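What "MAC and protection against replay attacks" means for a wireless sensor frame, as an added example that is not part of the thread or any vendor's code: the frame layout, the 8-byte tag length, the device id and the key are all constructed for illustration, and HMAC-SHA-256 is used only because it ships in the Python standard library.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8                      # truncated tag length (assumed for this sketch)
HEADER = struct.Struct(">IIB")   # device id, message counter, event code

def build_frame(key: bytes, device_id: int, counter: int, event: int) -> bytes:
    """Sensor side: header followed by a truncated HMAC over the header."""
    header = HEADER.pack(device_id, counter, event)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag

class Receiver:
    """Panel side: checks the MAC, then enforces a strictly rising counter."""

    def __init__(self, keys: dict[int, bytes]):
        self.keys = keys          # per-device keys set at enrolment
        self.last_counter = {}    # highest counter accepted per device

    def accept(self, frame: bytes) -> str:
        if len(frame) != HEADER.size + TAG_LEN:
            return "reject: bad length"
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        device_id, counter, event = HEADER.unpack(header)
        key = self.keys.get(device_id)
        if key is None:
            return "reject: unknown device"
        expected = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad MAC"
        # Counter is only advanced after the MAC verifies, so forged
        # frames cannot push the window forward.
        if counter <= self.last_counter.get(device_id, -1):
            return "reject: replayed or stale counter"
        self.last_counter[device_id] = counter
        return f"accept: event {event}"

def demo() -> list[str]:
    key = bytes(range(16))                       # constructed sample key
    panel = Receiver({0x1001: key})
    disarm = build_frame(key, 0x1001, 7, 0x02)   # constructed "disarm" frame
    forged = disarm[:8] + b"\x03" + disarm[9:]   # event byte changed, old tag
    return [
        panel.accept(disarm),    # first delivery
        panel.accept(disarm),    # identical bytes received a second time
        panel.accept(forged),    # altered without knowledge of the key
        panel.accept(build_frame(key, 0x1001, 8, 0x01)),
    ]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Neither check needs the payload to be encrypted, which is the distinction the post draws between encryption and integrity with replay protection.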

Maybe I've completely missed something here but why would I be so concerned about RF jamming? The panel will report RF jam and any polling failures so I'm not sure if it is such an issue?

Same with GPRS on the signalling devices. Yes it can be jammed, but it will take only 3 minutes before a warning of the path failure has occurred so the fact someone can do it, doesn't over bother me?

I think this is a really interesting topic and keen to be guided if I've missed something. I share the view regarding encryption, I don't see why anything should be sent in the clear.

www.securitywarehouse.co.uk/catalog/


Archived

This topic is now archived and is closed to further replies.
