Hello From A Security Researcher

[sjsturner]

I think you've got quite a valid point. Don't fancy time in prison myself. I don't think they would be very nice to me.

Shawshank

[james.wilson]

Plenty to go round?

[MrHappy]

Shawshank

I'm thinking a tin of boot polish & greenmile ?

[sjsturner]

I'm thinking a tin of boot polish & greenmile ?

Ouch

[cybergibbons]

I think I have now missed the point, just because the standard says 120 min, it does not mean that you have to do it then, that is the MAX time allowed,

So I have to question, why is the maximum so large? There is clearly advantage in it being lower - grade 3 is 100s and grade 4 is 10s. Lower values are more secure. If this is left to the installer to decide, what other parameters of the communications protocol can be altered and set to undesirable values?

 

also with regards to the test, and the requirement, they are designed in all standards (or at least should be) to not be prescriptive about HOW something should be achieved, this does two things, stifles technology development and opens up the methods to defeat equipment to anybody who can buy the standard.

I understand how standards can stifle development, but carefully drawn up standards can help build secure systems whilst allowing flexibility.

I'm not sure how a standard could open a system up to methods of defeat though. If a system relies on the secrecy of a published, but lightly restricted, document to remain secure, it is not a secure system.

 

Your point about the RF chip you can buy is sort of valid, but in a standard Grade 2 risk Mr Burglar is not going to go to those lengths, regardless of how easy you think it may be. He will simply break in anyway, or move on. Risk is all about probability, and what actually happens in the real world, again I go back to my original point, it's all about the risk assessment and the commercial angle manufacturers want to put on equipment, "can i sell my stuff easier or for more money if it has x"

 

You can buy GSM jammers on ebay but jamming GSM diallers is not prolific.

The ease of use would literally be leaving the device near to the property for a short length of time. No skill outside of buying it and inserting the battery the right way round.

This is exactly analogous to DeCSS. Before it came along, it was difficult to digitally copy DVDs. A very small number of clever people cracked the encryption and distributed a means of doing this to the wider internet. Now anyone can rip a DVD to a file on their PC. They didn't need to know how it was done - they just downloaded something that did it.

I really don't think it is unreasonable to assume such a device could become available in the near future, rendering a number of wireless alarms useless.

[PeterJames]

I think a lack of openness is a big reason that many of the flaws I find exist.

To be fair this is security, if all the flaws were open knowledge there would be no security. You also have to remember that not all burglaries are commited by nerds like us, opportunists are less likely to know about flaws or have the know how to get around a burglar alarm.

 

Customers that are likely to be targeted by proffesional burglars are more likely (You would hope) to have a proffesionally installed alarm system, probably hard wired (The proffesional installers preffered method). There are alsorts of flaws in this industry I can think of several that you are unlikely to of come across yet, but I am not about to publish them anywhere for obvious reasons

 

In an ideal world burglar alarms would be burglar proof, but this is not an ideal world is it

[james.wilson]

Yes but remember the grade choice is determined by the risk assessment. Grade 3 is for higher risks and if explained correctly a lot not all go for a higher grade.

[matthew.brough]

I think most nerds could compromise most security measures, not just alarms if they really wanted to.

Yes but remember the grade choice is determined by the risk assessment. Grade 3 is for higher risks and if explained correctly a lot not all go for a higher grade.

That's because of the ca$h. How many end users really care if its not encrypted. I think most are more fussed about what's going on on facebook than their alarm system.

[AdrianMealing]

Yes but remember the grade choice is determined by the risk assessment. Grade 3 is for higher risks and if explained correctly a lot not all go for a higher grade.

 

What he said, and many others, I think you are missing the point. It is all down to risk based on probability, as i have already said, and if a device becomes commercially available that will allow the user to defeat a system, then the proper manufacturers will just come up with a way of stopping that happening.............................oh wait hang on there already is a way its called encryption, some do it some don't and how we do it should not be mandated in anyway, all we need to prove is that it works.

 

As Peter has pointed out professionals choice is Wired, consumer choice is wireless, if explained properly when the risk is high enough, it is down to the professional installer to advise accordingly, and the customer makes his choice. If he wants Joe Bob from the pub to fit his wireless alarm bought from ebay, that is his choice. Nothing written in a standard will change that.

 

Consumers want everything to be wireless, because their whole world is wireless, and most of that technology can be compromised if you know what you are doing, the point is few know, even fewer can be bothered and Mr Scroat the burglar, will 9 times out of 10 break in and rob you anyway, regardless of what alarm system you have.

[cybergibbons]

To be fair this is security, if all the flaws were open knowledge there would be no security. You also have to remember that not all burglaries are commited by nerds like us, opportunists are less likely to know about flaws or have the know how to get around a burglar alarm.

 

Customers that are likely to be targeted by proffesional burglars are more likely (You would hope) to have a proffesionally installed alarm system, probably hard wired (The proffesional installers preffered method). There are alsorts of flaws in this industry I can think of several that you are unlikely to of come across yet, but I am not about to publish them anywhere for obvious reasons

 

In an ideal world burglar alarms would be burglar proof, but this is not an ideal world is it

This highlights another issue with the standards. My understanding is that the grades for wired and wireless alarms are the same, but it really seems that this doesn't enforce a parallel level of security between the two.

I really don't think that it argues the case for keeping everything closed though. As more alarms become internet connected, it's going to be vital that there are ways of dealing with and patching issues, rather than simply trying to keep them covered up.