Security Installer Community

Hello From A Security Researcher


cybergibbons


This highlights another issue with the standards. My understanding is that the grades for wired and wireless alarms are the same, but it really seems that this doesn't enforce a parallel level of security between the two.

I really don't think that it argues the case for keeping everything closed though. As more alarms become internet connected, it's going to be vital that there are ways of dealing with and patching issues, rather than simply trying to keep them covered up.

The grade of the system is important, not the interconnection between devices. And what has an internet connection got to do with this? And what is being covered up?

The parallel issue is bound to exist as the System Standard and Product standards do not differentiate between the medium used to provide the notification and indication.

So why the great interest, and why don't you have access to what you perceive to be a closed industry? Everything is available at the right time to those of us that commit to the cause. My company pays for me to be involved, not an industry body or anybody else; it is a commercial decision, same as everything else in the business world.

amealing@texe.com

Head of Industry Affairs

Visit Our Website
Texecom

What he said, and many others. I think you are missing the point. It is all down to risk based on probability, as I have already said, and if a device becomes commercially available that will allow the user to defeat a system, then the proper manufacturers will just come up with a way of stopping that happening... oh wait, hang on, there already is a way, it's called encryption. Some do it, some don't, and how we do it should not be mandated in any way; all we need to prove is that it works.

I think you've made some assumptions there that aren't true.

Encryption in and of itself will not prevent replay attacks. There is one system out there that assumes it does, and as a result, the encryption fails to add anything to the security.

A robust, secure encryption system can have every aspect of its working documented and still be entirely secure. This isn't done in the alarm industry - I've got no idea if the system is using a decent implementation of AES or some half-baked encryption scheme implemented by a designer who vaguely remembers a course he did at uni 10 years ago. This does happen - recent research on the SIA-HS protocol used for alarm notification showed that XOR with a fixed 8-bit key was being used. That's something an A-level computing student can crack.

There doesn't seem to be any independent testing done on alarms. Consumers need to take everything on the manufacturer's word. There isn't any proof that it is secure, just that it works. I really don't think this is enough.

You can use other methods to prevent replay attacks. These come at no hardware cost and are available in higher grade systems. So why are they not used in lower grade systems? The only reason I can see is product differentiation, and I don't feel that this is ethical in a security product.

As Peter has pointed out, professionals' choice is wired, consumer choice is wireless. If explained properly when the risk is high enough, it is down to the professional installer to advise accordingly, and the customer makes his choice. If he wants Joe Bob from the pub to fit his wireless alarm bought from eBay, that is his choice. Nothing written in a standard will change that.

Isn't a grade 3 wireless alarm under the standards meant to be equivalent to a grade 3 wired alarm though, in terms of the risk to the property?

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

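The post above says a fixed 8-bit XOR key is something a student can crack. The following added example (not code from the post, from Alphatronics or from any SIA-HS implementation; the plaintext, the key 0x5A and the message wording are constructed for the demonstration) shows what that claim means in practice: with one byte of key there are only 256 possibilities, and the textbook check of scoring each candidate output for how much it looks like text picks out the right one. It is the kind of check an independent reviewer would run to see whether a product's "encryption" is worth the name.

```python
"""What a fixed single-byte XOR 'cipher' actually provides.

Added example; the sample report, the key and the format are constructed here
for illustration and do not come from any real product or protocol.
"""
import string

# Rough English letter frequencies (percent); space is scored like the most
# common letter because it dominates ordinary text.
FREQ = {
    "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3,
    "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "c": 2.8, "u": 2.8, "m": 2.4,
    "w": 2.4, "f": 2.2, "g": 2.0, "y": 2.0, "p": 1.9, "b": 1.5, "v": 1.0,
    "k": 0.8, "j": 0.2, "x": 0.2, "q": 0.1, "z": 0.1, " ": 13.0,
}
PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same 8-bit key: the scheme the post describes."""
    return bytes(b ^ key for b in data)


def english_score(candidate: bytes) -> float:
    """Higher means more text-like; non-printable bytes are penalised heavily."""
    score = 0.0
    for b in candidate:
        if b not in PRINTABLE:
            score -= 20.0
        else:
            score += FREQ.get(chr(b).lower(), 0.0)
    return score


def recover_key(ciphertext: bytes) -> int:
    """Try all 256 keys and return the one whose output scores best."""
    return max(range(256), key=lambda k: english_score(xor_bytes(ciphertext, k)))


# Constructed sample report and a made-up key for the demo.
SAMPLE_PLAINTEXT = b"ZONE 03 OPEN, ACCOUNT 1234, PANEL REPORTING TO MONITORING CENTRE"
SAMPLE_KEY = 0x5A
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    k = recover_key(SAMPLE_CIPHERTEXT)
    print(f"recovered key 0x{k:02x}: {xor_bytes(SAMPLE_CIPHERTEXT, k)!r}")
```

The scoring is deliberately crude; it only needs to separate the one candidate that decrypts to readable text from the 255 that do not, which a few dozen bytes of message are enough for. Nothing here depends on knowing the message content in advance.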
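The post above also makes two points that are easy to conflate: encryption on its own does not stop replay, and the methods that do stop it cost no hardware. The added example below (not code from the post or from any alarm manufacturer; the message format, the key and the events are constructed, and the keystream is a toy built from HMAC-SHA256 so that it runs on the standard library alone) models a wireless detector reporting to a panel. Each report is encrypted and carries an authentication tag, so a forged or altered message is rejected. A panel that checks only the tag and the decrypt still accepts a genuine message the second time it hears it; a panel that additionally requires the sequence number to increase rejects the repeat, and that check is a few lines of firmware.

```python
"""Why an encrypted, authenticated radio message can still be replayed, and
what a sequence-number check adds at no hardware cost.

Added example; sensor/panel format, key and events are constructed for the
demo. The keystream below is a toy stand-in for whatever cipher a real system
uses; the replay argument does not depend on that choice.
"""
import hashlib
import hmac

SEQ_LEN = 4   # bytes of sequence number carried in clear
TAG_LEN = 16  # truncated HMAC-SHA256 tag
DEMO_KEY = b"constructed-sensor-panel-key"  # constructed, not a real product key


def keystream(key: bytes, seq: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC(key, seq || block_index) blocks."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, seq + block.to_bytes(2, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tag(key: bytes, seq: bytes, ct: bytes) -> bytes:
    """Authentication tag over sequence number and ciphertext."""
    return hmac.new(key, seq + ct, hashlib.sha256).digest()[:TAG_LEN]


class Sensor:
    """Wireless detector: encrypts and authenticates each event report."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def report(self, event: bytes) -> bytes:
        self.seq += 1
        seq = self.seq.to_bytes(SEQ_LEN, "big")
        ct = xor(event, keystream(self.key, seq, len(event)))
        return seq + ct + tag(self.key, seq, ct)


class Panel:
    """Control panel. With check_freshness=False it behaves like the system the
    post describes: a valid tag and a clean decrypt are enough to accept."""

    def __init__(self, key: bytes, check_freshness: bool):
        self.key = key
        self.check_freshness = check_freshness
        self.last_seq = 0

    def receive(self, msg: bytes):
        """Return the event text if accepted, or None if the message is rejected."""
        if len(msg) < SEQ_LEN + TAG_LEN:
            return None
        seq, ct, received_tag = msg[:SEQ_LEN], msg[SEQ_LEN:-TAG_LEN], msg[-TAG_LEN:]
        # Authenticity: a forged or bit-flipped message fails here.
        if not hmac.compare_digest(received_tag, tag(self.key, seq, ct)):
            return None
        # Freshness: a genuine but old message must not be accepted again.
        seq_num = int.from_bytes(seq, "big")
        if self.check_freshness:
            if seq_num <= self.last_seq:
                return None
            self.last_seq = seq_num
        return xor(ct, keystream(self.key, seq, len(ct))).decode()


def demo():
    """Deliver one genuine report twice to each kind of panel."""
    sensor = Sensor(DEMO_KEY)
    naive, strict = Panel(DEMO_KEY, False), Panel(DEMO_KEY, True)
    captured = sensor.report(b"zone 3 open")
    return {
        "naive_first": naive.receive(captured),
        "naive_replay": naive.receive(captured),
        "strict_first": strict.receive(captured),
        "strict_replay": strict.receive(captured),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted ' + result if result else 'rejected'}")
```

In a deployed system the counter has to survive power loss on both ends and needs a resynchronisation rule for a sensor that has been replaced or reset; the other software-only option is for the panel to issue a random challenge that the sensor must include in its response. Either way the protection is in the protocol, not in the radio hardware, which is the point the post is making about lower-grade systems.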

First of all, welcome. You'll certainly get a lot of 2p's chucked in with your time here. This place is full of experience. Secondly, kudos for tinkering with the wireless side of things.

However, I do have some questions. What manufacturers have you purchased so far, and what are the scenarios you are simulating? What are the parameters that you're measuring your results by?

On the subject of grading and the standards, you'll find that the documents are very loose and open to interpretation. While this cuts back on their strictness, it does give people much-needed leeway in terms of compliance and installation. Vital, in my opinion.

Also, is the product grading relevant for the attacks you are trying to simulate? I don't think it is, but I'm interested to know if you think it is.

The grade of the system is important, not the interconnection between devices.

Except there seems to be a general distrust of wireless systems over wired, even of the same grade. So clearly the interconnection is a factor.

And what has an internet connection got to do with this?

Many alarms are now using the internet or PSTN for signalling. This opens up a whole new avenue of attack. If there is no means of patching issues, the only mechanism to protect against them is secrecy. Time and time again this has been shown to be a really poor method of providing security.

And what is being covered up?

Alarm manufacturers do not respond well to disclosure of vulnerabilities.

A specific example is the recent SIA-HS research again. The protocol is totally rotten - anyone on the public internet can cause an alarm event for every single alarm connected to the reporting centre. That's shoddy. Alphatronics' only response was to ask for the research to be taken down, and they have done nothing to fix the problems. Is this because they don't want to? Is it because they can't, because there is no means of patching the panels? I don't know, but simply hiding it is not the solution.

So why the great interest, and why don't you have access to what you perceive to be a closed industry? Everything is available at the right time to those of us that commit to the cause. My company pays for me to be involved, not an industry body or anybody else; it is a commercial decision, same as everything else in the business world.

I don't perceive the industry as closed, I haven't said that. I have said that closed standards don't promote secure systems.

Self-certification is allowed, sadly. The 2 manufacturers we use don't self-certify and send it to a 3rd party, but they certainly don't have to; they just decide to.

Matt - can you mention who they are, or who the third party is?

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/
