How Secure Are Smart Security Systems?

Smart security systems promise to simplify keeping homes and properties secure with artificial intelligence, remote views of active cameras, voice commands and more. But cybersecurity researchers are also finding another feature of these systems: security weaknesses, which suggest smart security suites are not as locked down as purchasers may believe.

Systems Often Use Old Technology

A pair of researchers looked at popular smart security systems sold in the United States and Australia by brands including ADT, Swann and Vivint. The investigators discovered that, regardless of brand, the setups used outdated wireless communications technology developed in the mid-1990s.

More specifically, the systems broadcast radio frequency signals between door and window sensors. If an intruder comes into a house through any of the entryways containing a sensor, the security system’s control panel sounds an alarm and alerts the monitoring company to contact a home’s occupants, and law enforcement officials when needed.

The sensors continue to send data whenever a door or window is opened, even if the occupant disables the alarm. The researchers discovered that these signals were not encrypted or authenticated. A hacker could easily intercept the data, decipher the commands and send them back to the control panel in manipulated states. This would allow thieves to enter homes and turn off the alarms, making the security system perform as though no one was there.
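What authenticated, replay-resistant sensor messages look like from the control panel's side, as an added example that is not from the research described or from any vendor's protocol. The frame layout, the per-sensor key, the counter and all names are assumptions made for illustration, and the sketch covers authentication and replay only, not encryption.

```python
import hashlib, hmac, struct

BODY = struct.Struct(">IQB")  # sensor id, message counter, state (1 = open); assumed layout
TAG_LEN = 16                  # truncated HMAC-SHA256 tag

def build_frame(key, sensor_id, counter, state):
    """Sensor side: MAC every field so none can be altered in transit."""
    body = BODY.pack(sensor_id, counter, state)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class ControlPanel:
    def __init__(self, sensor_keys):
        self._keys = dict(sensor_keys)                # per-sensor key, set at pairing
        self._last = {sid: 0 for sid in sensor_keys}  # highest counter accepted so far

    def accept(self, frame):
        if len(frame) != BODY.size + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:BODY.size], frame[BODY.size:]
        sensor_id, counter, state = BODY.unpack(body)
        key = self._keys.get(sensor_id)
        if key is None:
            return "rejected: unknown sensor"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"      # altered or forged frame
        if counter <= self._last[sensor_id]:
            return "rejected: replay"       # a captured frame sent again
        self._last[sensor_id] = counter
        return "open" if state == 1 else "closed"

def demo():
    key = b"constructed-demo-key-0001"      # constructed sample key
    panel = ControlPanel({7: key})
    first = build_frame(key, 7, 1, 1)
    second = build_frame(key, 7, 2, 1)
    tampered = second[:12] + b"\x00" + second[13:]  # state byte changed, original tag kept
    return [panel.accept(first), panel.accept(first),
            panel.accept(tampered), panel.accept(second)]
```

A real panel would also have to persist the last accepted counter across power loss, otherwise old frames become acceptable again after a reboot.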

This research was done several years ago, which means these vulnerabilities may not still be present in most systems. However, that doesn’t mean security systems are locked down tight, even in 2018.

Hackers Could Easily Gain Access to User Details

Most people create usernames and passwords without thinking of the possible consequences or how those details might be stored in a device such as a smart home security system. It’s relatively easy for hackers to get device serial numbers through brute-force attacks. Some users even post photos of their equipment online and don’t realize when those snapshots contain serial numbers.

Security professionals tested a smart hub for internet of things (IoT) gadgets, which include smart security systems. The researchers hacked into the config.jar file archive of the hub, which contains most of the device configuration information, including details for accessing the gadget. Although the password was encrypted, it was easy to break with publicly accessible tools—a task made even easier because the device’s manufacturer did not enforce complexity requirements.

High-tech sensors, including those used for home security systems, can track an assortment of characteristics such as movement, size and temperature. Besides gaining access to user login details through their IoT hack, the researchers obtained information about the sensors, giving them the ability to make changes associated with them.

The researchers concluded that by generating and sending the correct content to the server, hackers could open a residence’s doors or manipulate the lights and water supply. They reported the flaws to the device’s vendor.

Some Companies Ignore Vulnerability Reports

Many security researchers who uncover problems make speedy disclosures to the manufacturers to reduce the risk to consumers and companies’ reputations. However, the product manufacturers don’t always take prompt action.

Researchers at security research firm BullGuard found numerous authentication bypass bugs in a product called the iSmartAlarm Cube. Those weaknesses allowed unauthenticated users to control the entire network of cameras and sensors in a home, plus access the complete database of product users.

However, when BullGuard made a private disclosure of what its researchers found, the manufacturer did not respond. Additionally, a look at the brand’s available firmware showed a lack of recent updates that could have patched the issues.

IT professionals investigating potential smart security systems should research the track records of particular companies and see whether there have been any known security risks associated with the products—and, if there are, whether the company responded and remedied the issues.

Security Shortcomings Also Extend to Complementing Apps

Most smart security systems come with smartphone or tablet apps, with the idea that users can monitor homes from wherever they are, even while on vacation. Users are discovering that they need to change their passwords to revoke other users’ access.

A report about Ring video doorbells noted the mobile app never required people to log into the application interface again after the password was changed. That means a user who remained logged into the app still would have access to the system, even without the correct password. The problem was reported to Ring in January, and the company reportedly fixed the issue in the app.

However, months later, unauthorized users still had access to accounts, including administrator options and live or archived video footage, for several hours after a password change, which suggested the patch wasn’t sufficient. Ring issued a statement that it was working on making further improvements to the password-change experience.
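One server-side way to make a password change end every existing session at once, as an added example that is not Ring's code or design. The in-memory AccountService class, the "credential epoch" counter and the sample credentials are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets

class AccountService:
    def __init__(self):
        self._users = {}     # username -> {"salt", "pw_hash", "epoch"}
        self._sessions = {}  # token -> (username, epoch at login)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "pw_hash": self._hash(password, salt), "epoch": 0}

    def login(self, username, password):
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user["pw_hash"], self._hash(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, user["epoch"])
        return token

    def authorize(self, token):
        """Run on every request, so a stale session is refused immediately."""
        username, epoch = self._sessions.get(token, (None, None))
        if username is None:
            return None
        if epoch != self._users[username]["epoch"]:
            del self._sessions[token]  # issued under an older password
            return None
        return username

    def change_password(self, token, new_password):
        username = self.authorize(token)
        if username is None:
            return None
        user = self._users[username]
        user["salt"] = os.urandom(16)
        user["pw_hash"] = self._hash(new_password, user["salt"])
        user["epoch"] += 1  # invalidates every existing session, the caller's included
        return self.login(username, new_password)  # fresh session for the caller only

def demo():
    svc = AccountService()
    svc.register("owner", "constructed-old-pass")  # constructed sample credentials
    phone, tablet = svc.login("owner", "constructed-old-pass"), svc.login("owner", "constructed-old-pass")
    fresh = svc.change_password(phone, "constructed-new-pass")
    return svc.authorize(tablet), svc.authorize(phone), svc.authorize(fresh)
```

Because the epoch is compared on each request rather than when a cached token expires, the other devices lose access on their next call instead of hours later.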

Clearly, the Ring example shows the need for thorough testing to avoid outcomes that could reduce the overall security of a system or its app. IT professionals must dig deeper to see if there are unintended consequences of new or existing capabilities.

Vulnerabilities Are Often Extremely Extensive

One of the reasons why it’s not always easy for IT professionals to fix identified flaws is they may involve multiple vulnerabilities in a software stack. Such was the case with issues found by researchers from the University of Michigan, who examined the technology framework of SmartThings gadgets.

In 2016, the researchers were able to get the PIN to unlock a home’s front door, virtually create a spare door key and insert fake messages into an app to make a fire alarm go off. They found that more than 40 percent of the nearly 500 apps examined granted people access to too many privileges, which allowed for more extensive hacks.

Smart Security Systems Need Improvements

As these examples indicate, smart security systems often are not as intelligent as their manufacturers would like people to think.

IT professionals must be aware of the likelihood that such weak points exist and carefully research the risks before investing in systems for their companies or developing new capabilities for them.

Kayla Matthews

Security Boulevard
Kayla Matthews writes about cybersecurity, data privacy and technology for Digital Trends, Cloud Tweaks, TechnoBuffalo and The Daily Dot. To read more of Kayla’s articles, visit her blog Productivity Bytes.
