A few days ago, I posted an article about some vulnerabilities that happened in 2015.
IoT has been a hot topic, but some of the small things that are part of it have been forgotten. While everyone is overwhelmed by what IoT can do, they seem to put security aside.
PAUL DUCKLIN. Every time we talk about the so-called Internet of Things on the Chet Chat, we get rather woeful tones in our voices, don’t we? It does seem that security [takes] second place, if it’s on the list at all.
Luca Lo Castro felt awkward starting his blog this way, with a look at a security alarm system and the perception of security. He tested a security alarm he had bought, based on European Standard EN50131.
The alarm he tested is a Texecom security alarm, which offers high-level security at Grade 3 of European Standard EN50131.
Grade 3 itself isn’t quite that high, but it covers places such as bonded warehouses, mobile phone shops, computer suppliers, and motor garages: locations with high-value contents where crooks are “likely to spend time planning an intrusion,” and will bring along electronic tools such as laptops.
Unfortunately, Luca was let down by its ComIP module, which he found not secure at all.
He found that:
- The alarm can be connected to the internet.
- The alarm can “call home” to the vendor’s cloud servers to log status information, such as when an alarm goes off.
- The alarm’s companion mobile app can receive reports from, and send commands to, the alarm itself.
- The alarm’s companion mobile app can receive reports from, and send commands to, the vendor’s cloud servers.
The worrying aspects that he reports are as follows:
- The vendor’s documentation recommends opening a firewall port to allow direct access to the alarm from the internet.
- The alarm “calls home” using neither encryption nor authentication.
- The mobile app communicates with the control panel, including sending the password, using neither encryption nor authentication.
You can read the full review of his research here; he has already explained it in detail.
Luca advises anyone using Texecom not to open any firewall port to the control panel. A workaround for controlling the alarm system remotely with the mobile app is to create a VPN connection from the mobile device to the local network where the control panel is installed, and then run the Texecom mobile app.
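One way to check a router against this advice, as an added example that is not from Luca's research or Texecom's documentation: it scans `iptables-save` NAT output for port forwards that reach the control panel from any interface other than the VPN. A Linux-based router and IPv4 are assumed, and the interface names, addresses and port are constructed placeholders.

```python
import ipaddress

# Constructed sample of `iptables-save -t nat` output from a hypothetical router.
# Assumed: eth0 = WAN, wg0 = VPN, 192.168.1.50 = alarm control panel,
# port 5000 = placeholder, not the product's real port.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 192.168.1.50:5000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.20:443
-A PREROUTING -i wg0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 192.168.1.50:5000
COMMIT
"""


def exposed_forwards(rules_text, panel_ip, vpn_ifaces=("wg0",)):
    """Return (in_iface, dport, target) for DNAT rules that reach panel_ip
    from anything other than a VPN interface."""
    panel = ipaddress.ip_address(panel_ip)
    findings = []
    for line in rules_text.splitlines():
        tokens = line.split()
        if "DNAT" not in tokens or "--to-destination" not in tokens:
            continue
        # Map each option flag to the token that follows it.
        opts = {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}
        target = opts["--to-destination"]
        # The target host may be a single address or a "low-high" range.
        low, _, high = target.split(":")[0].partition("-")
        if not ipaddress.ip_address(low) <= panel <= ipaddress.ip_address(high or low):
            continue
        # A rule is acceptable only if it is pinned to a VPN interface;
        # any "!" negation is flagged for manual review instead of trusted.
        if opts.get("-i") in vpn_ifaces and "!" not in tokens:
            continue
        findings.append((opts.get("-i", "any"), opts.get("--dport", "any"), target))
    return findings


if __name__ == "__main__":
    for iface, dport, target in exposed_forwards(SAMPLE_RULES, "192.168.1.50"):
        print(f"EXPOSED: {iface} port {dport} -> {target}")
```

An empty result means every forward to the panel is bound to the VPN interface, which matches the workaround described above.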