Slashdot Mirror


IoT Home Alarm System Can Be Easily Hacked and Spoofed (cybergibbons.com)

An anonymous reader writes: In the never-ending series of hackable, improperly protected IoT devices, today we hear about an IoT smart home alarm system that works over IP. Made by RSI Videofied, the W Panel features no encryption, no integrity protection, no sequence numbers for packets, and a predictable authentication system. Security researchers who investigated the devices say, "The RSI Videofied system has a level of security that is worthless. It looks like they tried something and used a common algorithm – AES – but messed it up so badly that they may as well have stuck with plaintext."

123 comments

  1. I'm not surprised by TWX · · Score: 4, Insightful

    I've worked with security companies that do lower-end security before. They've e-mailed usernames and passwords to me across the Internet.

    There's no licensing or aptitude testing necessary to operate a security company. Anyone can form a business and call it a security business, and often people that have no technical background will do it because there's a market to be served, even if they should not be the ones serving it.

    --
    Do not look into laser with remaining eye.
    1. Re:I'm not surprised by jittles · · Score: 2

      I spent a lot of time working for a security company that did high end enterprise systems. I hope they've changed their ways but their idea of security about 15 years ago was to just base64 encode your credentials when you log in. Once you logged in you used a token. Their digital signatures on video frames were inadequate also and it was quite possible to alter a frame and then resign it after the fact. Oh and all of the devices allowed root login and had a shared password across all networks.

    2. Re:I'm not surprised by Lumpy · · Score: 2

      90% of all ADT alarms installed use the zipcode as the installer/backdoor access code.
      95% of all alarms installed by companies use the house address as the default code for the customer at install time and NEVER have the code changed.

      Alarm systems typically are only used for notification to the homeowner that they need to call the insurance company for a claim.

      --
      Do not look at laser with remaining good eye.
    3. Re:I'm not surprised by JaredOfEuropa · · Score: 2

      No licensing required... but how about making them liable? I'm not a big fan of a litigious society of ambulance chasers (or lawyers in general), and I don't think IT or "security" firms should pay damages for every single thing that can possibly go wrong, but in a case of gross negligence like leaving default passwords or having no encryption whatsoever on links, they should be at least held liable for damages suffered.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:I'm not surprised by TWX · · Score: 1

      No licensing required... but how about making them liable? I'm not a big fan of a litigious society of ambulance chasers (or lawyers in general), and I don't think IT or "security" firms should pay damages for every single thing that can possibly go wrong, but in a case of gross negligence like leaving default passwords or having no encryption whatsoever on links, they should be at least held liable for damages suffered.

      When one relatively faceless organization works with another relatively faceless organization it requires the victim-company to have someone on staff who cares about the problems with enough seniority and clout to make a big deal of those problems. If that person doesn't exist then nothing will be done about it.

      --
      Do not look into laser with remaining eye.
    5. Re:I'm not surprised by Anonymous Coward · · Score: 0

      "ambulance chasers" as an entire idea were pushed into the public mind by these very same corporations. Not being held accountable was what tort reform was all about. They got what they paid for, just like they always do.

    6. Re: I'm not surprised by Anonymous Coward · · Score: 1

      This is how they have a product designed for security guarantee a profit to the investors. Hire a Chinese factory to mass produce some crap cobbled together in a nice new shiny package with "SECURITY" stickers all over it. Include an 'instruction manual' detailing the tedious process of actually using it, but never once actually hire anyone who knows anything about security, which is of course where all the value is supposed to lie.
      Tbh it is not that difficult to build and install a secure system, but you must take measures to maintain robustness. And yes you will have to run wires to a main server/hd recorder. All this bs about just plug it in and turn it on is BS.

    7. Re:I'm not surprised by Darinbob · · Score: 1

      It's also a startup mentality. Get an entrepreneur with zero skills, but with an "idea". Then watch as a company is created to turn that idea into a product despite the lack of competence to create such a product. That's because the goal of a company is to make money. Without customer or investor demand there is no need for quality.

    8. Re: I'm not surprised by Darinbob · · Score: 1

      A fundamental feature of security is that it is opposed to convenience. Adding convenience subtracts from security. Passwords are inconvenient, dongles are inconvenient, PINs for the debit cards are inconvenient, little metal keys to the front door are inconvenient. But if you want to sell to customers then you need to increase convenience. The result is that if customers are not specifically asking for security and verifying the security actually exists, companies aren't going to bother too much about security. A security sticker serves the purpose it was intended for.

      I work in a building once used by a company that stored all their customers' passwords in plaintext, and apparently the CEO was warned about this but took no action. After a hacker breach exposed all the data this made a couple of buildings available for us to expand into.

    9. Re:I'm not surprised by wardrich86 · · Score: 1

      To be fair, the 95% stat is user-stupidity.

    10. Re: I'm not surprised by Anonymous Coward · · Score: 0

      In Texas you do have to be certified and licensed. You live in a fkd up state.

  2. This would make you a target. by Anonymous Coward · · Score: 0

    1. Find someone with enough stuff that they feel like they need an alarm system.
    2. Find someone stupid enough to buy a hackable alarm system that's part of the IoT.
    3. Jackpot!

    1. Re:This would make you a target. by Grishnakh · · Score: 1

      I see a market here, for selling tools to burglars to hack these crappy alarm systems.

    2. Re:This would make you a target. by Mr+D+from+63 · · Score: 1

      1. Find someone with enough stuff that they feel like they need an alarm system. 2. Find someone stupid enough to buy a hackable alarm system that's part of the IoT. 3. Jackpot!

      Maybe it will take an actual exploit and burglary to change things. But apparently, despite all the talk about how easy it is, that has not yet happened. Hackers tend to have an aversion to physically showing up at their targets.

    3. Re:This would make you a target. by losfromla · · Score: 1

      Maybe people need to form teams like the TV Show "Person Of Interest", one is the hacker/brain, the other is the muscle. One hacks, the other boosts... Profit!

      --
      Only I can judge you.
    4. Re:This would make you a target. by Anonymous Coward · · Score: 0

      Maybe it will take an actual exploit and burglary to change things. But apparently, despite all the talk about how easy it is, that has not yet happened. Hackers tend to have an aversion to physically showing up at their targets.

      Sure, but hackers can cooperate. You test-hack your own alarm, or perhaps the alarm of some relative that lets you have a go at it. Then you make an alarm-hacking app (or at least a PC program) so easy to use that even your average burglar can try it out. Then you share it.

      Or if you really want to monetize such a thing, sell it to the mob . . .

    5. Re:This would make you a target. by cybergibbons · · Score: 1

      I have been tempted. For each issue I disclose, there are probably ten others I have kept under my belt. An RF jammer that takes out 80% of wireless alarms in the UK can be built for about £5 in parts...

    6. Re:This would make you a target. by cybergibbons · · Score: 1

      I have yet to be approached by the mob, but I have had some very dubious emails.

    7. Re:This would make you a target. by Zero__Kelvin · · Score: 1

      "Maybe it will take an actual exploit and burglary to change things."

      Do you actually believe that none of these vulnerabilities have been exploited in the wild? Seriously? Because I assure you that there have been plenty of actual exploits and burglaries.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:This would make you a target. by Mr+D+from+63 · · Score: 1

      "Maybe it will take an actual exploit and burglary to change things."

      Do you actually believe that none of these vulnerabilities have been exploited in the wild? Seriously? Because I assure you that there have been plenty of actual exploits and burglaries.

      Please provide some examples. I have doubts about your "assurance". Just one real report would suffice.

    9. Re:This would make you a target. by Zero__Kelvin · · Score: 1

      The fact that you think it is possible that nobody anywhere on the planet is doing it is almost "cutely" naive.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    10. Re:This would make you a target. by Mr+D+from+63 · · Score: 1

      I see. It is your opinion that it is happening, with no evidence to support. Thanks.

  3. Is this really as typical as it seems? by QuietLagoon · · Score: 2
    Over the past year or so, I've been seeing far too many of these shoddy security implementations with IoT devices.

    Are the developers of such devices really this incompetent?

    Are they really so focused on jumping on the IoT revenue bandwagon that they give the actual security of their devices a passing glance, if that?

    Some of these security lapses seem to border on criminality...

    1. Re:Is this really as typical as it seems? by Anonymous Coward · · Score: 0

      Yes

    2. Re:Is this really as typical as it seems? by UnknowingFool · · Score: 1

      Are the developers of such devices really this incompetent?

      My guess would be that they were told to implement it in a certain way. They may have had objections but were overruled by management.

      Are they really so focused on jumping on the IoT revenue bandwagon that they give the actual security of their devices a passing glance, if that?

      Yes. I find this is the most plausible explanation: "Make it work on the interwebs! By next week!"

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re:Is this really as typical as it seems? by QuietLagoon · · Score: 1

      They may have had objections but were overruled by management.

      In my experience, that would be a correct assessment.

    4. Re:Is this really as typical as it seems? by The-Ixian · · Score: 0

      IoT is new and comes along at a time when the technology it sits on top of is also relatively new.

      We do not yet know how to make truly secure systems. Even really smart people have trouble with this because there just aren't enough examples yet of systems "done right".

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:Is this really as typical as it seems? by Anonymous Coward · · Score: 0

      Sadly

    6. Re:Is this really as typical as it seems? by RobinH · · Score: 1

      At a previous company we were making kiosks for securing some rather high value items. The storage lockers and the kiosk used an off-the-shelf Bluetooth board to communicate. My boss defined the communication spec, and part of it was that the kiosk had to use a hard coded password to the lockers in order to "authenticate." I had several arguments with him about how this wasn't really secure, and I proposed other ways to do it. Eventually he got annoyed (nobody likes being told they might be wrong). He told me in his best "bosses voice": "it's good enough." So we did it that way. That's how this shit happens. There were other security problems, like the fact that it was hooked to the customer's office network over their WiFi (with a WEP password), and included a built-in webserver for web reports, only used HTTP (not SSL). Even if the web interface used a password (can't remember) it likely sent it across in the clear.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    7. Re:Is this really as typical as it seems? by silas_moeckel · · Score: 1

      Security is new? These security devices fail because they make unacceptable tradeoffs, generally from rolling their own implementation. There is a reason for standards. In the move from NO/NC devices these guys are trying to get device lock-in. Reality is a PIR motion sensor is a few bucks but they really want to sell one for 50. If they conformed to a legit standard like zwave they would have to work with other bits of kit and thus compete. Zigbee is a cluster because it does not define a high level and require its use. It's little different from the hard wired days when you needed the master password to program your panel but were beholden on the company that installed it to give it to you (and my favorite, charge me to change it since they used the same one on every device they installed).

      --
      No sir I dont like it.
    8. Re:Is this really as typical as it seems? by gstoddart · · Score: 1

      My guess would be that they were told to implement it in a certain way. They may have had objections but were overruled by management.

      To the consumer, incompetence by managerial decree is impossible to differentiate from incompetent technical design.

      The product's security is shit. Why it's shit is irrelevant.

      So, sure, blame whoever you want. The key thing is here that as many people as possible should be told the product is so terribly insecure as to defeat its entire purpose.

      Unless, of course, actual security isn't the purpose. In which case it's doubly important to tell people not to use it.

      --
      Lost at C:>. Found at C.
    9. Re:Is this really as typical as it seems? by QuietLagoon · · Score: 1

      ...We do not yet know how to make truly secure systems...

      While that could be debated from now until doomsday, I'll take a different approach...

      We do know how to create systems that are very significantly more secure than the insecure garbage that is currently being sold.

      The fact that many (most?) IoT companies don't even meet a minimum level of security is bordering on criminality, imo.

    10. Re:Is this really as typical as it seems? by Anonymous Coward · · Score: 0

      We do not yet know how to make truly secure systems.

      If by "truly secure", you mean 100% secure, you're right. We'll never know that though. Security isn't binary. It's always a spectrum with difficulty of breaking the security vs payoff. A locked filing cabinet has cheap locks and is easily gotten past. But it normally provides enough security from the threat of casual snooping.

      Even really smart people have trouble with this because there just aren't enough examples yet of systems "done right".

      No. Smart people do it wrong because they think security is just another programming task, and they can just pick something they think is "hard", and go on. They don't realize that a lot of security is just choosing well tested and vetted methods, rather than trying to be the smartest guy in the room and "roll your own".

    11. Re:Is this really as typical as it seems? by Anonymous Coward · · Score: 0

      We do not yet know how to make truly secure systems.

      While there is no perfect security possible outside of the most trivial systems, we DO know how to make really, really good security. That much is a solved, available off-the-shelf as open source, problem.

    12. Re: Is this really as typical as it seems? by Anonymous Coward · · Score: 0

      Yes, they are incompetent. They are from Hyderabad.

    13. Re:Is this really as typical as it seems? by beschra · · Score: 1

      The purpose of the system is to keep you from being robbed. Until burglars learn that a sticker like "security by X" is a joke, they'll move on to a house with no sticker. So there's probably still some value for now.

      --
      It is unwise to ascribe motive
    14. Re:Is this really as typical as it seems? by SQLGuru · · Score: 1

      Just buy the sign. It's probably MORE secure because regular burglars will by-pass because you have a system.....and hackers will spend half a day trying to hack into a non-existent alarm system.....hopefully enough time for someone to come home and notice them so they get scared off.

    15. Re:Is this really as typical as it seems? by Ungrounded+Lightning · · Score: 2

      New technology market deployments go in stages, including the following:
        1) The underlying technology becomes available and financially viable. The window opens.
        2) An explosion of companies introduce competing products and try to capture market share. They are in a race to jump through the window.
        3) There is a shakeout: A handful become the dominant producers and the rest die off or move on to other things. The window has closed.

      We've seen this over and over. (Two examples from a few decades back were the explosions of Unix boxes and PC graphics accelerator chips.)

      IoT applications recently passed stage 1), with the introduction of $1-ish priced, ultra-low-power (batteries last for years) systems-on-a-chip (computer, radio peripheral, miscellaneous sensor and other device interfaces) from TI, Nordic, Dialog, and others. It's in stage 2) now.

      In stage 2) there's a race to get to market. Wait too long and your competitors eat your lunch and you die before deploying at all. So PHBs do things like deploy proof-of-concept lab prototypes as products, as soon as they work at all (or even BEFORE they do. B-b ) They figure that implementing a good security architecture up front will make them miss the window, and (if they think that far ahead at all) that they can fix it with upgrades later, after they're established, have financing, adequate staffing, and time to do it right - or at least well enough.

      So right now you're seeing the IoT products that came out first - which means mostly the ones that either ignored security entirely or haven't gotten it set up right yet. Give it some time and you'll see better security - either from improvements among the early movers or new entrants who took the time to do it right and managed to survive long enough to get to market. Then you'll see a shakeout, as those who got SOMETHING wrong fail in competition with those who got it right.

      If we're lucky, one of the "somethings" will be security. But Microsoft's example shows that's not necessarily a given.

      In this case, though, the POINT of the product is security, so getting it wrong - visibly - may be a company killer. (I see that, in the wake of the exposure, the company is promising a field upgrade with this issue fixed in about a month. If it does happen, and comes out before the crooks develop and use an exploit, perhaps this company will become another example for the PHBs to point at when they push the engineers for fast schlock rather than slow solid-as-rocks.)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    16. Re:Is this really as typical as it seems? by R3d+M3rcury · · Score: 1

      Give it some time and you'll see better security - either from improvements among the early movers or new entrants who took the time to do it right and managed to survive long enough to get to market.

      ...or there will be some public exploit that makes the news and suddenly makes it a priority over some really cool demo-able feature that has to be added before the next trade show.

    17. Re:Is this really as typical as it seems? by cybergibbons · · Score: 1

      This is a massive part of it. It's easy, even trivial, to develop a system more secure than this. You can just use HTTPS and any API. Even if you completely forget certificate pinning etc. it is still more secure than this.

    18. Re:Is this really as typical as it seems? by cybergibbons · · Score: 1

      If you are willing to share privately, please contact me via the contact form on the website cybergibbons.com. What you are describing sounds right up my street.

    19. Re:Is this really as typical as it seems? by Zero__Kelvin · · Score: 1

      "We do not yet know how to make truly secure systems"

      Just how many banks do you think there are in the world? You seem to think there are few or none. There are many, many truly secure systems. There are also many more hacks who don't understand security, but want to get in on the IoT wave early in the game; competence be damned.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    20. Re:Is this really as typical as it seems? by Anonymous Coward · · Score: 1

      I worked for this sort of small company. Three tech staff, two bosses - one highly "agile" (read: massively over-caffeinated), one indifferent. Bosses negotiate contracts from wherever the hell they can, all manner of areas, so long as they think they can make money. The first you hear about the new product is when they send you an email saying "do this by *insert ridiculously short deadline*" and you have entirely too little time to research, learn, price and implement something you are entirely unfamiliar with. At the end the customer only sees the shiny shell, not the horribly kludged together innards you threw together in an unfamiliar language, working with tech you had no prior experience with on a deadline that had only the most tenuous connection with reality.

      Now the company in question didn't do any IoT work when I was there ("just" sensor nets, building control, lighting, a bit of hardware design, A/V, art installations... among others), but they were precisely the sort of company that would whip up an IoT product at the drop of a hat, which is precisely how this sort of thing happens. Person without the necessary time to tool up, working on a ridiculous deadline (and probably several other projects simultaneously) just trying to get something out the door before the next assignment falls on them from above. They do their best, but...

      I'm glad I'm not working there anymore.

    21. Re:Is this really as typical as it seems? by Darinbob · · Score: 1

      You confuse "developers" with "management" and "architects". The developers almost never have any control over the product except to implement it as directed from above. If the management never hired security experts then there won't be any security of note. If the architects never considered security then it won't exist. Many of these companies probably just had someone at the board meetings wave their hands saying "yes, yes, our developers will add security, now let's not worry about such details and instead direct your attention to these slides about projected revenue".

      I'm also amazed at how a lot of people just believe all the marketing, even internal marketing where they should know better. The people who run a company really prefer to stay beyond arms length from the actual products, they don't want to know how sausage is made or even know that a pig is involved.

    22. Re:Is this really as typical as it seems? by Darinbob · · Score: 1

      "So, we've got an IoT module, so let's plug it into a home security system and see if we can sell it."

    23. Re:Is this really as typical as it seems? by Darinbob · · Score: 1

      Zigbee is a mess at the low level too. Industry consortiums can create standards without ever having experts involved.

    24. Re:Is this really as typical as it seems? by Anonymous Coward · · Score: 0

      Using one of these chips now. A disaster. Smaller than we need but objections were overruled (I'm sure you can optimize your code more). The chip was essentially pre-beta; things didn't work, some of the key bullet points in the marketing literature never got implemented, each release changed the registers and drivers, the only debugger was a piece of crap that only runs under Windows for extra pain, the customer support team would take weeks or months to get answers to our questions, etc. Meanwhile management gave us a deadline.

    25. Re:Is this really as typical as it seems? by turbidostato · · Score: 1

      "The purpose of the system is to keep you from being robbed."

      Wrong. The purpose of the system is to make money.

      "Until burglars learn that a sticker like "security by X" is a joke, they'll move on to a house with no sticker. So there's probably still some value for now."

      Oh, you meant the purpose... of the customer. Well, a friend of mine did exactly that: he put a sticker of a reputed security company on his door and done with it. Same security level at a lower cost.

    26. Re:Is this really as typical as it seems? by goose-incarnated · · Score: 1

      For physical security including access and lockout, having *any* wireless sensor is downright stupid, never mind if it is zwave, zigbee or $FOO-FROM-2025. Wireless listeners can be DOSed very easily, very cheaply and very reliably.

      Dumb NO/NC wired listeners are incredibly hard to DOS and require actual breaking and entering to achieve. And when you do, you only manage to kill a single sensor at a time. When you flood the airwaves with junk signal of the correct wavelength, you effectively shut down the listener's ability to report sensibly, and you do it from over the fence, 20 times throughout the night until the building security finally gives up and turns the system off.

      --
      I'm a minority race. Save your vitriol for white people.
    27. Re:Is this really as typical as it seems? by silas_moeckel · · Score: 1

      In general at the home level security is for the discount on your homeowners policy; unless the insurance companies stop giving that for wireless installs not much will change. Reality is the quick smash and grab will be in and out before anybody shows up; response times in the 5+ minutes give a lot of leeway.

      Hate to break it to you but wired alarms are easily defeated with stock cellphone jammers and some wire cutters; no internet/landline and no cell phone means no way to alert anybody outside a local siren (which a BB gun can deal with). It even stops anybody in the house from calling for help.

      Personally I use a mix, wired CCTV and wired and wireless sensors. The primary security bits are wired with a traditional panel to make the insurance guy happy. CCTV, HA and Security all feed up to a controller for the home. This way security sensors can be fed back into HA, new HA sensors that are useful but not perfect for security can feed back into security, same for CCTV. By not perfect: HA motion cares about people in rooms, even specific spots in the room; security cares about belt and suspenders, covering doors, windows, and traffic pinch points when those doors and windows have open/close sensors and glass break sensors. Frankly the CCTV is probably the most useful since once an alarm is triggered I can see what is going on. I average one false alert in a year or so. The security aspects are very much secondary to the HA with the comfort and usability gains that brings but it was a fun project. Mind you it would be very different if I was living in a city apartment vs on acres at the far end of the burbs.

      --
      No sir I dont like it.
    28. Re:Is this really as typical as it seems? by Anonymous Coward · · Score: 0

      In general at the home level security is for the discount on your homeowners policy; unless the insurance companies stop giving that for wireless installs not much will change. Reality is the quick smash and grab will be in and out before anybody shows up; response times in the 5+ minutes give a lot of leeway.

      I agree. Fully.

      Hate to break it to you but wired alarms are easily defeated with stock cellphone jammers and some wire cutters; no internet/landline and no cell phone means no way to alert anybody outside a local siren (which a BB gun can deal with).

      I've got to disagree on this bit. I live in a house (freestanding, remote) in South Africa. Our high crime-levels make our country the best place to test any security product. My wired alarm cannot be defeated with a cellphone-jammer (it uses more than a cell-phone to alert), nor with wire-cutters (uses more than the landline). It contacts the response team using a different (proprietary, probably) RF, supplied by the response company. Sure, you can defeat that too (eventually).

      However, my comment was not about defeating the call-out. My comment was directed more at the newer alarms I see that use wireless sensors (zwave, zigbee, etc). The alarm control panel can be easily DOSed preventing any communication with any sensor. With wired sensors you have to physically gain access to cut the wires, and even then you cannot DOS the alarm, hence my comment about the general uselessness of wireless sensors for security.

      IOW, with wired sensors the alarm will at least alert me and my dogs with a siren. With wireless sensors the siren won't even go off.

      Home security is not easy, and solutions advertising "no wires - just place these sensors wherever you need them" are broken by design. You aren't going to DOS a wired-sensor solution with the ease that you defeat a wireless-sensor solution.

      (BTW: Yes, it's goose - too lazy to log in right now)

  4. You know what they say... by Anonymous Coward · · Score: 0

    App appers who app other apps get apped!

    Apps!

    1. Re:You know what they say... by PPH · · Score: 1

      Mooo?

      --
      Have gnu, will travel.
  5. For fun by Anonymous Coward · · Score: 0

    Check out shodan.io

  6. WTF??? by gstoddart · · Score: 2

    today we hear about an IoT smart home alarm system that works over IP. Made by RSI Videofied, the W Panel features no encryption, no integrity protection, no sequence numbers for packets, and a predictable authentication system. Security researchers who investigated the devices say, "The RSI Videofied system has a level of security that is worthless.

    So, the makers of the "W Panel" are lazy, incompetent people who have no business making a security system? Or they're greedy, cheap people who have no business making a security system?

    Blah blah blah Insecurity of Things written by people who are either incompetent or indifferent to security, yet another product which is more marketing than substance, and yet another product which sounds like it's utterly useless.

    Tell you what, can we assume all IoT shit is broken, defective, and insecure ... and then only have the stories when someone builds one which isn't?

    Yet another product created purely by the marketing and sales people, and stunningly incompetently done at the tech level.

      They may know something about video. But apparently they don't know a damned thing about security. This is worse than vaporware ... this is a product which is so utterly unfit for the purposes it's being sold for as to be dangerous.

    --
    Lost at C:>. Found at C.
    1. Re:WTF??? by ColdWetDog · · Score: 1

      All of the Sturm und Drang aside, these sorts of devices are probably OK for much of their intended use - getting some pics of the teenage lowlife that trashes your apartment looking for something to fence. These people are not even going to unplug the phone or power. They're going to grab and run.

      No, it won't protect your million dollar stamp collection from the Ukrainian mafia boss who has been salivating about some particular bit of old paper. It's not designed for that. Of course, adding some real security would not be all that hard and we should hammer these idjits, but get a grip. This is about the same level of protection that a typical alarm company offers you.

      Some, not all that much.

      --
      Faster! Faster! Faster would be better!
    2. Re:WTF??? by phantomfive · · Score: 2

      IoT is a party. It makes DEFCON so much more interesting. I love it.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:WTF??? by gstoddart · · Score: 1

      No, I'll make this explicit: this is a web-cam, pretending it's a security/alarm system.

      Buy a nanny cam. Buy a better door lock. Buy a dog.

      This is about the same level of protection that a typical alarm company offers you.

      I very much doubt a typical alarm company is providing you with something which is broken on the level of this thing

      The entire authentication process is decoupled from the actual device, and attackers can easily spoof device IDs and gain access and control over someone else's alarm system.

      To make matters worse, nothing is encrypted, all communications are blurted out in cleartext, there is no message integrity protection mechanism and no sequence numbers for network packets.

      Sorry, but that level of defective is beyond anything you can try to excuse.

      But then again, people seem to have accepted that IoT will have security written by blind and drunk monkeys, but that it's good enough. So you buy one, and I'll continue to believe the IoT is just another opportunity for assholes in marketing to pretend they have a useful product.

      --
      Lost at C:>. Found at C.
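      The two missing properties the post above quotes, integrity protection and sequence numbers, are exactly what a receiver needs in order to reject a tampered or replayed packet. The following is an added example, not code from this thread or from RSI Videofied; the wire format (device id, sequence number, payload, HMAC-SHA256 tag), the demo key and the device id 42 are all constructed assumptions.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real panel would provision one secret per device.
DEVICE_KEY = b"constructed-demo-key-do-not-reuse"

HEADER_LEN = 12  # 4-byte device id + 8-byte sequence number
TAG_LEN = 32     # HMAC-SHA256 digest length


def build_message(key: bytes, device_id: int, seq: int, payload: bytes) -> bytes:
    """Assumed wire format: device_id (4 bytes) | seq (8 bytes) | payload | tag.

    The tag covers the header as well as the payload, so neither the
    claimed device id nor the sequence number can be altered in transit.
    """
    body = struct.pack(">IQ", device_id, seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Server-side check: authenticate first, then enforce monotonic sequence numbers."""

    def __init__(self, keys_by_device):
        self.keys = keys_by_device  # device_id -> shared key
        self.last_seq = {}          # device_id -> highest sequence number accepted

    def accept(self, msg: bytes):
        """Return (ok, reason, payload); reject truncation, unknown ids, bad tags, replays."""
        if len(msg) < HEADER_LEN + TAG_LEN:
            return False, "truncated", None
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        device_id, seq = struct.unpack(">IQ", body[:HEADER_LEN])
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device", None
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time comparison, and no state is touched until the tag verifies,
        # so an unauthenticated sender cannot advance or probe the sequence window.
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag", None
        if seq <= self.last_seq.get(device_id, -1):
            return False, "replay", None
        self.last_seq[device_id] = seq
        return True, "ok", body[HEADER_LEN:]


def demo():
    """Walk a receiver through a genuine, replayed, tampered and forged packet."""
    rx = Receiver({42: DEVICE_KEY})
    results = []
    m1 = build_message(DEVICE_KEY, 42, 1, b"ARM")
    results.append(rx.accept(m1)[1])                 # fresh, authentic -> ok
    results.append(rx.accept(m1)[1])                 # same bytes again -> replay
    tampered = bytearray(m1)
    tampered[HEADER_LEN] ^= 0x01                     # one payload byte changed in transit
    results.append(rx.accept(bytes(tampered))[1])    # tag no longer matches -> bad tag
    forged = build_message(b"wrong-key", 42, 2, b"DISARM")  # claims id 42 without its key
    results.append(rx.accept(forged)[1])             # bad tag
    m2 = build_message(DEVICE_KEY, 42, 2, b"DISARM")
    results.append(rx.accept(m2)[1])                 # next genuine packet -> ok
    return results
```

      Confidentiality, the other property the post says is missing, would need an authenticated cipher layered on top of this; the point here is that a tag plus a monotonic counter is already enough to make spoofed and replayed packets fail closed.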
    4. Re:WTF??? by KGIII · · Score: 1

      I've not been to DEFCON in a while, three years ago actually, is "Spot the Fed" still a thing? One year a few of us made an effort to get 'em all in photos without being noticed and we'd compare and contrast and had special names for 'em. I don't remember the points value we had but we'd made a bit of a drunk-game out of it.

      --
      "So long and thanks for all the fish."
    5. Re:WTF??? by phantomfive · · Score: 1

      is "Spot the Fed" still a thing?

      I didn't see it there. Attendance has grown so dramatically that I think it would be easy for a fed to blend in now.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:WTF??? by cybergibbons · · Score: 1

      The system is actually quite different to a web-cam. It's been built from the ground-up to provide very small clips when a PIR has been detected. It's not really any more broken than anything else on the market. A week prior, I published issues in a much more critical alarm system: http://cybergibbons.com/securi...

  7. If I want IoT I'll make it myself. by AndyKron · · Score: 3, Funny

    If I want IoT I'll make it myself. It will be safe because only I will know I have it, and how it works.

    1. Re:If I want IoT I'll make it myself. by Anonymous Coward · · Score: 0

      that's called 'security through obscurity' and generally isn't recommended

    2. Re:If I want IoT I'll make it myself. by Anonymous Coward · · Score: 0


        It will be safe because only I will know I have it, and how it works

      You've just violated Kerchoff's Principle which originally came from Crytography, but which can be more generalized to apply to all of security. In general, it means that "the attacker knows the system", and that the only secrets you should be keeping are the key.

    3. Re:If I want IoT I'll make it myself. by Anonymous Coward · · Score: 0

      No, it's called "security by me and only me having the fucking ssh key".

      If I was making myself an IoT device, I'm not going to write my own low level security code from scratch. I'm going to piggyback on ssh to get data off the device and onto my computer or vice versa. Point is, NONE of my data will be going to some "cloud service" somewhere, and it will all be strongly encrypted.

      But since IoT vendors will never sell devices that let me run my own software stack, I won't be buying the devices. But hey, you all have fun!

    4. Re:If I want IoT I'll make it myself. by by+(1706743) · · Score: 2

      About 5 years ago I built a little relay box to control household outlets (inspired by http://www.tldp.org/HOWTO/Coff... ). So I can control my lights/stereo amplifier/etc. with a dinky web interface or via SMS (through Google Voice emails). Security is dubious (to say the least!), and yet somehow, I haven't been the victim of an attack, "friends" aside ;)

      Also, the HDMI CEC on the Raspberry Pi allows me to control basic features of my A/V system remotely (my TV and receiver are not internet-enabled). Really handy given that I don't have line-of-sight access to my receiver. Much better than v1.0, which was to use a mirror...

    5. Re:If I want IoT I'll make it myself. by Anonymous Coward · · Score: 0

      See, that's you. You actually know enough to not do stupid things like try to reinvent the wheel. The OP claimed it was secure "because only I know how it works", which is at best security through obscurity, and at worst security through overconfidence.

    6. Re:If I want IoT I'll make it myself. by Grishnakh · · Score: 1

      But since IoT vendors will never sell devices that let me run my own software stack, I won't be buying the devices. But hey, you all have fun!

      I'm sure they're really going to miss a handful of sales from some nerds. Meanwhile, they'll be raking in money from millions of laypeople who have no idea that ROT13 isn't a secure algorithm. You think a typical roofer or grocery store clerk can tell the difference?

    7. Re:If I want IoT I'll make it myself. by Anonymous Coward · · Score: 0

      (same AC your reply is to, here): yes, I believe you are sadly correct. There will be people lining up by the millions to put their video camera & microphone equipped refrigerators and dolls and whatever on the internet. I have no illusions that my staying away changes anything in the big picture, but it *does* make my own data safer.

    8. Re:If I want IoT I'll make it myself. by Anonymous Coward · · Score: 0

      Security by obscurity. Nice!

      Wait, isn't that just like this vendor? Someone cobbled something together, didn't get security vetted by experts, and thought 'who'd possibly care enough to reverse engineer this?' </sarc>

  8. CERT/CC listing by campuscodi · · Score: 2

    CERT has published the researchers' security disclosure. In case someone wants to read it. http://www.kb.cert.org/vuls/id...

  9. [BUZZWORDOFTHEDAY] security system can be hacked by davidwr · · Score: 2

    It's usually* not [BUZZWORDOFTHEDAY]'s fault, it's usually the fault of incompetent, cheap, or lazy people.

    The same thing can happen with yesterday's [BUZZWORDOFTHEDAY] and the same thing will probably happen with tomorrow's [BUZZWORDOFTHEDAY]. Sigh.

    ----
    *Sometimes it is the fault of [BUZZWORDOFTHEDAY]. In that case, it might actually be "news for nerds," assuming [BUZZWORDOFTHEDAY] is a tech-related buzzword.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  10. The IoT of now and the future. by geekmux · · Score: 3, Insightful

    This just goes to show you that even with a security-centric product like an alarm system, even basic security features cannot seem to be prioritized over cost or first to market.

    Expect thousands more shitty products that lack even the most basic security to hit the IoT market before consumers pull their head out of their a...ah, what the hell am I thinking? Consumers have never given a shit about security or privacy.

    It's the very reason shitty IoT is thriving.

    1. Re:The IoT of now and the future. by gstoddart · · Score: 1

      This just goes to show you that even with a security-centric product like an alarm system, even basic security features cannot seem to be prioritized over cost or first to market.

      You know, looking at their company history, I'd say they're a video-centric product, which some ass in marketing decided to start selling as a security-centric product.

      "The RSI Videofied system has a level of security that is worthless," concluded the Cybergibbons team. "It looks like they tried something and used a common algorithm - AES - but messed it up so badly that they may as well have stuck with plaintext."

      Sorry, that's not security. That's pretending you have a product that has any business being used in security.

      Epic incompetence. Be that at the management or technical levels, it really doesn't matter.

      --
      Lost at C:>. Found at C.
    2. Re:The IoT of now and the future. by Grishnakh · · Score: 2

      ...before consumers pull their head out of their a...ah, what the hell am I thinking? Consumers have never given a shit about security or privacy.

      Exactly. Just look at how popular Facebook is.

    3. Re:The IoT of now and the future. by Anonymous Coward · · Score: 0

      and the facebook news feed is full of people complaining about privacy. Funny.

    4. Re:The IoT of now and the future. by nnull · · Score: 1

      Consumers? I see all these devices now in the industrial and professional world. I had a company call me about their lines shutting down randomly. Guess what I discovered? Someone was logging into these machines remotely from another plant and sabotaging the lines just so the plant they were working at would look better in efficiency. They weren't logging into the machine directly, but they were logging into a random display device to access the machine. And then you have all these wonderful vulnerable PLCs to access because it's on the same network and since every PLC manufacturer doesn't really give a damn about security, easy to access.

      Nobody cares about security until something happens. In fact, nobody even considered the possibility that someone was logging into the system and breaking the machines. Then someone like me shows up, fixes it for the day. But with no one maintaining anything, it's just a matter of time before it happens again. The infrastructure is not even setup to prevent something like that in the first place.

      And then you have Teamviewer, which has now taken over as an industry standard for every new machine out there with its crappy security (Really, all I need to know is the key, easy to get by just visiting the place and playing around with the UI). Teamviewer bypasses firewalls because firewalls at 90% of businesses don't really block anything. It's like an open door to everything. What a wonderful world we live in.

  11. Levels of Security by holophrastic · · Score: 1, Insightful

    I'm quite tired of the hi-tech this-security-is-hackable discussion. Of course it's hackable. Everything is. That this product doesn't require Ethan Hunt just makes it worthless for bank vaults.

    I highly doubt that this product is being sold as a replacement for secure systems. It's being sold as a supplement to, wait for it, a lock and key.

    It's better than the fake camera with the blinky light.

    This isn't slashdot-worthy news. There are lesser products out there. That's never news.

    1. Re:Levels of Security by phantomfive · · Score: 1

      I'm quite tired of the hi-tech this-security-is-hackable discussion. Of course it's hackable. Everything is.

      If you think so and can prove it, then you can earn $1000 and eternal fame by hacking DJB's qmail. Over 15 years and still hasn't been hacked.

      That this product doesn't require Ethan Hunt just makes it worthless for bank vaults.

      Even then, there are different levels of "hackable." Some things (like uefi) take six months of work to hack, but that's not what we're talking about here. Some of these IoT devices literally are running their own wifi server, with an open telnet port. When I say open, I mean it doesn't even have a password. This is how much these companies care about security.

      We're talking about the kind of security that your neighbor kid could hack after taking a high-school networking class.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Levels of Security by Anonymous Coward · · Score: 0

      Exactly. I guess 95% of the people who say this is insecure also only have (pretty insecure) normal glass in their windows, not (more secure) bullet-proof glass.

    3. Re:Levels of Security by Anonymous Coward · · Score: 0

      If you think so and can prove it, then you can earn $1000 and eternal fame by hacking DJB's qmail. Over 15 years and still hasn't been hacked.

      That's nice. Of course, the challenge is BS. I'm sure DJB will hand out the check if you play by his rules, but that's not really the point as the game is rigged. The reality is that qmail is just one piece of a system, and one that's never updated and of limited functionality. Do you really just run one qmail system and that's it? No client end, no other servers, no other services, no passwords, nothing?

      The real world is much more complicated than one service.

    4. Re:Levels of Security by Grishnakh · · Score: 1

      No, it's more like having a window on your house with a big red button on the outside that says "press to open".

    5. Re:Levels of Security by phantomfive · · Score: 1

      The point of his system is to show that it really is possible to write secure software.

      Do you really just run one qmail system and that's it? No client end, no other servers, no other services, no passwords, nothing?

      The other systems should be made securely. DJB showed it's possible to write highly secure software. But fwiw it's not uncommon to only run one service on a server, especially now with VMs making it so cheap to do so. And passwords are archaic, we don't even use them with git anymore.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Levels of Security by Anonymous Coward · · Score: 0

      The real world is much more complicated than one service.

      And yet ironically, how many firewalls open but one TCP port talking to the outside world in order to communicate to that one web service...

      Much like cell phones these days, we make most shit obscenely complicated.

    7. Re:Levels of Security by tlambert · · Score: 1

      I'm quite tired of the hi-tech this-security-is-hackable discussion. Of course it's hackable. Everything is.

      If you think so and can prove it, then you can earn $1000 and eternal fame by hacking DJB's qmail. Over 15 years and still hasn't been hacked.

      Actually, it has been hacked, and it's relatively easy to do.

      Functional decomposition is a really poor way of abstracting complexity, when it's being used in isolation, and does not include mandatory boundary layer order and direction of operations over said boundary.

      I really don't need to spend $1,000 worth of my time to argue with DJB, when he'll happily argue with anyone for free.

    8. Re:Levels of Security by phantomfive · · Score: 1

      Actually, it has been hacked, and it's relatively easy to do.

      [citation needed]

      --
      "First they came for the slanderers and i said nothing."
    9. Re:Levels of Security by cybergibbons · · Score: 1

      This product is being sold as a replacement for secure products. The company very much pitch themselves as secure from advanced attackers. They've even boasted how their wireless side is secure: https://www.videofied.com/_ass...

    10. Re:Levels of Security by cybergibbons · · Score: 1

      Probably, but I don't see any secure alternative to glass windows. There are secure alternatives - at little to no cost - for crappy netsec though.

    11. Re:Levels of Security by tlambert · · Score: 1

      Actually, it has been hacked, and it's relatively easy to do.

      [citation needed]

      http://marc.info/?l=qmail&m=14...

    12. Re:Levels of Security by phantomfive · · Score: 1

      Meh, qmail could probably do better in its handling of .forward, but if you upgrade your bash then it's not a problem anymore. the worst you can say is that qmail relies too much on things in the unix environment when it shouldn't. Which is a problem, but only because other things are not secure.

      --
      "First they came for the slanderers and i said nothing."
    13. Re: Levels of Security by Anonymous Coward · · Score: 0

      So basically we just need to make sure we deadbolt it too huh-lol

    14. Re:Levels of Security by phantomfive · · Score: 1

      btw, I'm pretty sure you have an interesting point here when you said this:

      Functional decomposition is a really poor way of abstracting complexity, when it's being used in isolation, and does not include mandatory boundary layer order and direction of operations over said boundary.

      but I'm not entirely sure what you meant. Could you clarify? What other option is there besides functional decomposition?

      --
      "First they came for the slanderers and i said nothing."
    15. Re:Levels of Security by Zero__Kelvin · · Score: 1

      Here's your citation

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    16. Re:Levels of Security by phantomfive · · Score: 1

      That's a cool one, but it's in djbdns, not in qmail, which is what I was asking about.

      (Also, the world would be a better place if Microsoft and other large companies apologized every time they released software with a security flaw)

      --
      "First they came for the slanderers and i said nothing."
    17. Re:Levels of Security by tlambert · · Score: 1

      btw, I'm pretty sure you have an interesting point here when you said this:

      Functional decomposition is a really poor way of abstracting complexity, when it's being used in isolation, and does not include mandatory boundary layer order and direction of operations over said boundary.

      but I'm not entirely sure what you meant. Could you clarify? What other option is there besides functional decomposition?

      DJB's philosophy is to minimize individual attack surfaces by reducing code complexity. This has three components, of which DJB himself is a proponent of two of them. I'm not sure whether this is because he doesn't realize that it's a consequence of his implementation paradigm, or whether he simply thinks it's too obvious to talk about. These are the components:

      (1) Reduce complexity by separating the problem domains into individual processes. This separates necessary privilege escalations from other code, and separates cross-functionality address space based attacks on the code.

      (2) Reduce complexity into functional time domains involving serialization of operations which could (potentially) otherwise take place in parallel. This is also done through use of individual processes, but is based on the trigger initiating the processes being separate, and therefore not under the control of an attacker. This increases the difficulty of an attack by requiring serial attacks for each component between the intermediate targets and the final target of an exploit (as in the previously referenced "shellshock" attack). For a shellshock attack, this particular precaution was meaningless, since there was a direct passthrough of the data without prevalidation without action before passing the data onto another component. In other words: the particular attack zips through this security precaution.

      (3) This may or may not have been intentional, but he reduces the network and system call footprint for each of the components in such a way that it reduces the remotely accessible attack surface (you can only attack things you can talk to) to something which can be firewalled, and the system call footprint of individual components into something that could have local application sandboxing applied to prevent particular system calls being used by individual program components, or even sequences of system calls being used outside a particular order, or in excess of a particular number of times. This was probably not a design goal, given that neither deep packet inspection/stateful firewalls, nor sandboxing, were utilized in most systems at the time qmail was originally written.

      That's cool and all, but it's taking a hammer to a problem which is actually a result of programmer discipline and machine architecture, and, frankly, some of those architecture issues have been addressed at the operating systems and compiler level for years, and others are better addressed through other mechanisms. It also failed miserably in intentional strategy #2, above.

      The first mechanism is boundary layer violations. The most infamous email program in existence is Microsoft Outlook, and it's for good reason. Outlook engaged in interface layering violations. These are responsible for nearly all the initially exploited Outlook vulnerabilities.

      What avoiding boundary layer violations means is that, if you are designing correctly, you identify architectural layers for your libraries in order to abstract complexity of each layer from the layer below it. As part of this, you define an interface contract: you are permitted to call down to the interfaces below yourself, and you are permitted to call across, within the same layer to auxiliary functions, but under no circumstances are you permitted to call upward. A good example of a boundary layer violation in libc is the use of a function pointer for the compare function in the qsort library routine, which will result into an upcall from the libc layer, to upper level code. In general, this should

    18. Re:Levels of Security by phantomfive · · Score: 1

      I'm not going to write an entire paper here on Slashdot.

      You already kind of did lol. This is good stuff though. I have some follow-up questions if you don't mind:

      1) How are you aware of (and able to control) lower-level things like the page size, or which functions go into which groups of pages?
      2) Why is it called "container-in-a-mailbox?"
      3) you wrote, "Most modern (predominantly research) security architectures" who is doing this research, and where can I find it?

      As part of this, you define an interface contract: you are permitted to call down to the interfaces below yourself, and you are permitted to call across, within the same layer to auxiliary functions, but under no circumstances are you permitted to call upward.

      That would ruin (or improve) a lot of modern OO techniques.

      The reason I like DJB's work is because he seems to carefully think about what problems may arise every time he writes a line of code. He may not always succeed, but if you don't have that way of thinking, you will automatically fail at "identifying architectural layers for your libraries in order to abstract complexity of each layer from the layer below it," and will have bugs no matter what rules you follow.

      --
      "First they came for the slanderers and i said nothing."
    19. Re:Levels of Security by tlambert · · Score: 1

      I'm not going to write an entire paper here on Slashdot.

      You already kind of did lol. This is good stuff though. I have some follow-up questions if you don't mind:

      1) How are you aware of (and able to control) lower-level things like the page size, or which functions go into which groups of pages?

      In a general, hand-wavy fashion, things like page size are an attribute of the compilation environment, and do not vary.

      In practice, there are some older MIPS systems and the original NeXTStep which would "gang" 4K pages into 8K pages, and of course there's the Intel variety of superpages, depending on operating mode and contents of CR4, and the PSE bit being set, with or without the PAE bit being set, to give you either 4M or 2M pages. There are also some other architectures that allow even weirder variants.

      As a general rule, most of these things other than the default are accessed via two interfaces: Either a section attribute in an executable section descriptor -- meaning it's handled by the kernel -- or via a special user mode interface for allocating large pages. The user mode interface may or may not be hidden in the malloc internals, in order to prevent direct use by a program. In addition, there are potentially device specific controls (in UNIX systems, these would be ioctl's) to map large pages into a user space process; as an example, the frame buffer memory in a Wayland or X Server, and so on.

      Practically speaking, one of the most useful things you can do with large pages in a Linux, BSD, or UNIX running on an Intel system is to put the kernel itself into large pages; location won't matter, without a kernel code injection exploit. It's useful because Intel processors maintain separate TLBs (Translation Look-aside Buffers) for large and small pages, and this means that user space processes, and kernel interrupts, traps, or traps from user space to kernel space (e.g. system calls) won't be ejecting each other's pages from the look-aside. Depending on how frequently you end up running in the kernel vs. user space, this can result in an up to about 36% performance improvement.

      One of the problems with this is that there's a known bug in Intel processors where INVLPG won't invalidate the page mappings in both, so there was an early bug that tended to hit Linux systems -- but not FreeBSD systems -- where the INVLPG instruction kicked a page out of one TLB but not both TLBs, if it was mapped in both. This was mostly an issue when you tried to convert from running in real mode to running on the PMMU, and then from there, from 4K pages to large pages. The work around is to INVLPG twice, or to reload CR3, which flushes all the TLBs (making it the "big hammer").

      Anyway, that was a digression, and in the scenario I discussed using statistical protection, you'd use the compiler and linker to make sections per function or function group, and then the linker would put linkage vtables in each of these groups when creating the executable, and then the exec function in the kernel would interpret these as allocation units, and put the sections in as few contiguous pages as possible, and then randomly locate them some place in the process address space. Which on an Intel/PPC architecture would locate them in a 64 bit virtual space, out of a 52 or 53 bit physical addressable space.

      When the loader resolved the linkages for shared libraries through the fault/fixup mechanism, it'd do it by library:section, rather than by library alone, using the per-section vtables.

      2) Why is it called "container-in-a-mailbox?"

      Fair question.

      Historically speaking, there are several ways to pass things around around between components. One of these is via register reference to the address of the thing. Another is via stack reference to the address of the thing. Another is via descriptor (in VMS, this is the function descriptor; in Mach, this is a Mach Message that is defined in an IDL co

    20. Re:Levels of Security by phantomfive · · Score: 1

      This wouldn't entirely preclude layering violations, but it would certainly make them more difficult. That would improve security, but whether it improved the techniques?

      Here I was referring to the fact that dependency injection and callbacks and closures often make code hard to read. Java code with threads and closures with mutable variables can be inscrutable sometimes....increasing the amount of time it takes to add features (or find bugs) by an order of magnitude or two. (Of course you can use dependency injection and callbacks and still have readable code, but a lot of times that doesn't happen).

      3) you wrote, "Most modern (predominantly research) security architectures" who is doing this research, and where can I find it?

      Wow. Pretty much everyone in OS software who cares?

      IBM and Microsoft are players, OpenBSD is, for some types of things. Apple is; Linux people (though I think it was a DARPA project run by IBM?) were the first to implement ASLR; I think Apple was the first to ASLR absolutely everything? And to do page level executable signature verification in the paging path? Though I think they mostly did it for DRM reasons, rather than to be helpful to users. I think compiler stack probes came from the LLVM folks?

      I know about ASLR and page level executable signature verification lol (and I hate page level encryption in iOS but that's another story. Incidentally, on iOS you can still easily trojan an executable by adding a shared library with a c++ static initializer to the mach "load command" section. It will get run on startup. You will need to resign, but that's usually not a problem).

      Here I was asking about who is aligning page boundaries with the end of their arrays? Or is that already in GCC now? Also, who is using container in a mailbox? Because I don't think Outlook has changed this still.....

      The problem I really have with his work is that it's largely academically oriented, rather than practical.

      Fair enough. I haven't really looked at DJBDNS much so I can't really disagree with you.

      --
      "First they came for the slanderers and i said nothing."
  12. lol by Anonymous Coward · · Score: 0

    This story can't be true, look at all of the awards the company has received:
    https://www.videofied.com/eu/uk/about_us/awards_and_recognition/

  13. Use a third party firewall by gurps_npc · · Score: 1

    A company called DOJO labs sells what looks to me to be a pretty good one.

    Because it's third party, you know they can't put any special back doors allowing their company access to your equipment.

    http://techcrunch.com/2015/11/...

    --
    excitingthingstodo.blogspot.com
    1. Re:Use a third party firewall by scsirob · · Score: 1

      You, Sir, appear to be in dire need of a bridge. And it just happens to be your lucky day. I have a terrific one for sale, for a very reasonable price indeed!

      --
      To Terminate, or not to Terminate, that's the question - SCSIROB
  14. If you have an IOT alarm.... by Lumpy · · Score: 2

    Then you are a moron. Relying on the cloud for anything important and time sensitive is 100% foolish and borderline stupid.

    It's great for toys like Smartthings and Hue lights, but only a complete moron will rely on their internet and the cloud service for something like an alarm system.

    --
    Do not look at laser with remaining good eye.
    1. Re:If you have an IOT alarm.... by Anonymous Coward · · Score: 0

      Typically you only rely on internet / cloud for interacting with it remotely. If the alarm is triggered, alarm events are normally sent via voice (if installed), then cell network, followed by internet cloud alerts (notifications only in most systems).

      Time really does not matter, the police will not get there in under 30 minutes (response times locally for alarm calls in my city are 25-60 minutes), so what does an extra 2 seconds matter (assuming the control box is somewhat secure/hidden).

      The benefit of being able to arm the alarm when you're out and you realize you forgot is a great tool to have. Or when the wife forgets to arm when she leaves. The alarm is meaningless when not armed. That coupled with smaller things like alerts when the kids don't disarm by x time, or when person x disarms, or when zone y is tripped (like a safe being opened) make it more valuable.

      A security system should be treated as a "your stuff just got stolen, might as well get the insurance ball rolling" alert.

    2. Re:If you have an IOT alarm.... by Anonymous Coward · · Score: 0

      I don't have one yet, but I'm considering it for a vacation house.
      Advantages:
      - I can install a wireless setup myself, and not have to pay ongoing fees.
      - I can monitor it remotely.
      Cons:
      - It might suck or be easily hacked.
      To me, it's not worth having some $2000 alarm system plus $300/year fees to try to keep people from stealing a sofa or something. A few hundred bucks, just for peace of mind, I might do that.

    3. Re:If you have an IOT alarm.... by Anonymous Coward · · Score: 0

      Actually, MOST of the IOT alarms require the server to respond back and trigger the alarm. They are designed by morons that are following bigger morons in the executive suite.

    4. Re:If you have an IOT alarm.... by Anonymous Coward · · Score: 0

      Then you really can't afford a "vacation home" if you are whining about a $299 ADT alarm install and the $9.95 a month monitoring and cellular backup.

    5. Re:If you have an IOT alarm.... by Zero__Kelvin · · Score: 1

      Way to speak authoritatively on a subject you have no actual clue about!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:If you have an IOT alarm.... by Anonymous Coward · · Score: 0

      I can afford it, but the reason I can afford my vacation house (which I'm renting out a lot anyway) is because I'm frugal. And like I said, the install and monitoring I've been quoted is way more than $299/$10 month. If you go to ADT right now, they will GIVE you a FREE Nest thermostat. They aren't doing that because they are dirt cheap.
      Plus, I like to geek on this stuff too, so I don't really want the ADT stuff.

    7. Re:If you have an IOT alarm.... by Anonymous Coward · · Score: 0

      Because he really is an expert, and you are an unemployed idiot in your mom's basement.

  15. Match the tech to the threat by petes_PoV · · Score: 1
    Your average (or even top of the class) housebreaker is not a criminal mastermind. They do not keep up to date on security vulnerabilities and won't spend much time trying to spoof, or tap into, an internet-based alarm system. They will smash your front door or window, grab what they can and be gone before the cops arrive.

    If you want to protect against them, get a metal door or a large dog (always the best deterrent). If you want a home security system and you think that your attacker will have disabled it via a web based attack you've been watching too many bad movies. Although if you really are that impressionable, you'd be very easy for companies to sell you stuff.

    If it does turn out that your enemies really are prepared and able to hack your house, cut your phone and power, jam your mobile phone and then break in - you've got bigger problems than a little system like this, or all the guns in the world, will protect you against.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  16. homekit by Noah+Haders · · Score: 1

    I'm thinking of investing in devices that connect via Apple's Homekit system. I read that a strength of these is that the protocol puts a good layer of security on all the communications. Any opinions / thoughts on this?

    1. Re:homekit by Anonymous Coward · · Score: 0

      Put some HD cameras in the bedroom. Your front door isn't cutting it as fap material.

  17. Hype and commerce - recipe for disaster by scsirob · · Score: 1

    It's of all times. Whenever a new hype starts (cloud, drones, apps, IoT), the one and only thing that counts is 'time to market'. Companies strive to stick the new hype label on anything and everything they have, and will stop at nothing to be FIRST! Never mind quality control. Never mind test phases. If it so much as compiles, shove it out the door and hope no-one finds out the cr*p you produced before you cashed.

    IoT will be the worst failure of them all. And you must be a total idiot to connect your door lock to the Internet.

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
  18. Why is everyone trying to sell me a bridge? by tlambert · · Score: 1

    You, Sir, appear to be in dire need of a bridge. And it just happens to be your lucky day. I have a terrific one for sale, for a very reasonable price indeed!

    Why is everyone trying to sell me a bridge? The specification clearly calls for a switch...

  19. Watershed event by mcrbids · · Score: 1

    Dumb ideas that are cheap persist. That is, until there's a watershed event that puts all the stupid into sharp relief. We haven't had such an incident for IoT; give it time.

    Thanks to movies and TV, people think that encryption is something you "bypass" by having somebody who looks nerdy type furiously in front of 3 or 4 screens in an office with lots of glass and neon lights. When it's exploited by thugs who downloaded an exploit and stole their stuff by using their security system to verify that they weren't home, the word will start to spread.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  20. Re:Off Topic... by Anonymous Coward · · Score: 0

    While that may or may not be "stuff that matters", it certainly isn't news for nerds. Some governments having a meeting that was scheduled long ago - boring. No exciting hi-tech - boring. Might have some importance - but it is mere politics, not nerd stuff.

  21. The IoT of hype .. by nickweller · · Score: 1

    Enough with the IoT of hype ..

  22. What about others like ADT? by antdude · · Score: 1

    Do I assume they have the same weak security problems too?

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  23. IOT = IOSF by Anonymous Coward · · Score: 0

    The "Internet Of Things" (IOT) should be renamed "Internet Of Security Failures" (IOSF)

    This technology is total crap.

  24. Always indicative of incompetent management by DrPeper · · Score: 1

    I have some level of expertise in this field. I've been involved with numerous start-ups and IPO's. I can assure you that this is completely and 100% all due to incompetent management. Without any question or doubt.

  25. EnduranceRobots.com is looking for enthusiasts by endurancerobot · · Score: 1

    EnduranceRobots.com is looking for enthusiasts and hobbyists in the robotics and laser industry. We are looking for tech-smart people who would like to help us improve our products and positioning on the markets. We are still a very early startup and cannot pay big salaries, but we can pay some. Please have a look at our web site: endurancerobots.com, YouTube channels: http://www.youtube.com/channel... http://www.youtube.com/channel... and our Facebook: https://www.facebook.com/Endur... We are very open to all criticism: email us your ideas at gf@endurancerobots.com or Skype me: george.fomitchev