IoT Home Alarm System Can Be Easily Hacked and Spoofed

An anonymous reader writes: In the never-ending series of hackable, improperly protected IoT devices, today we hear about an IoT smart home alarm system that works over IP. Made by RSI Videofied, the W Panel features no encryption, no integrity protection, no sequence numbers for packets, and a predictable authentication system. Security researchers who investigated the devices say, "The RSI Videofied system has a level of security that is worthless. It looks like they tried something and used a common algorithm – AES – but messed it up so badly that they may as well have stuck with plaintext."

I'm not surprised

[TWX]

I've worked with security companies that do lower-end security before. They've e-mailed usernames and passwords to me across the Internet.

There's no licensing or aptitude testing necessary to operate a security company. Anyone can form a business and call it a security business, and often people that have no technical background will do it because there's a market to be served, even if they should not be the ones serving it.

Re:I'm not surprised

[jittles]

I spent a lot of time working for a security company that did high end enterprise systems. I hope they've changed their ways but their idea of security about 15 years ago was to just base64 encode your credentials when you log in. Once you logged in you used a token. Their digital signatures on video frames was inadequate also and it was quite possible to alter a frame and then resign it after the fact. Oh and all of the devices allowed root login and had a shared password across all networks.

Re:I'm not surprised

[Lumpy]

90% of all ADT alarms installed use the zipcode as the installer/backdoor access code.
95% of all alarms installed by companies use the house address as the default code for the customer at install time and NEVER have the code changed.

Alarm systems typically are only used for notification to the homeowner that they need to call the insurance company for a claim.

Re:I'm not surprised

[JaredOfEuropa]

No licensing required... but how about making them liable? I'm not a big fan of a litigious society of ambulance chasers (or lawyers in general), and I don't think IT or "security" firms should pay damages for every single thing that can possibly go wrong, but in a case of gross negligence like leaving default passwords or having no encryption whatsoever on links, they should be at least held liable for damages suffered.

Is this really as typical as it seems?

[QuietLagoon]

Over the past year or so, I've been seeing far too many of these shoddy security implementations with IoT devices.

.
Are the developers of such devices really this incompetent?

Are they really so focused on jumping on the IoT revenue bandwagon that they give the actual security of their devices a passing glance, if that?

Some of these security lapses seem to border on criminality...

Re:Is this really as typical as it seems?

[Ungrounded+Lightning]

New technology market deployments go in stages, including the following:
  1) The underlying technology becomes available and financially viable. The window opens.
  2) An explosion of companies introduce competing products and try to capture market share. They are in a race to jump through the window.
  3) There is a shakeout: A handful become the dominant producers and the rest die off or move on to other things. The window has closed.

We've seen this over and over. (Two examples from a few decades back were the explosions of Unix boxes and PC graphics accelerator chips)

IoT applications recently passed stage 1), with the introduction of $1-ish priced, ultra-low-power (batteries last for years), systems-on-a-chip (computer, radio peripheral, miscellaneous sensor and other device interfaces) from TI, Nordic, Dialog, and others. It's in stage 2) now.

In stage 2) there's a race to get to market. Wait too long and your competitors eat your lunch and you die before deploying at all. So PBHs do things like deploy proof-of-concept lab prototypes as products, as soon as they work at all (or even BEFORE they do. B-b ) They figure that implementing a good security architecture up front will make them miss the window, and (if they think that far ahead at all) that they can fix it with upgrades later, after they're established, have financing, adequate staffing, and time to do it right - or at least well enough.

So right now you're seeing the IoT producucts that came out first - which means mostly the ones that either ignored security entirely or haven't gotten it set up right yet. Give it some time and you'll see better security - either from improvements among the early movers or new entrants who took the time to do it right and managed to survive long enough to get to market. Then you'll see a shakeout, as those who got SOMETHING wrong fail in competition with those who got it right.

If we're lucky, one of the "somethings" will be security. But Microsoft's example shows that's not necessarily a given.

In this case, though, the POINT of the product is security, so getting it wrong - visibly - may be a company killer. (I see that, in the wake of the exposure, the company is promising a field upgrade with this issue fixed in about a month. If it does happen, and comes out before the crooks develop and use an exploit, perhaps this company will become another example for the PHBs to point at when they push the engineers for fast schlock rather than slow solid-as-rocks.)

WTF???

[gstoddart]

today we hear about an IoT smart home alarm system that works over IP. Made by RSI Videofied, the W Panel features no encryption, no integrity protection, no sequence numbers for packets, and a predictable authentication system. Security researchers who investigated the devices say, "The RSI Videofied system has a level of security that is worthless.

So, the makers of the "W Panel" are lazy, incompetent people who have no business making a security system? Or they're greedy, cheap people who have no business making a security system?

Blah blah blah Insecurity of Things written by people who are either incompetent or indifferent to security, yet another product which is more marketing than substance, and yet another product which sounds like it's utterly useless.

Tell you what, can we assume all IoT shit is broken, defective, and insecure ... and then only have the stories when someone builds one which isn't?

Yet another product created purely by the marketing and sales people, and stunningly incompetently done at the tech level.

They make know something about video. But apparently they don't know a damned thing about security. This is worse than vaporware ... this is a product which is so utterly unfit for the purposes it's being sold for as to be dangerous.

Re:WTF???

[phantomfive]

IoT is a party. It makes DEFCON so much more interesting. I love it.

If I want IoT I'll make it myself.

[AndyKron]

If I want IoT I'll make it myself. It will be safe because only I will know I have it, and how it works.

Re:If I want IoT I'll make it myself.

[by+(1706743)]

About 5 years ago I built a little relay box to control household outlets (inspired by http://www.tldp.org/HOWTO/Coff... ). So I can control my lights/stereo amplifier/etc. with a dinky web interface or via SMS (through Google Voice emails). Security is dubious (to say the least!), and yet somehow, I haven't been the victim of an attack, "friends" aside ;)

Also, the HDMI CEC on the Raspberry Pi allows me to control basic features of my A/V system remotely (my TV and receiver are not internet-enabled). Really handy given that I don't have line-of-sight access to my receiver. Much better than v1.0, which was to use a mirror...

CERT/CC listing

[campuscodi]

CERT has published the researchers' security disclosure. In case someone wants to read it. http://www.kb.cert.org/vuls/id...

[BUZZWORDOFTHEDAY] security system can be hacked

[davidwr]

It's usually* not [BUZZWORDOFTHEDAY]'s fault, it's usually the fault of incompetent, cheap, or lazy people.

The same thing can happen with yesterday's [BUZZWORDOFTHEDAY] and the same thing will probably happen with tomorrow's [BUZZWORDOFTHEDAY]. Sigh.

----
*Sometimes it is the fault of [BUZZWORDOFTHEDAY]. In that case, it might actually be "news for nerds," assuming [BUZZWORDOFTHEDAY] is a tech-related buzzword.

The IoT of now and the future.

[geekmux]

This just goes to show you that even with a security-centric product like an alarm system, even basic security features cannot seem to be prioritized over cost or first to market.

Expect thousands more shitty products that lack even the most basic security to hit the IoT market before consumers pull their head out of their a...ah, what the hell am I thinking? Consumers have never given a shit about security or privacy.

It's the very reason shitty IoT is thriving.

Re:The IoT of now and the future.

[Grishnakh]

...before consumers pull their head out of their a...ah, what the hell am I thinking? Consumers have never given a shit about security or privacy.

Exactly. Just look at how popular Facebook is.

If you have an IOT alarm....

[Lumpy]

Then you are a moron. Relying on the cloud for anything important and time sensitive is 100% foolish and borderline stupid.

It's great for toys like Smartthings and Hue lights. but only a complete moron will rely on their internet and the cloud service for something like an alarm system.