Researcher criticises 'weak' crypto in Internet of Things alarm system

Security shortcomings in an internet-connected burglar alarm system from UK firm Texecom leave it open to hack attacks, an engineer turned security researcher warns. Luca Lo Castro said he had come across shortcomings in the encryption of communication after buying Texecom’s Premier Elite Control Panel and ComIP module and …

  1. allthecoolshortnamesweretaken

    Hmm - haven't we been discussing just this recently on these treasured pages? CAB - Computer Aided Burglary.

  2. a_yank_lurker Silver badge

    Huh?

    “Realistically, this attacker isn't going to be able to perform an attack against the ComIP module. They don't have the skills, tools, or motivation to target an individual,” - Is this guy clueless? There was a show on US cable several years ago showing how professional burglars case neighborhoods looking for likely targets. If the one with a couple of brain cells realizes they might turn off an alarm system they might be willing to spend time locating the vulnerable targets in their area.

    Yes, many criminals do have a hard time carrying on a conversation with the vast intellect of a brick, but there are enough with a clue who, seeing reports like these (not condemning the report - it is needed), will realize they might want to learn how to remotely disable these systems.

    1. The Axe

      Re: Huh?

      Who is this "expert"? He doesn't seem to know much about criminals. I suppose he'll probably also say that car alarms need highly skilled IT experts to break and therefore it's unrealistic for cars to be stolen without actually breaking a window as criminals are stupid. It's the "expert" who is stupid. He probably advised the car makers when they were making their insecure car alarms.

      This "expert" needs to realise that not all criminals are clueless. Criminals can come from all walks of life.

      1. Fatman Silver badge
        Joke

        Re: Huh? ...not all criminals are clueless.

        > This "expert" needs to realise that not all criminals are clueless. Criminals can come from all walks of life.

        Some are even politicians, and Government Agents.

        1. Mad Chaz

          Re: Huh? ...not all criminals are clueless.

          Or alarm system salesmen.

      2. cybergibbons

        Re: Huh?

        Which would probably be why they said "it would be beyond the capability of most would-be burglars with access to no more than basic electronic tools like wire strippers, a multi-meter, and crocodile clips".

        Are you arguing that most burglars would be capable of this? That would strongly go against the available evidence.

        Burglary and car theft have very different risks and rewards, which you seem to have ignored in your analogy/comparison.

        You can almost entirely work out the security system on a car just by the model and year. There is very little variation. Not possible with a home alarm. It's easy for criminals to identify and target cars like this.

        Once you have bypassed the security system on most modern cars, that's it. You can open the door and start the engine. Not so with a house - bypass the alarm, and you still need to deal with physical security.

        Most burglaries don't result in a good reward of a known value. You might get £500, you might get £5k. Lift a high-end car, and you will be looking at a lot more.

    2. Adam 1 Silver badge

      Re: Huh?

      For a hundred quid, a criminal could buy a WiFi pineapple (or similar), set up a fake AP, send out fake deauth packets for their real router and wait for the unlock code to be recorded.

      Wow, I managed to make that sound like you need to be some l337 haxor to do it. It's really not. At all. And if you really can't RTFM because you have the intelligence of a house brick, you can watch the step by step on YouTube.

      It really isn't a good argument to say "not vulnerable" because it is "beyond the capability of most would-be burglars". That is like saying that it doesn't matter that your car may be easy to hotwire but don't worry because they would have to get through the locked door first.

      We live in a world where IoT light bulbs leak the password of their WiFi network. Security in the digital age is about layers, not some impenetrable moat on the outside of your castle. You assume that your adversary can see and manipulate any communications between any of the devices and build the security in from the foundation.

    3. Anonymous Coward

      Re: Huh?

      Completely agree with the other commenters here - the "expert" doesn't know what they're talking about. Lots of alarm people are ex-locksmiths rather than IT security experts - is this the case here by any chance?

      Criminal networks are highly effective at sharing information and systematising the breaking of security. I may not have the personal skill to design an operating system or i7 chip, but it doesn't stop me using them highly effectively. It only takes one person to do it and sell the tools.

      Combine this with a company that's a/ evidently clueless about network security b/ appears to have a natural reaction of denying rather than responding to security issues and it's an accident waiting to happen.

      What are the odds criminals are trying to hack their customer list (and those of their resellers) right now? Combine it with rented access to a router botnet and cross reference with IP address geolocation and you've probably got a nice address list to go after. The alarm system remote monitoring will probably even tell you when there's no-one in the house...

      1. MachDiamond Silver badge

        Re: Huh?

        It wouldn't be hard to use a low power Pi or similar computer dropped near a target and log when the alarm is activated and disarmed. A week or so of data would give a good indication of the homeowner's schedule. If it could be done via the net, a burglar could monitor several alarms for a longer period of time to build a larger statistical universe. Most people with regular jobs keep a pretty consistent schedule.

      2. cybergibbons

        Re: Huh?

        I can build a device that will disable a significant number of wireless alarms on the market in the UK. It costs about £12 to make. It took very little research (relatively) to work it out.

        Never seen anyone else sell them - I've even tried asking on some of the forums that are used for trading ATM skimmers, fake chip&pin terminals etc. They just aren't made - criminals aren't currently interested in bypassing alarms on domestic properties.

    4. cybergibbons

      Re: Huh?

      I don't think there are enough burglars with enough sense to carry out these attacks - certainly not against domestic properties with self-installed panels with no professional monitoring.

      I've been asked to look into five cases now where a homeowner has suspected that the burglars had used advanced electronic bypass methods to get in. Whilst I could never say for sure, there was no evidence in any of these cases that anything untoward had happened.

      There's a world of difference between casing high-end targets (which would have graded alarms) and most burglars working out how to bypass individual homes over the Internet.

  3. Stevie Silver badge

    Bah!

    And in what universe does a remotely controllable burglar alarm make any sense, especially one controlled over the bleeding world wide web?

    1. Anonymous Coward

      Re: Bah!

      "And in what universe does a remotely controllable burglar alarm make any sense, [...]"

      Presumably the use of an app on a smartphone is to replace a dedicated controller - like many IoT things. Outside your front door use the app to disable the alarm before you enter - and vice versa to arm it when leaving the house.

      Convenience has often taken priority over security - which is only ever as strong as the weakest link.

      1. Commswonk Silver badge

        Re: Bah!

        And in what universe does a remotely controllable burglar alarm make any sense, especially one controlled over the bleeding world wide web?

        The universe of marketing, for starters. And the universe of politicians who start drooling uncontrollably if the words "digital" or "apps" are used. Not, it must be said, in any universe where common sense has a place.

        It serves to prove that you really can fool most of the people most of the time.

        1. Pompous Git Silver badge

          Re: Bah!

          It serves to prove that you really can fool most of the people most of the time.

          And as my granddad used to say, jerk the rest off ;-)

        2. h4rm0ny

          Re: Bah!

          >>"It serves to prove that you really can fool most of the people most of the time."

          Things I can do with an Internet connected security system that I can't do with an old-fashioned one:

          * Check that I set it after I've left home.

          * Enable it if I find I need to later on (e.g. if I did forget).

          * Disable it if I need to (e.g. my partner returns when I'm not around / I want my neighbour to check on something for me / I have a delivery or service person I want to enter my home whilst I'm at work)

          * Be notified immediately on my phone that it has been triggered and take appropriate actions such as calling the police / turning the alarm off if it's a false alarm or it's done its job and I want to stop driving the neighbours crazy / logging into cameras in the home to see what's happened)

          * Have more than a rudimentary All or Nothing approach to my home security. (E.g. different access levels for different people / ability to amend these on the fly as needed).

          Of course, feel free to mock it as an example of how you can fool most of the people most of the time (you've mangled the quote, btw).

          1. Commswonk Silver badge
            Happy

            Re: Bah!

            ...feel free to mock it as an example of how you can fool most of the people most of the time...

            Res ipsa loquitur just about covers it, I think, even if I am not a lawyer.

          2. Stoneshop Silver badge

            Re: Bah!

            Given that a decent alarm system usually has the capability to send alarm notifications by phone (which tends to get replaced with "over Da Intarwebz" though), SMS should be a viable option for most of the requirements you list:

            [x] * Check that I set it after I've left home.

            [x] * Enable it if I find I need to later on (e.g. if I did forget).

            [x] * Disable it if I need to (e.g. my partner returns when I'm not around / I want my neighbour to check on something for me / I have a delivery or service person I want to enter my home whilst I'm at work)

            Limit control for this option to phone numbers registered with the control unit, and add a one-time code (copied from the control unit before you leave) if you're worried about number spoofing.

            [x] * Be notified immediately on my phone that it has been triggered and take appropriate actions such as calling the police / turning the alarm off if it's a false alarm or it's done its job and I want to stop driving the neighbours crazy / logging into cameras in the home to see what's happened)

            [x/ ] * Have more than a rudimentary All or Nothing approach to my home security. (E.g. different access levels for different people / ability to amend these on the fly as needed).

            Amending on the fly is explicitly something I wouldn't want. Security, including access modes and zones, is something I'd design and set up beforehand. If I then need to grant access in a way that doesn't match those predefined modes, then it's "tough shit, come back tomorrow".

            I want my home control system (which an alarm can be considered part of, although not necessarily integrated with) to offer a limited number of predefined states, such as "I'll be home in half an hour, set the living room thermostat to $preset(comfortable)" unless you have direct physical access. And controlling the system from outside the house can only select the applicable subset of those predefined states.
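As an added example (written for this page, not Stoneshop's or h4rm0ny's code, and not how any Texecom product behaves), here is a sketch of the SMS control gate argued for in the exchange above: commands are accepted only from numbers registered with the unit, must carry a single-use code minted at the panel before leaving, and may only select from a predefined subset of states, with everything else left to physical access. The phone numbers, state names, code length and message format are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Predefined states, constructed for this example. "remote" marks the subset
# that may be selected over SMS; the rest require physical access at the panel.
STATES = {
    "ARM_FULL":       {"remote": True},
    "ARM_NIGHT":      {"remote": True},
    "DISARM":         {"remote": True},
    "THERMO_COMFORT": {"remote": True},
    "ENGINEER_MODE":  {"remote": False},  # zone bypass: panel only
    "ADD_USER":       {"remote": False},  # access-level changes: panel only
}


@dataclass
class ControlUnit:
    """The alarm/home-control unit's inbound SMS gate (hypothetical design)."""
    registered_numbers: frozenset
    state: str = "DISARM"
    log: list = field(default_factory=list)
    _codes: set = field(default_factory=set)  # outstanding single-use codes

    def issue_code(self) -> str:
        """Minted at the panel before leaving; shown on its display, never sent."""
        code = secrets.token_hex(4)  # 8 hex chars; the length is an assumption
        self._codes.add(code)
        return code

    def _redeem_code(self, presented: str) -> bool:
        # Constant-time compare against each outstanding code and burn it on a
        # match, so a captured or retransmitted message is rejected.
        for code in list(self._codes):
            if hmac.compare_digest(code, presented):
                self._codes.discard(code)
                return True
        return False

    def handle_sms(self, sender: str, text: str) -> tuple[bool, str]:
        """Validate one inbound message. Returns (accepted, reply text)."""
        if sender not in self.registered_numbers:
            self.log.append(("drop", sender, "unregistered sender"))
            return False, ""  # silent: do not confirm that a unit is listening

        parts = text.strip().split()
        if len(parts) != 2:
            return False, "FORMAT: <code> <STATE|STATUS>"
        code, command = parts[0], parts[1].upper()

        # The code is redeemed before the command is interpreted, so a spoofed
        # registered number learns nothing without a valid code. A mistyped
        # command therefore costs one code; that is the intended trade-off.
        if not self._redeem_code(code):
            self.log.append(("deny", sender, "bad or reused code"))
            return False, "BAD CODE"

        if command == "STATUS":
            return True, f"STATE {self.state}"
        if command not in STATES:
            return False, f"UNKNOWN {command}"
        if not STATES[command]["remote"]:
            self.log.append(("deny", sender, command))
            return False, f"{command} NOT AVAILABLE REMOTELY"

        self.state = command
        self.log.append(("apply", sender, command))
        return True, f"OK {command}"


def demo() -> list:
    """Walk the gate through the cases raised in the thread; sample data constructed."""
    unit = ControlUnit(registered_numbers=frozenset({"+447700900001"}))
    c1, c2, c3 = unit.issue_code(), unit.issue_code(), unit.issue_code()
    return [
        unit.handle_sms("+447700900999", f"{c1} DISARM"),         # unregistered number
        unit.handle_sms("+447700900001", f"{c1} ARM_FULL"),       # arm after leaving
        unit.handle_sms("+447700900001", f"{c1} DISARM"),         # replayed code
        unit.handle_sms("+447700900001", f"{c2} ENGINEER_MODE"),  # panel-only state
        unit.handle_sms("+447700900001", f"{c3} STATUS"),         # "did I set it?"
    ]


if __name__ == "__main__":
    for accepted, reply in demo():
        print(accepted, repr(reply))
```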

          3. tom dial Silver badge

            Re: Bah!

            The concomitant of this convenience, however, is to degrade, apparently quite a lot in the case of this equipment, the system's performance of its basic function.

            Note also that the last two items cited mostly do not require external wireless control despite the fact that they can be implemented in that way.

      2. anonymous boring coward Silver badge

        Re: Bah!

        I suspect it's more of a cost issue. A dedicated installed panel will cost you.

      3. John Robson Silver badge

        Re: Bah!

        Which is great - assuming infinite battery life...

        And the thing should be SSL'd even over the WLAN - as someone mentioned above the light bulbs are leaking wifi credentials - as is Windows 10. Pretty sure a kettle did it recently as well...

        Given that it probably insists on either WEP or an open wifi network....

        Oh well - whatever happened to devices having an ethernet port :(

        1. I am not spartacus

          Optional

          "Oh well - whatever happened to devices having an ethernet port :("

          It really has come to something when this fits into the general category of 'Grumpy old git/technophobe response' (and, I'm not sure whether you would count that perception as undesirable, but that is how I read it).

          1. John Robson Silver badge

            Re: Optional

            Hardly technophobic..

            I can see the benefit of having some devices on WiFi - mostly user devices, but I doubt that an ethernet port shouldn't be significantly more expensive than a WiFi chip and antenna.

            My NowTV boxes aren't mobile, they don't need the mobility of a WiFi connection, neither does an alarm system - which is presumably wired in to the house...

            My Blu Ray player has an ethernet port on the back... One of the things I looked for when I bought it...

            The benefit of using wires is that the airwaves need be shared by fewer devices. Wires make a good spatial division multiplex and avoid all the issues of whatever the latest wireless security issue is, as well as not limiting your next gen router to an older WiFi speed, compromising the remainder of your devices.

            1. cybergibbons

              Re: Optional

              The device only has Ethernet - not sure where all the WiFi stuff has come from.

              1. John Robson Silver badge

                Re: Optional

                It came from the "remote control via pocket computer"

                There isn't any indication that any of the comms are encrypted and there is a tendency in devices nowadays to be WiFi only - often not a recent version, forcing all devices to drop to a lower standard...

                That this has ethernet is one good point IMHO - of course the rest of the security is still needed

    2. Lee D Silver badge

      Re: Bah!

      I refuse to put an alarm bell on my house. They are pointless, loud, annoying, and... totally ignored. Thus they are useless, even in a friendly neighbourhood. Every time an alarm goes off in my street (and it happens enough that I know this), it's completely ignored. Car. House. Doesn't matter.

      So my house alarm just texts me instead. Then I can log in and look at the cameras from home. Motion detection on such a setup is pointless and distracting, so there's no point relying on movement being detected in order to alert me. But a door opening, or a window breaking, that means something happened. Possibly. Like the way that the CCTV motion detection going off could mean that it's a bit windy in the garden, the door magnet going off could just be a windy door banging on the latch or a PIR being set off by the cat.

      But with a remote control system, I am able to be alerted. I am then able to make a decision, based on the alerts and other remote-accessible data (like cameras, alarm trigger logs, etc.). Then... guess what... IF I SUSPECT a burglary, I can set the house alarm off remotely. And alert the police directly. Or phone the neighbours. Or drive straight home. Or not.

      Without a remote home alarm? My alarm would go off, people would all ignore it, and I'd know nothing until I got home. Does having a remotely-controlled alarm put me at a disadvantage or provide an avenue into my home? No. Because it's properly designed and thought out. Hell, even the CCTV can detect if it's being obscured or cut and alert me, because I know for a fact that the CCTV on its own is next to useless at actually preventing the crime.

      But a remote home alarm? There's a ton of uses. And it doesn't have to provide avenues for a burglar, or insecure access to your home.

      (The other day I found out which damn delivery driver it is who keeps pulling my bins across the front of my driveway so that I can't get my car in without stopping in the road. Because walking into the garden sends an alert and flags the cameras to record, and my home cameras are set up on my monitor at work (and, no, you can't DO anything, just see the camera over a VPN connection))

      1. Stevie Silver badge

        Re: Alarm bells are pointless, bins, setting/unsetting the alarm

        But an alarm siren at earsplitting volume *inside* the house, coupled with flashing xenon strobe lights will make the burglar's job that much more difficult and exact a just toll on the bastards.

        None of which needs an internet connection. Remote controls to the house are just another way for technology to interrupt me when I'm doing my life. My alarm calls the rozzers by itself. Let them deal with the situation and tell me about it when I get back from dinner.

        Catching the person who blocks your driveway with bins doesn't require an internet connection either.

        If you can't remember to set your alarm when you go out, there's no guarantee you'll remember to check it over the web either.

        And if you can't trust your partner with a kill code for your alarm system, you have issues the internet won't fix.

        Admit it, Internet of Burglar Alarms fanboys, you want it because it is shiny, not because it is useful. Don't come crying to El Reg when villains in striped jerseys and masks hack your front door and have it away with your flatscreen and Dolby 7.1 surround sound setup.

        The NSA will have your killcode every time you use it too. At least they have to send a van with a cable TV imposter with a trad setup.

  4. Commswonk Silver badge

    What?

    1: To be able to remote control the alarm system remotely...

    I blinked at this several times before remembering that we were advised that El Reg staff were going to have a break to, er, celebrate the New Year. Notwithstanding this linguistic horror you are nonetheless forgiven.

    2: That means a lot of legacy products, compared to the two to three year product lifetime we are seeing on general IoT products.

    Well that's another reason for having nothing to do with the stuff, then. Two to three year product life? I expect anything vaguely falling into the description "hardware" to have a much longer life than that. Two to three years falls into the category of "taking the piss".

    1. VinceH Silver badge

      Re: What?

      "Two to three years falls into the category of "taking the piss"."

      Or, from the point of view of the vendor, it's "presenting a healthy upgrade and repeat sales cycle."

    2. Paul Crawford Silver badge

      Re: What?

      Indeed 2-3 years is taking the piss, but that is what we see with the majority of smartphones. You have to look hard to find any getting support or security updates even when under 1 year old, let alone 3.

      But this misses the point - such shit security practices like unencrypted communications that reveal passwords, etc, have been known to be shit for decades so there is no excuse. It simply comes down to companies not employing staff or external support (e.g. penetration testing, etc) who know what they are doing when it comes to security. So many of the bugs that keep coming up, and design flaws, are well known and often (in some cases, like memory abuse) picked up by compiler warnings and static analysis tools. Which don't get used.

    3. Stoneshop Silver badge
      Headmaster

      Re: What?

      1: To be able to remote control the alarm system remotely...

      I blinked at this several times before remembering that we were advised that El Reg staff were going to have a break to, er, celebrate the New Year.

      Yes. I'm sure they intended to write "To be able to remotely control the alarm system's remote control remotely.", but then festivities happened.

  5. Steve Davies 3 Silver badge

    IoT and Security?

    Now there is an oxymoron if I ever heard one.

    If this is not a warning to anyone thinking of an IoT solution then I don't know what is.

    Don't do it unless you are 1,000,000% certain about not only the Security but the data slurping.

    1. NotBob
      Trollface

      Re: IoT and Security?

      But who cares about security in a security system...

      ...Oh. Now I get it.

      1. Anonymous Coward

        Re: IoT and Security?

        "But who cares about security in a security system...

        ...Oh. Now I get it."

        Well, yeah, my point exactly. We've all been used, here, to utter shite security for any IoT gadgets (light bulbs, others) that normally kind of stay in the local LAN, even if local WIFI is something to be defined (radio can last a long way). So, yeah, IoT security = bollocks is now granted.

        But here, this is not IoT gadgets for me, this is a SECURITY system, for pro and home use ! For which there are, indeed, use cases of remote usage, through public networks (call/signal/inform someone) !

        And they screw up so badly (lol, base64 encoding security), and spin it so badly ...

        I'd be a criminal, I'd start to organise burglar teams like this:

        - cyber-intruders, central team, instructing burglars on where and when to go

        - local burglars, local teams

        Can't lose vs. those morons ...

        Anon, as I don't want any copyright on the above.

  6. adnim Silver badge

    sim card in alarm system

    phones home owner/police on breach of security. No connection to Internet.

    Just off the top of my head without any further thinking..... I am getting drunk so can't be assed designing a security system in real time. Happy new year have fun y'all.

    1. Commswonk Silver badge

      Re: sim card in alarm system

      Phone home owner; all well and good. Phone police? Don't think so; ISTR that the police will not now take calls from "automated" burglar alarms because of the number of false alarms. I think remote alarms have to go to an "alarm company".

      Which raises the question "if the home owner gets an automated alarm call what are they going to do about it?" Ring the police and risk getting short shrift anyway? It would have to be a text to the home owner in any case; a voice call could be frustrated by the user yakking away on their phone, which looking at a large percentage of the population at any given time is all too likely.

      1. h4rm0ny

        Re: sim card in alarm system

        >>"Which raises the question "if the home owner gets an automated alarm call what are they going to do about it?"

        Log into my IoT home security cameras and see if it's a false alarm or not. If I can see a stranger in my home or a forced open door, then I can call the police and tell them that it's not a false alarm myself. That's what we're going to do about it.

        1. Commswonk Silver badge

          Re: sim card in alarm system

          ...Log into my IoT home security cameras...

          Since you have mentioned your IoT cameras don't you think it is time to clear out the old pizza boxes... and that wallpaper...ugh.

  7. frank ly

    For not at all simple homeowners

    " ... are designed to provide simple homeowner monitoring ..."

    " ... designed to interact with properly designed and managed IT networks that provide an appropriate level of IT security and integrity in their own right."

    1. Commswonk Silver badge

      Re: For not at all simple homeowners

      In other words the overall system security has been outsourced to someone else.

      Brilliant.

      Not...

      1. herman Silver badge

        Re: For not at all simple homeowners

        Yep - security is outsourced to the burglar it seems.

  8. Doctor_Wibble
    Boffin

    Spear Phishing

    If the target is worth the time then you aim a trojan at the user, their home computer then listens on the local network, sniffs the password as they test (or show off) their remotely controllable alarm system, and then either sends the info out or waits for your 'main screen turn on' instruction to come through, 'what happen' being entirely optional.

    Better yet, start up a mailing list management company and given time you will have a collection of ready-made target lists to work from.

    If the data is only present on the remote network then you pwn the remote network. May or may not be trivial of course but that's why these films have the proverbial motley crew, to cover all the angles.

  9. DropBear Silver badge
    WTF?

    I admit my cognitive abilities are completely shot right now but...

    ...how exactly does one reconcile "a secure local network" with "punching holes in the firewall", for fuck's sake? If it's a local setup phase ONLY that travels unencrypted over a hopefully secure local wifi that's still bad enough, granted, but maintaining an insecure connection that LEAVES the local wifi is an entirely different ballgame. So which is it, because it's not even that one of you is talking bullshit, it's that the two things are incompatible - it's either one or the other!

  10. Captain DaFt

    "it would be beyond the capability of most would-be burglars with access to no more than basic electronic tools like wire strippers, a multi-meter, and crocodile clips."

    It would seem this 'expert' is still designing alarms for the 1970s. Things have slightly changed since then.

    Most crooks these days have access to highly sophisticated computers called smart phones.

    All it'd take to bypass these security systems would be some war-driving software and a copy of the control app loaded, and Mr. Smooth Criminal loots your house at leisure.

    1. Mystic Megabyte Silver badge
      Pirate

      @Captaindaft

      > and Mr. Smooth Criminal loots your house at leisure.

      Some years ago a friend returned to her London house just as a man in a suit was climbing down the drainpipe! Mr. Smooth Criminal was a professional cat-burglar who obviously only stole pocketable items. He also avoided the heavily locked front door by not using it. The suit was a neat way to blend in; the police are looking for hoodies carrying a TV.

      Rather than risk getting attacked she let him walk away, I don't think that he was caught.

      1. Alan Brown Silver badge

        Re: @Captaindaft

        >... climbing down the drainpipe.

        Decent home security includes assessing this kind of thing and using anticlimb paint where necessary.

  11. Andy629
    WTF?

    oops. have just bought this very hardware for an alarm upgrade, to allow remote access etc for alarm checking / reset. I'm struggling to understand why anyone with a clue would link an alarm system over the internet without using a VPN though. As for traffic not being encrypted on the LAN, surely if someone has access to your LAN it's mostly game over anyway...

    Texecom have an opportunity here to pull their finger out and probably steal a lead on the competition - some of the systems available are truly appalling (wireless systems with one way transmission)

    1. gerdesj Silver badge

      "oops. have just bought this very hardware for an alarm upgrade"

      I recommend you discover the joys of multiple VLANs and multiple SSIDs. 1 for your PCs/laptops, 1 for NASs/servers, 1 or more for IoT stuff, 1 for your phones, 1 for guests. Each will need routing, and a good firewall policy. It's non-trivial but necessary if you want a modicum of security.

      The trouble is, not only is it a bugger to set up the above properly but you will need a bit more than your average ISP freebie router to do it. However get yourself something like a Draytek or FritzBox or a custom ROM based thing like Tomato or pfSense on an old PC/laptop plus a modem as required and you can do all of that. Reasonably cheap switches can be had e.g. Netgear GS110TP for PoE + layer 2 managed for cameras and the like.

      1. Anonymous Coward

        not much

        just a mid-range Mikrotik router (about 40 quid) with a VLAN-capable switch (about the same or more for PoE) doing router on a stick method (trunk link on one port to the router) - easy :)

  12. Anonymous Coward

    So, how long until...

    ...IoT + Social Media + Stupidity = Total knowledge of a mark's every act and movement?

  13. TeeCee Gold badge
    Facepalm

    IoV

    Internet of Vulnerabilities.

    That's what we're actually building here.

    1. Teiwaz Silver badge

      Re: IoV

      Idiot Of Things

      or

      Inadequate of Things

      or

      IUT - Internet Unsecure Thing

      1. Stoneshop Silver badge

        Re: IoV

        Intrusion of Trespassers

  14. Anonymous Coward

    "If you have nothing to hide...

    ... then why are you using a burglar alarm in the first place?"

  15. Mage Silver badge
    Holmes

    Expertise

    You only need ONE expert in the WORLD to know how to break into a system, that writes it up clearly, maybe with a video.

    Then anyone able to use a multimeter can follow the instructions.

    "We aren't buying your security setup for our workstations and servers" said the College, "most of the students don't have a clue."

    "How many of the best ones do have a clue and are untrustworthy?" I asked. "Do they have any friends, or websites?"

    We got the order.

    Without me having to suggest some of their students by name.

    1. TheOtherHobbes

      Re: Expertise

      In a world where scriptkiddies are pwning WordPress installations by the million to make botnets and cybercrime gangs are coining it with variations on cryptolocker, anyone who thinks crims don't know how to technology is so lacking in clue they probably have trouble remembering how to breathe.

  16. Kevin McMurtrie Silver badge
    WTF?

    beyond the capability?

    Not all criminals carry a crowbar and sack. Some criminals might sell software that makes breaking into houses as easy as stealing a phone to run it.

  17. Roland6 Silver badge

    Warning! Reality Mismatch!

    And the problem is exacerbated because alarms are designed to be installed and last 10 to 15 years. That means a lot of legacy products, compared to the two to three year product lifetime we are seeing on general IoT products.

    I suggest this shows just how far from the real world many IoT pundits and 'toy' developers are. The sorts of things IoT is being targeted at are things that currently are, quite reasonably, expected to work with minimal maintenance for a minimum of 10 to 15 years in a domestic environment and significantly longer (30+ years) in many industries.

    By way of example, whilst the circuit board in the external box needs to be replaced every ten years or so (degradation due to sun and weather), the alarm control box, under the stairs, I don't expect to do anything to it until some component (e.g. its PSU) fails, which shouldn't be within a few decades.

    Similarly, light bulbs might have a 'limited' lit life, but that doesn't mean that they don't last; I still have a couple of bulbs I've not changed since moving into my current house 12 years ago, because they just don't get used very much. My central heating controls are still the originals and I see no need to replace them anytime soon.

    Which gives rise to an interesting security problem, namely: within the life of these systems we can expect commodity computational power to develop to the point where the "state-of-the-art" security installed in them can be broken by anyone simply downloading the relevant cracking tool.

  18. John Crisp

    "Our self-monitoring signalling products are reliant on the local IT network being secure"

    What is that old adage about ASSUME?

    Muppets.

  19. anonymous boring coward Silver badge

    Why call NO crypto "weak" crypto?

    What a shocking surprise this news was. Who would ever have thought...

  20. K Silver badge

    compared to the two to three year.. for.. IoT products

    Hence why the IoT is another marketing hypergasm, that's going to end in a premature nut bust!

    3 years ago I replaced all the lightbulbs in my house with LED ones, so that I could save money. They have a life expectancy of 9-10 years and I expect to get full usage out of them!

  21. AnoniMouse

    IoT - Internet of Targets

    A consumer boom, delivering cheap, already compromised or readily compromisable "things" into a large proportion of the nation's homes, cars, buildings, ...

    What could possibly go wrong?

    Happy New Year!

  22. This post has been deleted by its author

  23. MachDiamond Silver badge

    Hard then simple

    Many crack jobs DO require a very knowledgeable person to be the first in finding a security flaw. Once the secret is out, it's only a short amount of time before somebody has coded a bit of software to exploit the vulnerability and it's a piece of cake for anybody to break in with only enough brains to manage Sunday cartoons.

    Companies/developers should only enter the security devices market if they will spend the time to build a competent product. They should also bring in outside testers to try and circumvent their products.

    Scenario:

    A burglar combs the listings of homes for sale in a high priced neighborhood and sees some pictures of a home with stuff that can be resold without a fuss. The estate agent was being very helpful by stupidly taking a close up picture of the alarm panel to show potential buyers that the home has an alarm system. Now the burglar has a fair inventory of what his haul could be and the particulars of the alarm system. A little bit of searching online and/or some consulting with others in his trade and he will have an idea on how to bypass the alarm. Since the best return is made by burglarizing high end homes and those homes ubiquitously have alarms fitted, professional thieves are much more tech savvy than many start up alarm system companies think. If all it takes is a tablet and some sniffer software, thank you very much.

  24. Yugguy

    Save your bloody money

    And spend it on improved PHYSICAL security. Better window and door locks, that the burglar can SEE, are far more effective.

  25. Mad Chaz

    Checklist

    1: Find an open/WEP secured wifi and get connected.

    2: Scan the network for such a device. Record cleartext password at any time the application gets connected. Probably every 5 minutes while it checks status.

    3: Turn it off, rob the place, turn it back on.

    4: Profit

    Yea, I'm sure that could never happen ....

    1. cybergibbons

      Re: Checklist

      Or:

      1. Find an unoccupied house

      2. Break into it

      3. Steal everything you can in under 5 minutes

      4. Leave

      Whilst the system isn't secure, the attacks being proposed are pure fantasy.

  26. jsciii

    One of Those Guys isn't Right

    Many of the comments are interesting and good ideas, but don't really address the specific problem. The researcher says he used Wireshark and was able to see the communication between the Texecom hub and an iPhone in clear text. The Texecom spokesman was a bit more vague, but he appeared to be saying that communication with systems on the internet is protected with TLS or SSH. If this were true then they wouldn't be in plain text. So perhaps the researcher is new to Wireshark and thought he was seeing plain text. But it is more likely to me that the Texecom spokesperson didn't include iPhones in his statement. I think he used the word "servers." Perhaps they somehow define that word in their minds so that it doesn't include iPhones. (Can't you imagine a lawyer choosing the word "server" because she thinks that the only servers are those systems in the data center.)
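The post above turns on whether a capture really shows cleartext or whether the researcher misread TLS/SSH traffic. As an added example, not from the article, the researcher or Texecom, the following Python helper shows how an auditor would triage that question from the first bytes of each stream: a TLS session opens with a handshake record header, an SSH session with its version banner, and anything that is entirely printable text is cleartext. The sample payloads are constructed for this example and are not real Texecom protocol traffic.

```python
import string
from typing import Dict, List

# Bytes that make up ordinary printable text (letters, digits, punctuation, whitespace).
PRINTABLE = set(string.printable.encode("ascii"))

# TLS record-layer versions seen in the wild: SSL 3.0 (0x0300) through TLS 1.3 (0x0304).
TLS_MINOR_VERSIONS = (0x00, 0x01, 0x02, 0x03, 0x04)


def classify_payload(data: bytes) -> str:
    """Classify the opening bytes of a TCP stream.

    Returns 'tls', 'ssh', 'plaintext' or 'binary'. This is a triage heuristic,
    not a full protocol parser:
      - a TLS session starts with content type 0x16 (handshake), a 0x03 0x0N
        version field and a two-byte non-zero record length;
      - an SSH session starts with the identification string 'SSH-2.0-'
        (or 'SSH-1.99-' for servers that also accept v1 clients);
      - a stream made only of printable characters is cleartext.
    """
    if (len(data) >= 5
            and data[0] == 0x16
            and data[1] == 0x03
            and data[2] in TLS_MINOR_VERSIONS
            and int.from_bytes(data[3:5], "big") > 0):
        return "tls"
    if data.startswith(b"SSH-2.0-") or data.startswith(b"SSH-1.99-"):
        return "ssh"
    if data and all(b in PRINTABLE for b in data):
        return "plaintext"
    return "binary"


def audit_flows(flows: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every captured flow; the key is a label for the flow, the value its first bytes."""
    return {name: classify_payload(first_bytes) for name, first_bytes in flows.items()}


def cleartext_flows(flows: Dict[str, bytes]) -> List[str]:
    """Return the labels of flows that carry readable cleartext and therefore need attention."""
    return [name for name, kind in audit_flows(flows).items() if kind == "plaintext"]


# Constructed sample flows (assumed shapes, not captured from any real device):
SAMPLE_FLOWS: Dict[str, bytes] = {
    # A hypothetical panel <-> phone status exchange sent in the clear.
    "panel->phone": b"STATUS?\r\nZONE 1 OK\r\nZONE 2 OK\r\n",
    # A minimal TLS 1.0-style record header wrapping a ClientHello (TLS 1.2 in the hello).
    "phone->cloud": bytes([0x16, 0x03, 0x01, 0x00, 0x2c]) + b"\x01\x00\x00\x28\x03\x03" + bytes(32),
    # An SSH server banner.
    "panel->admin": b"SSH-2.0-OpenSSH_8.9\r\n",
    # Something neither readable nor a recognised secure-transport preamble.
    "panel->unknown": b"\x00\x01\x7f\xfe\x80\x00",
}

if __name__ == "__main__":
    for name, kind in audit_flows(SAMPLE_FLOWS).items():
        print(f"{name:16s} {kind}")
    print("needs attention:", cleartext_flows(SAMPLE_FLOWS))
```

Run against the constructed flows, only the hypothetical panel-to-phone exchange is reported as cleartext; the TLS and SSH flows are recognised by their preambles regardless of what follows. In practice you would feed in the first payload bytes of each TCP stream exported from a capture (Wireshark's "Follow TCP Stream" or a pcap library), and a "plaintext" verdict on a flow the vendor claims is encrypted is the discrepancy worth raising with them.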


Biting the hand that feeds IT © 1998–2019