How to Protect Wireless Intrusion Systems From Cyber Threats

Unprotected Network Communications
The industry in general is seeing more and more use of 802.11 (Wi-Fi) when it comes to residential IoT. It’s important for technically progressive security dealers to make absolutely sure the IoT devices they enroll in their wireless security systems use an encrypted form of Wi-Fi simply because an open connection becomes the weakest link in the security chain. Most of the systems that currently use unencrypted Wi-Fi appear to be consumer grade on the DIY (do-it-yourself) side.

Recently, a similar method was used to perform the same retransmission procedure with a well-known national brand of DIY wireless security systems that, according to the author of the following quote, uses unencrypted Wi-Fi. In this case, an IT expert was able to intercept the unprotected communications of the alarm user’s keyfobs when they disarmed their alarm system.

“IOActive’s Andrew Zonenberg has discovered that these devices all talk to each other via unencrypted Wi-Fi, with the controller pad broadcasting a ‘PIN code’ message to the base station whenever the alarm was turned off,” says Catalin Cimpanu, author of “Researcher Hacks Home Alarm System Just like in the Movies” (Softpedia). “The researcher found that these devices are interchangeable and that they can be moved from system to system. Using this knowledge, he bought a second alarm system and hot-wired a microcontroller board to this second system’s controller pad and base station.”

Although professional security companies are not likely to install DIY wireless systems that use unencrypted 802.11 communication technology, some actually sell it to consumers who want to install it themselves. The incentive, of course, is the RMR (recurring monthly revenue) factor. One such company, which ap
pears to be national in scope, has made significant inroads into most local markets in the United States by widespread advertising. If you’re one of these companies, or you’re looking at the DIY market, be aware that many of these consumer-grade systems may mention “encoding” with regard to wireless signal data, rather than encrypted data. But in fact, encoding and encryption are not the same thing and this is something of which you need to be aware.

Enrolled IoT devices should use an encrypted form of Wi-Fi simply because an open connection becomes the weakest link in the security chain.

Assuring the Internet Connection
A good portion of the HPE 2015 report focused on the connection that alarm control panels and users’ smartphone apps have as well as general data security via the Internet. Not only does this include the issue of encryption quality with regard to the SSL/TLS connection, but also a general lack of authentication and authorization concerning mobile and cloud-based user interfaces. The concern here is access to and the general integrity of critical data and system functionality. In particular, HPE found that half of the wireless security systems they studied exhibited poorly configured and implemented SSL/TLS.

“Not all versions of SSL are the same. Just because it is SSL does not mean it is strong or cannot be broken,” says Michael Gregg, CEO of Superior Solutions Inc. of Houston, a provider of superior IT security services for medium and large corporations. “As an example, the site ssllabs.com/ssltest allows you to check the strength of a site running SSL. Notice how some have failing grades. Is this what you’d want from something called a ‘security system’?”

Since the release of HPE’s critical reports in 2014 and 2015, as well as numerous independent news reports on similar issues, much of the industry has responded by creating new and improved technologies to offset many of the deficiencies cited.

“The industry is finally starting to adopt newer technologies and with the awareness of cybersecurity, dealers are becoming more knowledgeable and asking for more information from their vendors to ensure their customers’ protection. This has caused manufacturers to improve not only their software systems but also their hardware systems,” says Dan Simon, managing partner with Connected Technologies LLC, of Crystal Lake, Ill. “For example, our smartphone app has the same security features as does our browser version, and some of those use the highest grade of SSL/TLS protection, three-field authentication, and lockout features.”

Simon is talking about access and the secure I/O connection to his firm’s Connect One platform, which is a Web-hosted service that allows users to view, control and interact with their security systems via a single Web/cloud-based interface. In addition, Connect One has a workaround for alarm systems that lack a secure communication format.

“In most cases, the connection between the alarm panel and our service is dependent on the designs of the alarm panel. However, we have recently worked to improve that with the addition of our access expander,” says Simon. “The access expander interfaces with the alarm panel locally and the access expander then connects to our cloud. In this way we can better manage the security of the connection. This is one way we have achieved better security in our product and also improved responsiveness.”

As time marches forward, the security industry will continue to work toward better, more secure hardware and software. Until the time when all of the security issues cited in HPE’s two reports are addressed by every manufacturer in the security market, security dealers will have to continue to be vigilant, educate themselves on all the issues and intelligently select the best and most secure equipment for their purposes.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Related Content

Murietta Valley District Schools Enhance Safety With i-PRO Camera Installation

Johnson Controls Focuses on Small- and Mid-Size Businesses at ISC West 2024

Elite Interactive Solutions Wins 2024 Monitoring Technology Marvel Award

Global Security Operations Centers: Trends and Opportunities in 2024 and Beyond