Wilco Baan Hofman gave a talk last week at the Hack in the Box conference, where he detailed some of his work in reverse engineering the proprietary SIA-HS protocol, which is becoming more and more common in alarm reporting systems.
As usual, the security industry prefers secrecy over openness, so most of these alarm reporting protocols, and importantly all of their implementations, are closed. Time and time again this has been proven to be a sure-fire way of building systems with gaping security holes.
He lists 10 assumptions that Alphatronics, the designer of SIA-HS, made. Each of these assumptions led to a fatal mistake in the implementation of what was meant to be a secure protocol.
A lot of these assumptions are technical, and I can attribute them to ignorance or incompetence.
But not assumption 5. This has to be a conscious, management-level decision:
If my product is certified, it is secure
This couldn’t be more wrong, and it points to a worrying, widespread, archaic and persistent attitude problem that many alarm manufacturers have. He backs his statement up with a quote from the vendor:
“Alphatronics emphasizes that the uncovered vulnerabilities do not influence the product certification.”
Now, some quotes I have from my correspondence with three alarm manufacturers:
“The fact remains that this is a Grade 2 security panel and meets all the security requirements for that grade.”
“We consistently strive to ensure that all our products meet the relevant standards and we generate a continual program of product testing and quality control. The product has not been designed to compete with professionally installed commercial products.”
“We have been selling wireless alarms since 1990 and code issues have never been a problem. Potential burglars would need extensive knowledge and equipment to overcome any alarm system.”
All of these are in response to the disclosure of easily exploitable vulnerabilities. The next one is in response to simply discussing vulnerabilities:
“If you have managed to reverse engineer our protocol I would be:
1. Surprised
2. Glad to see you in court”
I honestly find this attitude offensive and I can’t understand it.
Why is it a problem that alarm manufacturers only want to meet the standards, and not exceed them?
- The environment alarms are deployed in is continually changing. What seemed secure 10 years ago may be stunningly insecure today. Standards take years to draw up, are normally out of date by the time they are published, and are then used for long periods.
- A standard cannot and does not cover every known angle of attack. If there is a valid and demonstrable vulnerability that is not encompassed by the standard, that does not stop it being a vulnerability.
- Very few alarm systems have any mechanism to update anything but the alarm panel firmware. Most panels don’t allow updates to be carried out automatically or by end users. This massively constrains the ability to patch security holes. The attitude that “it was once certified secure, it is secure now” just causes this practice to continue.
- Most of the vulnerabilities I have raised with manufacturers I would consider a direct result of bad software design, and they could be fixed with firmware updates. Continuing to sell these systems without altering them is lazy.
- Electronic and software security systems differ from physical security systems. It would take me 2 hours each and every time to drill the door on a high-end safe. However, if I invest a few days in analysing an alarm system and find a vulnerability, I can usually use that vulnerability in seconds, time and time again. Importantly, I can package the vulnerability in a way that any idiot can use it.
Maintaining this position directly results in insecure, un-patchable alarm systems being deployed. It doesn’t look like this is going to change.
beyondhelp
April 15, 2013 at 10:36pm
Allowing updates via the web etc. would, I think, make matters worse. Given that often software is the biggest problem, allowing easy access to it would be crazy.
cybergibbons
April 15, 2013 at 10:44pm
The problem is there is often no way of updating the system. A lot of the newer panels are Internet connected anyway, so the hole already exists.
beyondhelp00
April 15, 2013 at 10:50pm
Surely you understand by now that if the company makes a profit they don’t actually care? Although I do understand you’re trying to force them to take notice.
cybergibbons
April 15, 2013 at 10:52pm
I’d like to make it so the less lazy ones make more profit.
Nigel
April 16, 2013 at 8:10am
That’s a good analogy.
Extending it, you may know the ‘weak point(s)’ on a safe, but that knowledge still keeps an attacker out for a minimum length of time. Also, they have to be physically present.
An electronic weak point is normally instant once found.
cybergibbons
April 16, 2013 at 8:13am
Yes, very true. Even if the electronic vulnerability does take time, it can be done by dropping a small device within wireless range.