Wilco Baan Hofman gave a talk last week at the Hack in the Box conference, where he detailed some of his work in reverse engineering the proprietary SIA-HS protocol, which is becoming increasingly common in alarm reporting systems.
As usual, the security industry prefers secrecy over openness, so most of these alarm reporting protocols, and more importantly all of their implementations, are closed. Time and time again this has been proven to be a sure-fire way of building systems with gaping security holes.
He lists 10 assumptions that Alphatronics, the designer of SIA-HS, made. Each of these assumptions led to fatal mistakes in the implementation of what was meant to be a secure protocol.
A lot of these assumptions are technical – I can attribute them to ignorance or incompetence.
But not assumption 5. This has to be a conscious, management-level decision:
“If my product is certified, it is secure”
This couldn’t be more wrong, and it points to a worrying, widespread, archaic and persistent attitude problem among many alarm manufacturers. He backs this up with a quote from the vendor:
“Alphatronics emphasizes that the uncovered vulnerabilities do not influence the product certification.”
Now, some quotes I have from my correspondence with three alarm manufacturers:
“The fact remains that this is a Grade 2 security panel and meets all the security requirements for that grade.”
“We consistently strive to ensure that all our products meet the relevant standards and we generate a continual program of product testing and quality control. The product has not been designed to compete with professionally installed commercial products.”
“We have been selling wireless alarms since 1990 and code issues have never been a problem. Potential burglars would need extensive knowledge and equipment to overcome any alarm system.”
All of these are in response to the disclosure of easily exploitable vulnerabilities. The next one is in response to simply discussing vulnerabilities:
“If you have managed to reverse engineer our protocol I would be:
2. Glad to see you in court”
I honestly find this attitude offensive and I can’t understand it.
Why is it a problem that alarm manufacturers only want to meet the standards and not exceed them?
- The environment alarms are deployed in is continually changing. What seemed secure 10 years ago may be stunningly insecure today. Standards take years to draw up, are normally out of date by the time they are published, and are then relied on for long periods.
- A standard cannot and does not cover every angle of attack. A valid and demonstrable vulnerability that the standard does not happen to cover is still a vulnerability.
- Very few alarm systems have any mechanism to update anything other than the alarm panel firmware, and most panels don’t allow updates to be carried out automatically or by end users. This massively constrains the ability to patch security holes. The attitude that “it was once certified secure, so it is secure now” just causes this practice to continue.
- Most of the vulnerabilities raised with the manufacturers I would consider a direct result of bad software design and could be fixed with firmware updates. Continuing to sell these systems without altering them is lazy.
- Electronic and software security systems differ from physical security systems. It would take me 2 hours each and every time to drill the door on a high-end safe. However, if I invest a few days in analysing an alarm system and find a vulnerability, I can usually exploit it in seconds, time and time again. Importantly, I can package the vulnerability in a way that any idiot can use it.
Maintaining this position directly results in insecure, unpatchable alarm systems being deployed. It doesn’t look like this is going to change.