Researcher criticises 'weak' crypto in Internet of Things alarm system

Security shortcomings in an internet-connected burglar alarm system from UK firm Texecom leave it open to hack attacks, an engineer turned security researcher warns.

Luca Lo Castro said he had come across shortcomings in the encryption of communication after buying Texecom’s Premier Elite Control Panel and ComIP module and assembling it.

To be able to remote control the alarm system remotely, you open a firewall port in the router and do a port forwarding to the internet. But this allows the mobile app to directly connect to the ComIP module over an unencrypted connection, Lo Castro discovered.

Using WireShark, he said he had discovered that data traffic between the mobile app and the control panel is done in clear text or encoded to BASE64. That means potentially confidential information like the alarm control panel (UDL) password, device name and location are exposed, as a blog post by Lo Castro explains.

Since the module sends data and credentials in clear text it would be possible for an attacker to sniff communications between the app and the panel, obtain the UDL password and and passcode for a user, and then control the alarm.

An independent expert in alarm security, quizzed by El Reg, acknowledged this as a security shortcoming while suggesting it would be beyond the capability of most would-be burglars with access to no more than basic electronic tools like wire strippers, a multi-meter, and crocodile clips. “Realistically, this attacker isn't going to be able to perform an attack against the ComIP module. They don't have the skills, tools, or motivation to target an individual,” our expert (who asked to remain anonymous) explained.

In response to queries from El Reg on Lo Castro’s research, Texecom issued a long statement denying that the possible security shortcomings posed much of a risk in practice. It did concede that its “self-monitoring signalling products are reliant on the local IT network being secure”, a somewhat risky assumption.

Our products are designed and validated against an appropriate risk assessment based on the intended product use.

We have a wide range of electronic security products and services, with applications ranging from small domestic use through to high security applications. Our mobile applications, when used in conjunction with IP-based communicators, are designed to provide simple homeowner monitoring and additional features for lower risk applications. These are not intended to replace professionally monitored and certified alarm communications, and Texecom supports numerous products that are intended for higher risk applications.

When discussing our mobile applications, we believe that it would be irresponsible to provide intricate details of the inner workings of our IP based communication protocols. However, we are prepared to make some general statements and observations about our IP based self-monitoring signalling products.

Our products are designed to interact with properly designed and managed IT networks that provide an appropriate level of IT security and integrity in their own right. Texecom IP based products have been designed to maintain the integrity of IT networks, and the architecture of our system design provides appropriate levels of resilience to maintain network security. Our self-monitoring signalling products are reliant on the local IT network being secure, and we accept that unsecure local IT networks can compromise the security of information communicated within the network itself.

Outside of local IT networks, Texecom app based services utilise the latest TLS encryption. Client / server authentication is employed to provide secure communication interconnections. Certificates are pinned to our apps to prevent MiTM attacks. Access to all servers is via SSH tunnels. All servers employ the necessary levels of encryption and security required by regulations as well as providing backup and redundancy of services.

We appreciate and recognise that there is no room for complacency with regards to cyber security. We are continuing to improve the security of our services, regardless of the perceived current risk, and we will continue to provide firmware upgrades to our products to enhance performance and security.

Texecom’s reply implied that Lo Castro was looking at domestic or small business grade kit “not intended to replace professionally monitored and certified alarm communications”. However Lo Castro responded that his tests were on commercial grade security systems. Texecom currently sells two types of alarms: Veritas for Home Security and the Premier Elite Control Panel for “residential and light commercial applications”. Lo Castro said he had bought and carried out tests on Premier Elite Control Panel and IP connector, the commercial-grade set-up. “Their documents clearly advise to use unsecure methods to expose the alarm control panel to the internet,” Lo Castro told El Reg. “As traffic is not encrypted, this is a big problem for security.”

Lo Castro’s blog post offers mitigation advice, including a suggestion that the user avoids opening any firewall port to their alarm system. “A workaround to remote control the alarm system using the mobile app is to create a VPN connection from the mobile device to the local network where the control panel is installed and then run the Texecom mobile app,” he added.

“Texecom should take charge of notifying its customers about this issue,” Lo Castro concluded. “Their mobile apps and documentations should change any reference to ‘encrypted password’ to ‘encoded password’,” he added.

Our independent alarm security expert tells us that much of the physical security market is a long way behind best practice found in information security. And the problem is exacerbated because alarms are designed to be installed and last 10 to 15 years. That means a lot of legacy products, compared to the two to three year product lifetime we are seeing on general IoT products. ®