How to Protect Wireless Intrusion Systems From Cyber Threats
oday, wireless intrusion systems and IoT (Internet of Things) are tied together so that what affects the one is almost sure to influence the other. This fact came to light in 2014 when Hewlett Packard Enterprise (HPE) conducted a study that revealed that 70% of IoT devices are vulnerable to attack. The concern then, as now, involves the fact that the majority of today’s intrusion systems are Internet connected.
A second HPE study, conducted in 2015, revealed even more perplexing news on the security of security: “The simplicity and convenience of home security systems is unquestionable, especially with their remote monitoring capabilities. But do these smart security devices actually make our homes safer or put them more at risk by providing easier electronic access via an (insecure) IoT device?”
In other words, by ignoring the little things, we jeopardize the bigger ones. This same concern also applies to commercial systems, although to a lesser degree. Just ahead, we’ll explore this and other wireless security matters such as encryption, provide practical ideas on how security professionals can minimize inherent risks and see what some manufacturers are doing to mitigate these issues.
Protecting Traditional Wireless Connection
Several years ago a story hit the news where two computer code-savvy IT professionals were able to hack a popular brand of alarm panel, disarming the system by recording and retransmitting the various radio frequency (RF) signals to the alarm system. Of special concern was the user keyfobs that arm and disarm the system. The issue also centered on the use of an unencrypted RF technology.
“Two researchers say that top-selling home alarm setups can be easily subverted to either suppress the alarms or create multiple false alarms that would render them unreliable. False alarms could be set off using a simple tool from up to 250 yards away, though disabling the alarm would require closer proximity of about 10 feet from the home,” wrote Kim Zetter in the July 2014 WIRED article, “How Thieves Can Hack and Disable Your Home Alarm System.”
The first part of this issue, which involves unencrypted radio signals, has been addressed by several security system manufacturers since this story hit the Internet in 2014. One method is to change the keyfob arm/disarm code each time it’s used, something that garage door radio control manufacturers have been doing for some time.
Although there is no perfect security system, signal encryption at this level helps assure the bad guys will fail at the task of signal interception. Experienced security professionals should look for systems that provide secure signal transmission centering on encrypted data.
“Bosch control panels support multiple wireless platforms, including Bosch RADION, as well as Inovonics Echo-Stream. RADION utilizes synchronized encryption for keyfob communications, which provides increased immunity to replay attacks for more reliable system security,” says Tom Mechler, application design manager with Bosch of Fairport, N.Y.
Although there is no perfect security system, signal encryption at this level helps assure the bad guys will fail at the task of signal interception. New security companies as well as experienced professionals searching for something a step above the traditional should look for systems that provide secure signal transmission centering on encrypted data.
“In addition to encrypting the transmission, the system and keyfob also maintain synchronization. Every time a keyfob button is pressed, it increments the code. Similar to traditional rolling code schemes, it uses an incremented code for its next transmission. The receiver knows to look for this incremented code and will not accept messages that do not match. This thwarts attempts to record and replay the transmission. By combining synchronization and encryption, the Bosch RADION platform provides reliable, secure system operation,” says Mechler.
The second method of dealing with vulnerable radio signals is to use spread spectrum technology. In this case, radio transmitters basically transmit data over multiple frequencies in such a manner that interception is extremely difficult if not impossible. The other part of the spread spectrum solution is it effectively stops high-tech criminals who attempt to jam the wireless receiver by sending out a radio signal on the same frequency the system uses.
“DMP’s 900MHz two-way wireless technology has proven very solid and reliable, because of its frequency-hopping spread spectrum technology and acknowledgement for every message, it’s difficult to intercept or tamper with,” says Mark Hillenburg, executive director of marketing with DMP of Springfield, Mo. “The wireless communication is hopping randomly over 53 channels every 32 milliseconds, based on a unique code that changes for each system. Any interference or collision in a single fragment of a message results in a retry of that message fragment on another channel. This has met the most stringent UL anti-jamming requirements, and has proven completely reliable gaining UL commercial fire listings and widespread adoption among discerning dealers.”
The takeaway from this is to do your homework and select a wireless alarm system that clearly makes use of rolling codes, encryption or spread spectrum technologies.
Unprotected Network Communications
The industry in general is seeing more and more use of 802.11 (Wi-Fi) when it comes to residential IoT. It’s important for technically progressive security dealers to make absolutely sure the IoT devices they enroll in their wireless security systems use an encrypted form of Wi-Fi simply because an open connection becomes the weakest link in the security chain. Most of the systems that currently use unencrypted Wi-Fi appear to be consumer grade on the DIY (do-it-yourself) side.
Recently, a similar method was used to perform the same retransmission procedure with a well-known national brand of DIY wireless security systems that, according to the author of the following quote, uses unencrypted Wi-Fi. In this case, an IT expert was able to intercept the unprotected communications of the alarm user’s keyfobs when they disarmed their alarm system.
“IOActive’s Andrew Zonenberg has discovered that these devices all talk to each other via unencrypted Wi-Fi, with the controller pad broadcasting a ‘PIN code’ message to the base station whenever the alarm was turned off,” says Catalin Cimpanu, author of “Researcher Hacks Home Alarm System Just like in the Movies” (Softpedia). “The researcher found that these devices are interchangeable and that they can be moved from system to system. Using this knowledge, he bought a second alarm system and hot-wired a microcontroller board to this second system’s controller pad and base station.”
Although professional security companies are not likely to install DIY wireless systems that use unencrypted 802.11 communication technology, some actually sell it to consumers who want to install it themselves. The incentive, of course, is the RMR (recurring monthly revenue) factor. One such company, which appears to be national in scope, has made significant inroads into most local markets in the United States by widespread advertising. If you’re one of these companies, or you’re looking at the DIY market, be aware that many of these consumer-grade systems may mention “encoding” with regard to wireless signal data, rather than encrypted data. But in fact, encoding and encryption are not the same thing and this is something of which you need to be aware.
Assuring the Internet Connection
A good portion of the HPE 2015 report focused on the connection that alarm control panels and users’ smartphone apps have as well as general data security via the Internet. Not only does this include the issue of encryption quality with regard to the SSL/TLS connection, but also a general lack of authentication and authorization concerning mobile and cloud-based user interfaces. The concern here is access to and the general integrity of critical data and system functionality. In particular, HPE found that half of the wireless security systems they studied exhibited poorly configured and implemented SSL/TLS.
“Not all versions of SSL are the same. Just because it is SSL does not mean it is strong or cannot be broken,” says Michael Gregg, CEO of Superior Solutions Inc. of Houston, a provider of superior IT security services for medium and large corporations. “As an example, the site ssllabs.com/ssltest allows you to check the strength of a site running SSL. Notice how some have failing grades. Is this what you’d want from something called a ‘security system’?”
Security dealers should select a wireless alarm system that clearly makes use of rolling codes, encryption or spread spectrum technologies.
Since the release of HPE’s critical reports in 2014 and 2015, as well as numerous independent news reports on similar issues, much of the industry has responded by creating new and improved technologies to offset many of the deficiencies cited.
“The industry is finally starting to adopt newer technologies and with the awareness of cybersecurity, dealers are becoming more knowledgeable and asking for more information from their vendors to ensure their customers’ protection. This has caused manufacturers to improve not only their software systems but also their hardware systems,” says Dan Simon, managing partner with Connected Technologies LLC, of Crystal Lake, Ill. “For example, our smartphone app has the same security features as does our browser version, and some of those use the highest grade of SSL/TLS protection, three-field authentication, and lockout features.”
Simon is talking about access and the secure I/O connection to his firm’s Connect One platform, which is a Web-hosted service that allows users to view, control and interact with their security systems via a single Web/cloud-based interface. In addition, Connect One has a workaround for alarm systems that lack a secure communication format.
“In most cases, the connection between the alarm panel and our service is dependent on the designs of the alarm panel. However, we have recently worked to improve that with the addition of our access expander,” says Simon. “The access expander interfaces with the alarm panel locally and the access expander then connects to our cloud. In this way we can better manage the security of the connection. This is one way we have achieved better security in our product and also improved responsiveness.”
As time marches forward, the security industry will continue to work toward better, more secure hardware and software. Until the time when all of the security issues cited in HPE’s two reports are addressed by every manufacturer in the security market, security dealers will have to continue to be vigilant, educate themselves on all the issues and intelligently select the best and most secure equipment for their purposes.
The end user’s first and last stop for making technology decisions.