The Internet of Insecure Security Things

If the title seems confusing, it is not your fault.  It is really tough to get my head around the epic failure of purported security companies who bring products like these to market.  This practically qualifies as fraud!

The first story is about a manufacturer of security camera and DVR systems.  This company is a white box manufacturer, in that it builds products that are privately labelled by other companies and sold under many different brand names.  This surveillance camera system is controlled with a web user interface, which you can log into from any web browser with the IP address, user name, and password.  Unfortunately, this manufacturer has created a root system user and password that is hard coded into the firmware and can’t be changed.  This means that anyone who knows this information can log into your surveillance system, change your password, and lock you out.
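Hard-coded accounts like the one described above can be spotted before a device goes on the network by auditing the firmware's own account files.  The following is an added example (not code from the article or the manufacturer) that scans constructed /etc/passwd and /etc/shadow contents, such as you would extract from a firmware image, and flags every account that has a usable baked-in password hash and an interactive shell:

```python
"""Audit extracted firmware account files for hard-coded login accounts.

The PASSWD and SHADOW strings below are constructed samples standing in for
files pulled out of a vendor firmware image; the hashes are placeholders.
"""

# Constructed sample: root with a fixed hash, a locked service account,
# a second uid-0 vendor account, and an ordinary user with a fixed hash.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
admin:x:0:0:vendor admin:/:/bin/sh
support:x:1000:1000:support:/home/support:/bin/sh
"""
SHADOW = """\
root:$1$c0nstruct$placeholderhash000000:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
admin:$1$c0nstruct$placeholderhash111111:10933:0:99999:7:::
support:$1$c0nstruct$placeholderhash222222:10933:0:99999:7:::
"""

LOCKED = {"", "*", "!", "!!", "x"}           # markers meaning "no usable password"
NOLOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_colon_file(text):
    """Return {username: [fields]} for a passwd- or shadow-style file."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def find_hardcoded_accounts(passwd_text, shadow_text):
    """List accounts that can log in with a password baked into the image.

    The hash comes from /etc/shadow when present, otherwise from the passwd
    field itself (old-style images).  Locked markers and "!"-prefixed hashes
    are ignored; accounts with a non-interactive shell are ignored too.
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, fields in passwd.items():
        uid, shell = int(fields[2]), fields[6]
        hash_field = shadow[name][1] if name in shadow else fields[1]
        usable = hash_field not in LOCKED and not hash_field.startswith("!")
        if usable and shell not in NOLOGIN:
            findings.append({"user": name, "uid": uid, "shell": shell,
                             "is_root": uid == 0})
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_accounts(PASSWD, SHADOW):
        print(finding)
```

Any uid-0 hit whose hash the vendor does not let you replace is exactly the lock-out risk the story describes.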

The next tidbit is about a security alarm system that security researcher Luca Lo Castro bought for his own home.  This was not a cheap system, but a Grade 3 out of 4 on the European standard EN50131.  The problems he discovered included:

  • The manufacturer recommends opening a firewall port and using port forwarding to allow direct unencrypted access to the alarm from the Internet.  This really means anyone who knows your IP address can log onto your security system.
  • The alarm system “calls home” in clear text, so traffic, including pass codes, can be read off the wire using software like Wireshark.
  • Authentication uses a known password to get to the web interface, then your user name and pass code to log through to where you can make changes to the system.  There are two pre-programmed users and passwords, for Engineer and Master.  Looking these settings up on the manufacturer’s website will get you into the system.
  • The mobile app communicates with the control panel, including sending the password, in plain text.

So all in all, not that secure.

The last story is about a doorbell paired with a CCTV camera and intercom that connects to your Wi-Fi.  This allows you to see who is at the door from a computer or even when you are away with the smartphone app.  Unfortunately, this device is manufactured in a way that would allow someone to unscrew the doorbell button, and turn it into a wireless access point that would allow them to connect to your network.

You would like to think that companies working in the security space would have a better handle on security by design, but obviously we cannot depend on that.  So before you spend your money, you may want to check reviews online, and even find the owner’s manual on the support pages of the manufacturer’s website, and see how the security works.

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
