If the title seems confusing, it is not your fault. It is really tough to get my head around the epic failure of purported security companies who bring products like these to market. This practically qualifies as fraud!
The first story is about a manufacturer of security camera and DVR systems. This company is a white-box manufacturer, in that it builds products that are privately labelled by other companies and sold under many different brand names. The surveillance camera system is controlled through a web user interface, which you can log into from any web browser with the IP address, user name, and password. Unfortunately, the manufacturer has created a root system user and password that are hard-coded into the firmware and cannot be changed. This means that anyone who knows those credentials can log into your surveillance system, change your password, and lock you out.
The next tidbit is about a security alarm system that security researcher Luca Lo Castro bought for his own home. This was not a cheap system, but a Grade 3 out of 4 on the European standard EN50131. The problems he discovered included:
- The manufacturer recommends opening a firewall port and using port forwarding to allow direct unencrypted access to the alarm from the Internet. This really means anyone who knows your IP address can log onto your security system.
- The alarm system “calls home” in clear text, so traffic, including pass codes, can be read off the wire using software like Wireshark.
- Authentication uses a known password to reach the web interface, then your user name and pass code to log through to where you can make changes to the system. There are two pre-programmed users and passwords, Engineer and Master. Looking these settings up on the manufacturer’s website will get you into the system.
- The mobile app communicates with the control panel, including sending the password, in plain text.
So all in all, not that secure.
The last story is about a doorbell paired with a CCTV camera and intercom that connects to your Wi-Fi. This allows you to see who is at the door from a computer, or even from the smartphone app when you are away. Unfortunately, the device is built in a way that would allow someone to unscrew the doorbell button and turn it into a wireless access point, giving them a way onto your network.
You would like to think that companies working in the security space would have a better handle on security by design, but obviously we cannot depend on that. So before you spend your money, you may want to check reviews online, and even find the owner’s manual on the support pages of the manufacturer’s website, and see how the security works.
More information:
- Naked Security – Insecure Surveillance System
- Naked Security – Insecure Security Alarm
- Lo Castro on same device
- Naked Security – Insecure Doorbell
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com