A home alarm system that could make you less safe
These days almost everything is online thanks to the internet of things. That can, of course, be good since it allows you to control and monitor devices from wherever you are. It can also be a problem as we've seen. Sometimes the security of these devices is a bit lacking. I fully expect that one day one of my colleagues here will turn off my lights just because he can.
A bigger problem arises when the security weakness is actually your home security system. That seems to be the case with Texecom, as UK-based security researcher Luca Lo Castro found out when he purchased the system.
All was well until he delved into the ComIP Module and then problems reared up. According to Sophos, "Unfortunately, what Luca found in the IoT alarm system he investigated was that a well-practiced crook might very well need little more than a laptop, or even just a suitably programmed mobile phone, as his break-and-enter tool of choice".
Castro found the following problems: a firewall port is opened for access from the internet, the alarm calls home using no encryption or authentication, and the mobile app communicates with the system also using no encryption or authentication.
"After purchasing the engineer app I have realized that for some reason, Texecom does not give access to the UDL code generator to not authorized engineers. Reading through the mobile user guide, on page 19 it shows an example of the Encrypt UDL Password generator and it turned out that what they called Encrypt Password is just a BASE64 Encode", Castro claims.
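Base64 is a keyless, reversible encoding, so a value "protected" this way is readable by anyone who can see it. The following is an added example, not code from the original article or from Texecom, showing an audit check that flags values labelled as encrypted that are really just Base64-encoded text; the field names and sample values are constructed.

```python
import base64
import binascii
from typing import Dict, Optional


def keyless_decode(value: str) -> Optional[bytes]:
    """Return the bytes behind a canonical Base64 string, or None if it is not one.

    No key or secret is involved: anyone holding the string can run this step.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Require an exact round trip so odd padding or stray bits are rejected.
    if not raw or base64.b64encode(raw).decode("ascii") != value:
        return None
    return raw


def classify(value: str) -> str:
    """Classify a stored value that a product describes as 'encrypted'."""
    raw = keyless_decode(value)
    if raw is None:
        return "not-base64"
    if all(0x20 <= b < 0x7F for b in raw):
        # Decodes to printable ASCII with no key: encoding, not encryption.
        return "encoded-plaintext"
    # Binary payload: may be real ciphertext, needs a closer look.
    return "base64-binary"


def audit(fields: Dict[str, str]) -> Dict[str, str]:
    """Map each field name to its classification."""
    return {name: classify(value) for name, value in fields.items()}


# Constructed sample values; none come from a real alarm system.
SAMPLE_FIELDS = {
    "udl_password": "MTIzNA==",  # hypothetical field: Base64 of the code "1234"
    "session_blob": "AAEC",      # Base64 of bytes 00 01 02 (binary payload)
    "site_name": "Front door!",  # not Base64 at all
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_FIELDS).items():
        print(f"{name}: {verdict}")
```

Any field reported as `encoded-plaintext` should be treated as stored and transmitted in the clear.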
Yes, the IoT is a good thing in theory and it's a lot of fun to play with these devices, but it isn't all ready for prime-time just yet.