It is awkward to begin a blog in such a way. I really wanted to start with a positive entry, really.
This article is about your security alarm system and the perception of security.
Today everything needs to be “online” – to provide a useful service or for marketing reasons or just because it is possible.
Home security alarms are not excluded from this trend, and there are companies out there making their first steps into the Internet of Things, perhaps too naively.
What is a home alarm system? Wikipedia has a decent entry about it that is worth reading:
A security alarm is a system designed to detect intrusion – unauthorized entry – into a building or area. Security alarms are used in residential, commercial, industrial, and military properties for protection against burglary (theft) or property damage, as well as personal protection against intruders. Car alarms likewise protect vehicles and their contents. Prisons also use security systems for control of inmates.
Some alarm systems serve a single purpose of burglary protection; combination systems provide both fire and intrusion protection. Intrusion alarm systems may also be combined with closed-circuit television surveillance systems to automatically record the activities of intruders, and may interface to access control systems for electrically locked doors. Systems range from small, self-contained noisemakers, to complicated, multi-area systems with computer monitoring and control.
A European standard EN50131 classifies four grades of intruder alarm systems:
Systems classified as Grade 1 would be most at risk from “Opportunist” thieves. Intruders would have little knowledge of Intruder Alarm Systems, and would be restricted to a limited range of easily available hand tools, such as hammers, chisels, screwdrivers, pliers etc. This Grade would typically be used for most domestic ‘Bells Only’ Systems. This grade is a lower standard than BS 4737.
Systems classified as Grade 2 are likely to be targeted by criminals who will have prepared themselves prior to a crime and will know something about the contents of a building. Intruders would have limited knowledge of Intruder Alarm Systems, and would have the use of a general range of tools and portable instruments such as multimeters, bolt cutters, battery drills etc. This grade would normally account for large residential and small commercial Systems such as Florists, Bakers, Salons and Carpet Retailers. Grade 2 is the closest to BS 4737. An option has also been created for lower risk Grade 2 systems, which are not monitored. These are classified as Grade 2X.
Systems classified as Grade 3 are likely to be required where a building's contents are perceived to be high value, and criminals are likely to spend time planning an intrusion. Intruders would be conversant with Intruder Alarm Systems and have a comprehensive range of tools and portable electronic equipment, such as oscilloscopes, laptops, security screwdrivers etc. Typically this grade would account for most commercial systems such as bonded warehouses, motor garages, computer distributors, mobile phone shops, sports shops etc.
Systems classified as Grade 4 will apply where security takes precedence over all other factors. Intruders are expected to have the ability or resource to plan an intrusion in detail and have access to a full range of tools and equipment. This would include the means to substitute vital components in the Intruder Alarm System. Typically this grade accounts for security systems that could be applied to military installations, bullion and cash centres, government research establishments etc. In these circumstances there is a high risk of organised crime or terrorism.
Intellhome.com has an easy-to-read diagram explaining standard alarm components and their connections.
While reviewing my options for a home security system, I came across an interesting product from a company called Texecom.
Texecom currently sells two series of alarm panel, and the ComIP module's listed specification reads:
- Premier Elite Series Compatible
- Premier Series Compatible
- Modem Speed (Baud) 19200
- ATS Class 4
- Enables alarm system control via Premier Elite Mobile Apps
- Upload / download via Wintex software
On paper the module complies with App Transport Security Class 4, allows the alarm system to be controlled from a mobile app, and makes programming the alarm easier through bespoke configuration software rather than the keypad.
I purchased one of their Grade 3 Premier Elite control panels, along with sensors, a keypad and a ComIP module, and assembled the system.
I was very pleased with the alarm system itself, but I was let down by their ComIP module because I found it not secure at all.
Let me explain my reasoning.
To control the alarm system remotely, the mobile application user guide explains that you should open a firewall port on the router and forward it to the control panel from the Internet.
This allows the remote mobile apps to connect directly to the ComIP module, over an unencrypted connection!
As the diagram above shows, the ComIP module not only communicates with a security center but also carries IP traffic between the mobile app and the control panel, giving full remote control of the security system.
Authentication to the ComIP module is done by providing a so-called UDL password. This password is the gatekeeper to the alarm control panel.
Once logged in with the UDL password, providing a user ID and a numeric code gives full access to the alarm system.
User IDs are sequential numbers starting from 0, and every panel ships with two known IDs, 0 and 1.
ID 0 is the engineer ID and ID 1 is the master ID; all other users are numbered sequentially after those.
The engineer and master IDs also ship with a generic default code, which obviously needs to be changed.
Analysing the traffic between the mobile app and the control panel shows that all communication is in clear text.
Information such as the UDL password, device name and location, and IP addresses can easily be spoofed over the Internet.
The mobile app installation guide does recommend using a protected UDL password, which can only be generated by purchasing the engineer mobile app.
After purchasing the engineer app I realised that, for some reason, Texecom does not give access to the UDL code generator to engineers who are not authorised.
Page 19 of the mobile user guide shows an example of the Encrypt UDL Password generator, and it turns out that what they call an encrypted password is just Base64 encoding.
It is possible to achieve the same result on a Windows PC with PowerShell by running the following command:
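The clear-text traffic and the Base64 "Encrypt UDL Password" described above, as an added example in Python (this is not the author's PowerShell command and not Texecom's code). `encode_udl` and `decode_udl` show that the round trip needs no key; `base64_plaintext` is a general check, applicable beyond this product, for whether any value labelled "encrypted" is merely Base64 of readable text; `printable_ratio` and `find_obfuscated_tokens` audit a message captured on your own network. `SAMPLE_PAYLOAD` and its field names are constructed for illustration and are not the Texecom protocol format.

```python
import base64
import binascii
import re
import string
from typing import Dict, List, Optional, Tuple

# Constructed sample of one application-layer message as a packet capture on
# the local network might show it. The field names and values are invented for
# illustration; they are NOT the Texecom protocol format or real vendor values.
SAMPLE_PAYLOAD = b"LOGIN udl=MTIzNA== name=Front%20Door user=1 code=5678\r\n"

# Runs of Base64 alphabet characters with optional padding.
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{4,}={0,2}")


def encode_udl(password: str) -> str:
    """Base64-encode a password, as a plain 'encode' step does.

    No key, salt or secret is involved: the output is a fixed function of the
    input, which is why this is encoding rather than encryption.
    """
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def decode_udl(encoded: str) -> str:
    """Reverse the encoding. Anyone who sees the value can do this."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")


def base64_plaintext(value: str) -> Optional[str]:
    """General check: if `value` is Base64 of printable text, return that text.

    Run it on any field a product labels "encrypted"; if readable text comes
    back, the field is merely obfuscated and gives no confidentiality.
    """
    if len(value) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if text and all(ch in string.printable for ch in text):
        return text
    return None


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII.

    A value near 1.0 means the stream is clear text; encrypted (TLS) traffic
    looks close to uniformly random, roughly 0.4 by this measure.
    """
    if not payload:
        return 0.0
    printable = set(string.printable.encode("ascii"))
    return sum(b in printable for b in payload) / len(payload)


def find_obfuscated_tokens(payload: bytes) -> List[Tuple[str, str]]:
    """Return (token, decoded_text) for each Base64 token in a clear-text
    payload that decodes to printable text."""
    found = []
    for match in _B64_TOKEN.finditer(payload):
        token = match.group(0).decode("ascii")
        text = base64_plaintext(token)
        if text is not None:
            found.append((token, text))
    return found


def audit_payload(payload: bytes) -> Dict[str, object]:
    """Summarise what a capture of one message exposes to anyone on the path."""
    return {
        "clear_text": printable_ratio(payload) > 0.9,
        "obfuscated_fields": find_obfuscated_tokens(payload),
    }


if __name__ == "__main__":
    assert decode_udl(encode_udl("1234")) == "1234"
    print(audit_payload(SAMPLE_PAYLOAD))
```

Running the audit on the constructed message reports it as clear text and lists the `udl=` field together with its decoded value, which is the whole point: a Base64 value on the wire protects nothing, and only an encrypted transport (or, as the post suggests, a VPN so the traffic never crosses the Internet in this form) changes that.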
I brought the security flaw to the company's attention and was given the following answer:
Our mobile applications, when used in conjunction with IP-based communicators, are designed to provide simple homeowner monitoring and additional features for lower risk applications. These are not intended to replace professionally monitored and certified alarm communications, and Texecom supports numerous products that are intended for higher risk applications.
Our self-monitoring signalling products are reliant on the local IT network being secure, and we accept that unsecure local IT networks can compromise the security of any information communicated within the network itself.
At present it is not possible to change the security settings on our homeowner monitoring service. However, we are continuing to improve the security of our services, regardless of the perceived current risk, and we will continue to provide firmware upgrades to our products to enhance performance and security.
If you happen to have a Texecom Premier Elite Control Panel with a Premier Elite ComWiFi or Premier Elite ComIP module, my advice would be not to open any firewall port to the control panel.
A workaround for controlling the alarm system remotely with the mobile app is to create a VPN connection from the mobile device to the local network where the control panel is installed, and then run the Texecom mobile app over that VPN.