Can Your Physical Security System Leak Private Data?

The endless and widespread announcements of new network security vulnerabilities raise serious data security and physical security concerns. In a commercial environment, your security devices can contribute to that data leakage. As physical security technology progresses, it increasingly holds more data about you and your organization's habits and actions.

In the security control room of the Bellagio Hotel in Ocean's 11

It is a cliché in heist movies: the hacker, gadget guy, or mission-control coordinator breaks into the target's security camera system, turning the tables by feeding the heist crew everything the cameras see while showing the security guard misleading images. Heist movies are full of far-fetched plots, and the ease with which they depict a CCTV takeover is exaggerated, but the reality is that attackers anywhere on the internet can gain access to the cameras of many vulnerable organizations. Once in, they can manipulate cameras to support a heist, or simply turn all of your cameras and network devices into cryptocurrency miners or bandwidth-eating DDoS bots.

Less dramatic than a casino heist, but far more frequent, are hackers who, mostly recreationally, access security cameras. The recent Mirai malware is an example in which security cameras and servers are turned into bots taking direction from an attacker or attacker network. Mirai is only one of many malware families that prey on these vulnerable networks and devices.

Actions you can take to minimize your risk:

  1. Make network security an integral aspect of any physical security rollout.
  2. Keep the firmware on firewalls and appliances (including security cameras, alarm panels, and IoT devices) up to date at all times.
  3. Use a well-supported, business-class firewall. Open source is great if it is managed by knowledgeable engineers and the distribution is well supported with regular security patches.
  4. Do not open ports through your firewall; use VPNs to access remote cameras or resources. Use modern, well-accepted encryption on your devices.
  5. Use two-factor authentication with a physical key (e.g., YubiKey) so that resources are restricted to users with the correct passphrase AND the correct physical key.

Related Resources

Your Email is Filled with Attacks

The recent high-profile email dumps from Wikileaks appear to have been obtained through a pervasive email “phishing” scheme. I received the same email around the same time as the target of one of the most visible leaks. Here is how to minimize your risk.

DMP Virtual Keypad Provides Expanded Control and Apple Watch Support

The latest app update brings Apple Watch support and a new customizable Home screen.

The DMP Virtual Keypad app, which allows users to control their security systems remotely, has just released its latest version and is now a clear leader in the mobile alarm application space.

The latest update, released last week, provides a customizable home screen that allows users to quickly access their most used security cameras, thermostats, and other systems. The application is now available on Apple Watch for the first time.

Urban Alarm often recommends DMP security alarm panels because of the application’s high level of security, the manufacturer's quality and support, and multiple communication paths direct to our monitoring station.

While the DMP mobile application has, at times, lagged behind many others, it is now on par with or exceeds the quality and functionality of other mobile alarm applications.

Features of the DMP Virtual Keypad application

For consumers who want remote control over their security system, the application provides the ability to:

  • Control your systems via your Apple Watch
  • Lock or unlock doors
  • Arm or disarm security alarms
  • Turn on or off lights
  • Control thermostats and other in-home systems

The application provides real-time alerts when alarms are triggered, showing the user an image of the area in question. The user can then confirm or dismiss whether the disturbance is a legitimate threat.

This update will allow users to more easily view or control key areas of their home. The expansion to Apple Watch also increases the user’s assurance that they will always know what is happening in their secured home.

Keep security in mind when selecting an IoT app

DMP’s high standards for security and constant rollout of upgrades are positive signs for an Internet of Things application. It’s important that consumers consider potential security vulnerabilities whenever selecting IoT products.

Among the most common vulnerabilities are poor mechanisms for rolling out system updates, insecure connections when passing information from the device to the backend network, and holes in user account security.

It’s always advisable to vet a potential application and find out how it’s securing its data before fully investing in the product.

IoT Security Vulnerabilities

Consumers buy Internet of Things (IoT) devices like Ring Doorbell Pro to see instant videos of their doorsteps and keep their homes safe.

So imagine their surprise when some began seeing videos from other houses. The company had been merging databases containing user information, and some ID numbers were accidentally overwritten, leading to a mixup of user accounts. Ring contended that the error rate was extremely small — fewer than 10 out of nearly 84 million calls.

Still, the security error demonstrates the vulnerability of IoT security systems. There are a lot of areas where things can go wrong — from the backend network that keeps everything running, to the web or mobile app screens where users view information, and even the physical devices themselves.

And although the Ring case was seemingly an internal error that was caught relatively quickly, the real danger is a hacker breaking into a system and using it to damage people.

OWASP (Open Web Application Security Project) is currently working on a project that analyzes the security of IoT applications. The project highlights some major vulnerabilities that can occur:

  • Easy collection of usernames — Any time something needs to authenticate users (make sure they are who they say they are), there is a chance that an attacker can view and collect a list of valid usernames.

  • Weak passwords — If the system allows weak passwords (e.g., “1234”), people may be tempted to choose them, allowing attackers to easily guess them and obtain access to the account.

  • Lack of account lockout — Does the system let users guess passwords an infinite number of times? Systems that do are prime real estate for attackers.

  • Unencrypted services — A lot of information passes between the physical device, a device on the user's side (e.g., a computer or mobile phone), and the backend network that keeps everything running. If that communication is unencrypted, attackers can eavesdrop on the system and learn sensitive information.

  • Poor update mechanisms — All good systems should be able to securely install update files and clearly mark when the last update occurred. If this process is not robust, attackers can tamper with the update files and do damage — either by installing malicious updates or overriding other security measures.
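The first three items on that list (username collection, weak passwords, and missing lockout) are all decided in a few lines of an application's login path. The Python module below is an added example written for this page; it is not code from OWASP, DMP, Ring, or any other product discussed here. The thresholds (five failed attempts, a 15-minute lockout, a 12-character minimum), the short list of common passwords, and the PBKDF2 iteration count are illustrative assumptions, not values taken from any product.

```python
import hashlib
import hmac
import secrets
import time

# Policy thresholds: illustrative assumptions for this example, not product values.
MAX_FAILED_ATTEMPTS = 5          # failures before the account locks
LOCKOUT_SECONDS = 15 * 60        # how long a locked account stays locked
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000      # tune upward for production hardware
COMMON_PASSWORDS = {"1234", "123456", "password", "qwerty", "letmein"}

# One message for every failure, so an unknown username, a wrong password
# and a locked account are indistinguishable to the caller.
GENERIC_FAILURE = "Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen account table cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def password_is_acceptable(password: str) -> bool:
    """Reject the weak choices the list above warns about (e.g. "1234")."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    if password.isdigit():           # PIN-style passwords are trivially guessable
        return False
    return True


class AccountStore:
    """In-memory account store with lockout and enumeration-resistant login."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so lockout expiry can be tested
        self._accounts = {}
        # Decoy credential: an unknown username still costs a full hash
        # computation, so response time does not reveal which names exist.
        self._decoy_salt = secrets.token_bytes(16)
        self._decoy_hash = hash_password(secrets.token_hex(16), self._decoy_salt)

    def register(self, username: str, password: str) -> None:
        if not password_is_acceptable(password):
            raise ValueError("password does not meet the policy")
        salt = secrets.token_bytes(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def is_locked(self, username: str) -> bool:
        record = self._accounts.get(username)
        return record is not None and record["locked_until"] > self._clock()

    def login(self, username: str, password: str):
        """Return (success, message). Every failure path yields the same message."""
        now = self._clock()
        record = self._accounts.get(username)
        if record is None:
            # Same amount of work as a real check, then the same generic answer.
            hmac.compare_digest(hash_password(password, self._decoy_salt), self._decoy_hash)
            return False, GENERIC_FAILURE

        # Always compute the hash, even when locked, to keep timing uniform.
        matches = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])

        if record["locked_until"] > now:
            # A correct password does not unlock the account early.
            return False, GENERIC_FAILURE
        if matches:
            record["failures"] = 0
            return True, "OK"

        record["failures"] += 1
        if record["failures"] >= MAX_FAILED_ATTEMPTS:
            record["locked_until"] = now + LOCKOUT_SECONDS
            record["failures"] = 0
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # (True, 'OK')
    print(store.login("alice", "wrong"))                          # generic failure
    print(store.login("mallory", "wrong"))                        # same message: no username leak
```

Two design choices are worth noting. Returning the generic message for a locked account hides the lock state from the user, which is slightly less friendly but prevents the lockout response itself from becoming a username oracle. And the decoy hash for unknown usernames matters because an early `return` on "no such user" would answer in microseconds while a real check takes tens of milliseconds; the timing difference is enough to enumerate accounts even when the message is identical. Registration and password-reset endpoints need the same care, since "that username is already taken" leaks exactly the information the login path is protecting.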

These security vulnerabilities aren’t just hypothetical; some systems have already shown failures in the real world.

Observer.com published a list of eight of the biggest IoT security fails. Number one on the list was Target, the company that suffered a major breach of credit card information at the hands of hackers.

To pull it off, the attackers entered through a security vulnerability in Target’s IoT heating and cooling system. After gaining access to that system, the attackers were recognized as legitimate users and were able to access Target’s point of sale system — installing software on credit card readers that allowed them to see personal information every time a card was swiped.

In another case on Observer’s list, a presenter at a security conference demonstrated how easy it was to install code onto Nest thermostats.

The ability to tamper with the physical devices meant that attackers could buy tons of Nest devices, install malicious code, and then resell them to the general public. The attackers would then be able to access secure information from the unknowing consumers.

* Illustration re-posted under Creative Commons License from www.nesta.org.uk