All Wireless Security Alarm Systems are not Vulnerable (but most are)

Wired Magazine is back to remind us that most of the security alarm systems installed are easily hacked. In 2014 Wired reported on the vulnerabilities of alarm systems installed by ADT, Vivent, and others; and today reported on similar vulnerabilities of security alarm system installed by Xfinity:

Security researchers at Rapid7 have found vulnerabilities in Comcast’s Xfinity Home Security system that would cause it to falsely report that a property’s windows and doors are closed and secured even if they’ve been opened; it could also fail to sense an intruder’s motion.
— Wired Magazine

In response to their reporting CERT (Computer Emergency Response Teams, sponsored by the US Department of Homeland Security) issued a “Vulnerability Note” echoing this warning.

This is not news. The majority of consumer intrusion alarm manufacturers operate under the assumption that intruders are not going to be knowledgeable or do their homework. And they are largely correct.

Most break-ins are opportunistic and perpetrated by someone looking for the easy way in, and a quick way out. Intrusion Alarm Systems do not need to be sophisticated to address this threat. The wireless vulnerability is just one of many deficiencies of most security alarm systems.

most of the EQUIPMENT installed by national alarm companies have been found to be vulnerable. Urban Alarm installs alarm control panels that are not SUSCEPTIBLE to these issues. 

most of the EQUIPMENT installed by national alarm companies have been found to be vulnerable. Urban Alarm installs alarm control panels that are not SUSCEPTIBLE to these issues. 

Basic encryption, standard in any consumer WiFi router, is extremely rare and generally only implemented in the most secure DOD level intrusion alarm systems (e.g., Sensitive Compartmented Information Facility or SCIF’s).

I have never heard a major consumer-oriented alarm company mention issues around social engineering much less have a strategy for mitigating those risks.

Wired cited a Comcast spokesperson responding to today’s article: “Our home security system uses the same advanced, industry-standard technology as the nation’s top home security providers,” the spokesperson said. “The issue being raised is technology used by all home security systems that use wireless connectivity for door, window and other sensors to communicate.”

Well, yes and no. It is shockingly true that systems sold by most security alarm manufacturers are vulnerable to this same problem. However, there are security alarm systems that are proactive in addressing these issues, and much less vulnerable. Security alarm installers that put security ahead of cost and some “nice to have” features can talk about these trade-offs, and offer options that significantly address these problems.

I recently discussed “high security alarm systems” with a customer who was looking for the absolute state of the art in security. And while most major alarm companies would suggest such systems center around “smart homes” and “internet of things” the most secure systems are not always the coolest systems (or at least the systems that look cool in an advertisement).

What makes a high security intrusion alarm system? There is a range, from the DIY and mass market systems covered in these Wired articles, to the uber high security systems that are defined by UL standards and are the cornerstone of security for the intelligence and defense agencies.

Most of the systems Urban Alarm installs address the specific wireless vulnerabilities covered in the articles with two-way wireless, wireless jamming detection, higher frequency spread-spectrum technology, and variable time duration supervision. Some customers want the alarm system to sound a warning when interference jams the wireless signal for a moment. Others are less concerned and would prefer an uninterrupted night’s sleep to a false warning from innocuous stray wireless signals.

Characteristics of a high security intrusion alarm system (this technical list is for illustration and scope so I will not get into detailed explanation of each here):

  • High frequency spread-spectrum wireless
  • Two-way wireless with variable timeframe supervision
  • Anti-jamming detection and notification
  • End of line resistors (at the end of line, not in the alarm panel)
  • Multiple communication paths for monitoring signal transmission
  • Aggressive supervision of a security panel’s communication from the central station (e.g., the alarm panel performs a communications test every few minutes and a failure triggers a warning or alarm)
  • Encrypted communication with an alarm monitoring central station
  • IP restricted reporting and/or VPN tunneling to central monitoring station
  • Tamper detection on panels, wires, and other elements of the alarm system
  • Biased (balanced) magnetic reed contact
  • Two-Factor Authorization with Central Station Dispatchers
  • Social Engineering defeat strategies

It is not practical or cost effective to implement all of these strategies in every installation. Threat assessments are a part of designing a good security alarm systems. Installing a security system where there is a specific targeted threat may be different than for someone whose primary concern is the most likely scenario: the 99% opportunistic threat.

The security industry needs to do better. The near industry-wide “security through obscurity” model is going to get worse as naive mass market providers try to compete with creative feature innovation coming from Silicon Valley and manufacturers (the good ones) are pushed beyond their focus on pure security.

Integrating Access Control and Video Surveillance with Slack

Enterprise physical security has technology advances every year but it is most often only loosely connected, and often falling behind, the innovation coming out of Silicon Valley.

The lagging innovation coming out of the historically slow moving enterprise security and commercial life safety industries is increasingly making those companies vulnerable to the creativity and disruption coming from the Maker culture of new technology.

We deploy many newer products and services in the operations of Urban Alarm. Slack ( has become a primary platform for our internal communications around projects and operations. Between Slack for real-time communication and Asana ( for task based collaboration we have all but eliminated internal email.

One of the promises of new technologies like Slack and Asana is the open integration which is leveraged to an extreme with integration focused services like If This Then That (IFTTT) and Zapier.

This integration can be a quick and simple opportunity to integrate physical security technologies with a modern workflow. For our offices we have created a Slack channel where door access control and video security alerts feed in via email or direct IP integrations. Email based integration is quick and simple however the feed can be better customized with webhooks or a more direct API.

Other ways to leverage integration with Slack or other modern cloud based services:

  • Send video from off-hours access to Asana or another task management system so operations to "check" all accesses as valid.
  • Track all alarm system arming and disarming of the alarm system in a slack channel.
  • Send all video events (or some subset of video events) into Slack, Asana, and any other system that fits your organization's workflow.

The Zapier Integration Zapbook is a good place to start for ideas even if you don't end up using Zapier to accomplish the integration.

A sample of the quick and simple integration of Slack with physical access control and video surveillance (we have trimmed out some of the additional text that is a limit of the email integration)

Modern cloud based web services almost always have excellent options for integration using email, WebHooks, or other methods.

Modern cloud based web services almost always have excellent options for integration using email, WebHooks, or other methods.