There's no place like 127.0.0.1
There's no place like 127.0.0.1

Security researchers have discovered a number of vulnerabilities in an internet-enabled burglar alarm that could see the device being remotely switched off by an attacker.

According to a blog post, Ilia Shnaidman , head of security research at Bullguard, said that the discovery of multiple flaws in iSmartAlarm is another example of a poorly engineered device that offers attackers an easy target.

The device, said Shnaidman, has flaws that can lead to full device compromise. The cube-shaped iSmartAlarm provides a fully integrated alarm system with siren, smart cameras and locks. It functions like any alarm system but with the benefits of a connected device: alerts pop up on your phone, offering you full remote control via mobile app wherever you are

“An unauthenticated attacker can persistently compromise the iSmartAlarm by employing a number of different methods leading to full loss of functionality, integrity and reliability, depending on the actions taken by the attacker,” he said. “For example, an attacker can gain access to the entire iSmartAlarm customer base, its users' private data, its users' home address, alarm disarming and ‘welcome to my home sign'.”

He said that when switched on, the device communicates with its backend on tcp port 8443. However, the cube does not validate the authenticity of the SSL certificate presented by the server during the initial SSL handshake. “So after forging a self-signed certificate, I was able to see and control the traffic to and from the backend,” he said.

He said he wanted to see how the app and the cube communicate, and figure out if he could gain control over the alarm system remotely without the app. The iSmartAlarm app works in two modes. One option is when the cube and the app are on the same local network. The other mode is when they are on different networks. 

“While examining the first mode, I was able to sniff the encrypted traffic between the cube and the app on tcp port 12345,” he said. He added that because the cube and the app communicate directly over the LAN, he was able to stop the cube from running.

“While running a DoS attack on the cube, the legitimate user loses control over the alarm system, and he or she is not capable of operating it, neither remotely nor locally.”

He added that once an attacker infiltrates the home/business network and find such a device, they could fully compromise the device. “It is needless to list the potential damages of a compromised physical security system such as alarm system,” he added.

Jason Hart, CTO of data protection at Gemalto, told SC Media UK that consumers are increasingly embracing connected devices, but the lack of security controls within them is giving hackers the ability to compromise data, take control of devices, or use them to access networks to conduct cyber-attacks.

“Any device that can connect to the internet is susceptible, and the data that's often collected can be very sensitive, so securing them is crucial for the growth of the IoT,” he said.

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, told SC that even when a vulnerability is known or discovered, all too often manufacturers cannot fix them as they typically lie within third-party components.

“To try and address the issue, comprehensive agreed-upon IoT security guidelines should be created in collaboration with all interested parties – from hardware manufacturers to service providers and security experts. At the same time, ordinary users have to be educated about strong password policy as this will enhance the security of their connected devices,” she said.

Ken Munro, a partner at Pen Test Partners, told SC that over-the-air updates can make a big difference in allowing these devices to be updated.

“OTA updating brings its own challenges, though,” he said. “For a start the mechanism has to be secure itself or you could be creating an additional attack vector and channel for malware. And there can be a tendency to adopt a ‘sell now, fix later' mentality. It's tough for any developer to write code that defends against all current and future security issues so manufacturers have to start to making patching a priority [or] we could be in for a world of pain when IoT devices have saturated the planet.”