back to article Burglary in mind? Easy, just pwn the home alarm

It's Monday, and infosec-watchers are showing their age by calling internet of things security disclosures “a broken record”. This time, it's a home security system that's remotely p0wnable. iSmartAlarm ships a variety of app-linked security products, including door sensors, motion sensors, cameras, locks, and a controller …

  1. David Roberts
    Paris Hilton

    iSmart

    As in "Ouch. That's gotta smart!"

    1. John Brown (no body) Silver badge

      Re: iSmart

      Yeah, the irony meter just wrapper its needle around the stop. It's waaaaay past 11.

      A security system with almost no security FFS!

      1. Fatman

        Re: iSmart

        <quote>It's waaaaay past 11.</quote>

        Nope! the fucking pointer is bent 90 degrees out of whack.

  2. David 132 Silver badge

    "Showing their age"?

    It's Monday, and infosec-watchers are showing their age by calling internet of things security disclosures “a broken record”.

    Yeah, all the cool kids now use the phrase "a corrupt M4A file"

    /rolls eyes

    1. Anonymous Coward Silver badge
      Childcatcher

      Re: "Showing their age"?

      Damn it. I've only just got used to "a scratched CD"

    2. h4rm0ny

      Re: "Showing their age"?

      Yeah - the point with a scratched record is that it can get stuck in a loop and keep repeating the same bars over and over. A corrupt file just stops.

      1. 's water music

        Re: "Showing their age"?

        Yeah - the point ...

        Yeah - the point with a joke is... ...wait was I just meta-trolled?

      2. Anonymous Coward
        Anonymous Coward

        Re: "Showing their age"?

        A corrupt file just stops.

        A bit like the support once shipped with these cowboys?

      3. Anonymous Coward
        Anonymous Coward

        Re: "Showing their age"?

        > A corrupt file just stops.

        Unlike a corrupt politician.

  3. eldakka

    I'm confused.

    What server is the Cube, the controller unit, trying to connect to. Isn't the Cube the server in this case, the endpoint for the phone app to communicate with?

    With the exception of updates, why would I want my security controller communicating with some other server?

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm confused.

      To help improve their service and give the best experience to customers, the Cube is connected tot he Cloud 24/7. If the cloud service should not respond within 3 femto seconds, it opens all doors...

      1. Captain Badmouth

        Re: I'm confused.

        "Open all hours"- there's an idea for a comedy, a technically illiterate small town trader selling dodgy burglar alarms. What do you think?

  4. Anonymous Coward
    Anonymous Coward

    Three things in life you can always rely on,

    Water being wet.

    Grass being green.

    IoT being insecure.

    It's not like it's anything important you know like a burglar alarm.

    1. jake Silver badge

      This is California. In July.

      The water has dried up.

      The grass is brown.

      Damn near everything IoT is insecure, though.

      Burglar alarms do nothing but let the burglars know who has shit worth stealing.

      1. Lee D Silver badge

        Re: This is California. In July.

        In the modern age, everyone has shit worth stealing.

        You'd be hard pushed, as a burglar, to break into somewhere and not find enough there to make it worth your while.

        Burglar alarms, however, notify someone that something's not right. People miss the point that your neighbours really couldn't care, especially if it's often wrong. The *alarm* part is poorly designed nowadays.

        However, the problem is that you just need to alarm the RIGHT people. The owners of the car/house/garage whatever. That needs some kind of integration, but in most circumstances a GSM alarm sending a text to the owner is a million times more useful and effective than something going off in the middle of the night while you're on holiday and just annoying your neighbours.

        Because the person it alarms is then YOU, and the person who cares about the false positives is then YOU, and the person who knows they need to fix their stuff is then YOU.

        But you don't need IoT to do that. In fact, that's layers of complication that you don't want. A GSM alarm is a plugin box, with a single off-the-shelf chip, tiny as anything, that texts a set number when a wire is activated. It's simple, works, cheap, and will send the text as soon as reception returns if it's dropped. It's also easy enough to hide anywhere, so blocking it is a pain in the butt.

        IoT stuff, you have to hope has even booted properly, can get on the wireless, has a firmware update, the service is up the other end, they tell you if the service is ever down, etc.etc.etc.

        I've never wired an alarm into my house. It's pointless. The only people who care are the people who live there. So my alarms all notify *me*. Even my car. And I can check CCTV from work and ring the police is anything is untoward.

        So, actually, the people with stuff worth nicking are probably not the people with an alarm nowadays. Everything is hidden, silent, high-tech, integrated, remotely-visible. If my kit is, and I'm just a nerd with off-the-shelf kit, you can be sure as anything that those people with the million-pound houses (a much better indicator of the contents) have got a similar system too nowadays.

        But it doesn't need IoT shite to do it. Unless you expand IoT to include "stuff that comes with an Ethernet socket or a SIM slot", like a CCTV NVR, car GPS tracker, house GSM module, etc. I wouldn't class them as IoT, but they can make your day very bad if you're a burglar (or - much more common in my case - you lob my fragile parcel over my garden fence, leave the recycling bin smack-bang in the middle of my drive after spilling all its contents while supposedly collecting it, or just plain park across my driveway and then walk off).

        1. jake Silver badge

          Re: This is California. In July.

          Or, you can save a lot of time and money (and typing, apparently) and get a dawg. Or several.

          1. CrazyOldCatMan Silver badge

            Re: This is California. In July.

            and get a dawg. Or several.

            Apparently, the optimum solution is a large, unagressive dog. And a small, hyper-paranoid[1] dog.

            Small dog hears something, make enough noise to wake up and wind up large dog.. Large dog investigates, burglar leaves in a hurry[1]. Big dog goes back to sleep.

            [1] If allowed. I'm not sure whether the story of a burglar trapped on top of a fridge for a day or two is urban miff or not.

            1. Lee D Silver badge

              Re: This is California. In July.

              Have any of you people ever tested having a stranger (that the dog doesn't know) enter your house while you're out, and bringing a packet of dog biscuits?

              For sure, I doubt most dogs understand the difference between a stranger and a burglar, especially if you've spent their lifetime pulling them back from sniffing visitors, telling them off for barking, locking them away from strangers, etc. And they only need to be distracted enough for someone to tie their lead to tie and some sofa leg out of their way. Hey, I bet if someone approached you on the street while you were taking them out for a walk, you'd let them mollycoddle the dog so long as they were inquiring about the breed, etc. Bang, the dog knows who that person is and "owner" approves.

              Ask a random animal shelter quite how long it takes most dogs to realise that you're "friendly enough" because you have some food, unless the animal is outright dangerous to everyone (owners included). Have none of you ever hired a dog-sitter to feed them while you're on holiday, etc? The majority of animals adjust extremely quickly and are easily led into "social hacks".

              Again, all the fancy "it would never happen to me" ideas foiled within seconds by someone with a bit of balls (they're burgling anyway, they have that) and a doggie treat in their top-pocket (which provides a distraction / escape route in case a dog suddenly appears that they didn't know about).

              I'd posit that any professional burglar would be more likely to have a dog biscuit on them than a crowbar. Crowbars attract attention, are hard to hide, get you nicked even if you haven't broken in. A dog biscuit quells attention, might save your arse, and you can't get nicked for.

              Unlike some, I have researched. Police have zero interest in CCTV footage unless it's absolute full-on HD faces, which is unusual with any burglar who's done it more than once. I used to spend portions of my career obtaining it for them. Number of convictions: One. Of a teacher that restrained a child kicking the shit out of his classmate, the parents did the teacher for assault and cost him his career. They hate CCTV. It takes them hours to retrieve, longer to analyse, often ends up with nothing (you don't burgle your own neighbourhood where the cops all know you by sight) and rarely can be used for prosecution.

              Entry into any premises is also incredibly easy. It's being brave enough to do it. Door locks are not unbreakable (everything from lock-picks to bump keys, but to be honest, just a large screwdriver and knowing how to use it will break most places) and if they are, you just don't use the door. Most of the footage I retrieved was for people who took less than 10 seconds to enter a property (the exception is kids, who generally take a lot longer and are happy to stand there for 10 minutes if they see even the slightest progress).

              Unless you live in a flat in a high-rise with no other feasible method of entry, the door is only one of a million options. Two different burglaries in my area in the past year, both times by jumping the garden fence (takes seconds, almost no risk if you look around / pretend you're delivering a parcel until you know nobody is looking), both times by going round the back, both times by wrenching open a rear window in seconds. One of them, there were people in both neighbouring houses all day and NOBODY heard a thing while it happened and didn't know until the homeowners returned and raised the alarm.

              Your house insurance just states that it has to be forced entry for a reason. They know you CANNOT secure anywhere. They just want you to not have left the doors wide open. They also know that almost all burglaries involve forced entry. I bet all those people thought they had an unbreakable lock too, until it's lying on the floor still attached to the PVC patio door.

              Same with cars, sure you can radio-jack some now but most thefts wouldn't bother. They just destroy the doors, because who cares? It's not their car. The industry standard is about 1 minute to enter a car without smashing a window, and then it's classed as "secure". Your back window, patio door or even brick wall similarly wouldn't take a minute to break through if someone wanted to even if they don't want the sound of breaking glass. Hell, I've seen entire double-walls taken down in less time, and thinking you've secured your house because the door is impenetrable just makes me look at the fragile glass window right next to it.

              Trying to STOP the crime is stupid. Not to mention dangerous. And expensive. And pointless. What you need to do is detect the crime. You spot the bloke coming up the drive on a camera. You have the doorbell ring your smartphone in work. You have the dogs bark at something if you're in bed. You can't STOP him from there, if he has even a minute alone. But you might be quick enough to catch him in the act, by calling the police or in-person.

              You know the police made it to my house in 1m30s when a neighbour reported an intruder? It was me, but they didn't know that. That's what they prioritise, because that's how you catch them and prosecute them. It takes hours to even do fingerprints, etc. and most of the time they don't have the time to do that either. Nobody's been caught for the two burglaries mentioned above, or most of the forced entries I witnessed when it was part of my job.

              What matters is not "stopping" them, you can't. You can hinder them at best. And hope that you are aware early, so that the hindrances put them off and/or prove to be their downfall and they get caught in the act. People have been burgled before now without even waking up. It's not uncommon at all.

              Like all things, the weakest link in the chain is where attacks occur. If you double-bolt, British standard, 5-bar lock with London bar, chain and bolt? Yeah, they just smash a window. Or lever the frame. Or jump round the back.

              It's about time and early detection, not spending a thousand pounds making a door secure when it's one bit of glass away from theft anyway. Most police forces barely even respond to reports of an already-committed burglary. They send round CSO's or even just civilians who work for them to gather a statement, and that's it. They can take HOURS to arrive, and if you think they always do forensics, you're wrong. Unless you can report "in progress" (which is a valid 999 call, by the way, reporting a burglary that's already happened isn't considered so), they can't do much at all.

              And all the big strong doors in the world don't tell you an attack is in progress if you're at work and have no idea until you get back at 6pm.

        2. Anonymous Coward
          Anonymous Coward

          Re: This is California. In July.

          So my alarms all notify *me*. Even my car. And I can check CCTV from work

          Great, so instead of getting back from holiday and seeing that your house has been burgled you can watch it in real-time. And have your holiday ruined as well.

          I have good locks, and insurance.

          1. Anonymous Coward
            Anonymous Coward

            Re: This is California. In July.

            > I have good locks

            No such thing.

            I used to break into houses during my university days and I never even bothered to look at the lock. If the door wasn't unlocked in the first place, non-destructive entry could usually be made through somewhere else such as a window, service door, cellar trap, etc. If not, destructive methods did the trick nicely.

            Emergency services, not burglary, but the skills are quite transferable when it comes to going into places.

            1. Anonymous Coward
              Anonymous Coward

              Re: This is California. In July.

              If not, destructive methods did the trick nicely.

              Not always. Some years ago we returned from Christmas vacation to find a cracked concrete sill and badly twisted lock where some ne'er-do-wells had tried to break in, apparently with a crowbar to lever open the shutter. Although they did some damage, twisting the metal lock frame, they were unsuccessful. I've since added an additional security bar. So, good locks do work.

        3. Anonymous Coward Silver badge
          Black Helicopters

          Re: This is California. In July.

          Actually, the really rich people wouldn't want such a system. They'd rather pay a security company to keep an eye out for them rather than having to check it out themselves.

          Monitored alarms or security patrols (and dogs) will do it all without inconveniencing you.

        4. lglethal Silver badge
          Trollface

          Re: This is California. In July.

          Lee, Lee, Lee... You'll never get rich selling something cheap to people.

          You have to give it the glam and the glitz - the always online functionality, the name created by a toddler, and the look of something that fell out of Apple's rejects folder.

          Cheap, simple and effective? No chance!

        5. CrazyOldCatMan Silver badge

          Re: This is California. In July.

          I've never wired an alarm into my house.

          Likewise. If I try he just looks at me and woofs. If I persist, I need to check my fingers for toothmarks..

          PS: I'd like a Lynx cat. Just so I can have a sign that says "Beware of the cat".

      2. Anonymous Coward
        Anonymous Coward

        Re: This is California. In July.

        "Burglar alarms do nothing but let the burglars know who has shit worth stealing."

        Actually you ask most (ex)burglars and they will say an alarm is a deterrent,

        Take two identical houses.

        One with (possible) alarm, one without.

        Given all other features are identical (doors, windows, surround visibility), which one will they hit.

        100% the one without, every time.

        Even dummy boxes will do the job, providing they are the same as the real thing. If you don't believe it, see how much ADT dummy alarm boxes sell for.

        1. Tikimon

          Re: This is California. In July.

          The deterrent value of an alarm is overstated. The thieves know a simple fact - the cops will almost always show up too late to catch them. My old house in south Atlanta was broken into at least four times after an obvious alarm was installed. In each case they got in, grabbed the TV and computers, and were gone before the police arrived. ONE time the cops arrived to see the criminal walking toward the street. He bolted through the back yard instead and got away clean.

          On the good side, the alarm kept their visit short. Otherwise they could have taken their time since we were at work and gone for hours.

  5. Anonymous Coward
    Anonymous Coward

    That implies targeted burglary

    What percentage of burglaries are targeted - going after a particular address, rather than a crime of opportunity? From what I can tell around here, almost all fall into the latter category. Most burglaries are in the poorer cities / poorer parts of cities, often just going in houses that didn't even have the door locked.

    If they were targeting they'd go into the nice neighborhoods where the chance of getting really good loot is higher, cut the phone/cable lines, and use a cellular jammer off eBay (in case the alarm uses cellular) Less than 1% of burglars are smart enough to do that, and they'd have to be even smarter to hack an alarm system.

    1. MonkeyCee

      Re: That implies targeted burglary

      "If they were targeting they'd go into the nice neighborhoods where the chance of getting really good loot is higher"

      My MIL lived with a (supposedly) ex crook who went to jail for receiving. We stayed there for a month when getting settled in the country and he was full of stories about his "old" days. He maintained that stealing from poor people was a bad idea, "working" over a poor neighborhood was worse, since there are more likely to be people home during the day and more likely that there would e some local group of goons that would object to his lot.

      So he and his minions would pick a upscale neighborhood, go there during the work day, and clear out half a dozen houses. So the neighborhood would be targeted, but individual properties will be opportunistically targeted.

    2. Oneman2Many

      Re: That implies targeted burglary

      Having been the victim of a break in myself at the end of last year, I've since spoken to CID, security companies and shall we just say 'others'. Yes there are crimes of opportunity but the majority of break ins actually have a bit more thought behind them. Police think we were targeted because of my ethnic background and the increased chance of having a lot of jewellery at home (we didn't). They almost certainly knew our patterns of work / school and when the house was empty. We got broken into during the late afternoon rather than nighttime. My neighbour works from home and his office overlooks our house. Still didn't put them off.

      Everyone I have spoken to said the same thing, an alarm will increase the chances of them just moving onto somebody else and sorry neighbours but that is what you want. CID said in over 500 cases he had dealt with, only a handful had an armed alarm. There is little doubt they do work.

      In terms of notifying people, the bell unit is effective. not because your neighbours may poke their head round the corner (ours probably would) but because burglaries know that the chances are that somebody has been remotely notified. That gives them a few minutes to get in and out and less chance of finding 'the good stuff'. Saying that, according to my neighbours CCTV my place was turned over in less that 10 minutes by a gang of 4, including going into the loft.

      Anyway, if it takes say 2 minutes to notify you via cloud app or text or whatever, then another 2 to check your internal CCTV and then a couple more to call the police (avg 10 minute response time) or a neighbour (I don't want my neighbour to risk their safety to confront some tooled up twats who are trying to get away) and time for them to respond they will have been in and out by then.

      In all this, its no surprise that alarms are vulnerable. Software doesn't make money and who questions how secure their systems are as long as the function work, even security companies who sell this stuff for a living don't.

      1. StatsBoy

        Re: That implies targeted burglary

        So you are of Indian heritage?

        For some reason, the theiving gangs around here think Indian households all have mini Fort Knoxes in the basement....

  6. John Smith 19 Gold badge
    Unhappy

    Todays "smart burglar" is tomorrows script kiddie.

    BTW how many of these devices are wireless? I can see a stack of these burning through batteries, unless they've been tuned to run a very lightweight protocol stack.

    Technically monitored alarms are meant to have a 2 sensor system, perimeter and interior. Tripping the perimeter indicates possible entry, tripping an interior confirms a real alarm.

  7. Adam 1

    stop the press

    Wait. Are you saying some IoT tat is full of security vulnerabilities and the vendor doesn't respond until the tenth of never?

    Quelle horreur!

  8. allthecoolshortnamesweretaken

    Think about it from the other end (Computer Aided Burglary) and things start looking good.

    1. John Smith 19 Gold badge
      Unhappy

      "Think about it from the other end (Computer Aided Burglary) "

      Oh year, the future for CAB is bright.

      Yeay for that.

  9. Anonymous South African Coward Bronze badge

    IoT giefs opportoonity to smart burglary types.

    Dumb ones get caught whilst blagging other people's stuff.

  10. Anonymous South African Coward Bronze badge

    Is a Speccy secure enough to act as alarm controller? :D

    1. Captain Badmouth

      Is Clippy secure enough to act as alarm controller?

      I see you're trying to burgle this house, would you like some help with that?

      I could open some ports for you...

  11. Stevie

    Bah!

    I'm shocked by this unexpected development!

  12. Steve Aubrey
    Joke

    Move along

    Nothing to see here.

    ". . . the list of vulnerabilities includes issues with SSL certificate validation, authentication errors, an access control blunder, and a denial of service."

    If you ignore those, are blind in one eye, and can't see out of the other, it ain't half bad!

  13. herman

    So, I take it that these iSmart assess are not?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon