

MikeAqua

7773 posts

Uber Geek


#214799 29-May-2017 14:20

Looking at home alarm systems ... a lot of them have the option to connect an app that allows status to be monitored and changed via the internet.

 

I have two questions really: -

 

- How does the app get past the router to communicate with the alarm?

 

- How vulnerable are these systems to hacking - I'm more concerned about someone using them as a way into the network at home rather than the vulnerability of the alarm system itself.

 

 





Mike


t0ny
395 posts

Ultimate Geek

Lifetime subscriber

  #1791122 29-May-2017 14:38

If I recall correctly, my alarm system connects to a server (hosted by the alarm company) and opens up a socket. From there onwards, it talks bidirectionally on that socket. If someone hacks the alarm company's servers, there is possibly a way for them to take over my network or someone can hijack the DNS and route that connection elsewhere.

 

So yes, there's always a risk but you put your alarm system on a separate network so it cannot access anything else.
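The connection pattern described in the post above, as an added example that is not part of the original post or any vendor's code: the panel dials out to a relay, and the relay then pushes a command back down that same socket, so no port forward is needed. The `HELLO`/`STATUS?` messages, the `panel-01` name and the function names are constructed for illustration.

```python
import socket
import threading

ALLOWED = {"STATUS?"}  # constructed protocol: the only command this panel accepts


def relay_server(listener, command, result):
    """Vendor-side relay (hypothetical): waits for the panel to dial in,
    then sends a command over the connection the panel opened."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rw", newline="\n") as f:
        result["hello"] = f.readline().strip()   # panel identifies itself
        f.write(command + "\n")                  # server -> panel on the same socket
        f.flush()
        result["reply"] = f.readline().strip()   # panel -> server


def alarm_panel(server_addr, state):
    """Panel behind the home router: it never listens, it only connects out."""
    with socket.create_connection(server_addr, timeout=5) as s, \
            s.makefile("rw", newline="\n") as f:
        f.write("HELLO panel-01\n")
        f.flush()
        cmd = f.readline().strip()
        # Whatever the relay sends is acted on inside the home network, which
        # is why a compromised relay or hijacked DNS matters: allowlist it.
        f.write(f"STATUS {state}\n" if cmd in ALLOWED else "ERR unknown-command\n")
        f.flush()


def run_demo(command="STATUS?", state="ARMED"):
    """Run relay and panel on localhost; return what the relay saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))   # ephemeral port stands in for the vendor server
    listener.listen(1)
    result = {}
    t = threading.Thread(target=relay_server, args=(listener, command, result))
    t.start()
    alarm_panel(listener.getsockname(), state)
    t.join(timeout=5)
    listener.close()
    return result


if __name__ == "__main__":
    print(run_demo())
```

The router only ever sees an outbound TCP connection from the panel, which is why the app works without router credentials; the trust then sits with the relay server and the name resolution that leads to it.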




michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1791124 29-May-2017 14:41

Often they'll ask you to forward a port which is very insecure - some of the better alarm systems don't require this.

 

Best ask your installer. If they say you must forward a port then it is insecure and should be avoided (or just used on the local network only - eg used when connected to WiFi).





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Opinions are my own and not the views of my employer.


MikeAqua

7773 posts

Uber Geek


  #1791193 29-May-2017 16:11

michaelmurfy:

 

Often they'll ask you to forward a port which is very insecure - some of the better alarm systems don't require this.

 

Best ask your installer. If they say you must forward a port then it is insecure and should be avoided (or just used on the local network only - eg used when connected to WiFi).

 

 

No forwarding required. The app doesn't need router credentials or anything like that so it must be via a server as suggested.





Mike




MikeAqua

7773 posts

Uber Geek


  #1791195 29-May-2017 16:13

t0ny:

 

So yes, there's always a risk but you put your alarm system on a separate network so it cannot access anything else.

 

 

 

 

How do I do that? I only have one network cable from the ONT to the router ..

 

Do I need another cable from the ONT to a separate router?

 

 





Mike


antoniosk
2358 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1791238 29-May-2017 17:01

MikeAqua:

 

t0ny:

 

So yes, there's always a risk but you put your alarm system on a separate network so it cannot access anything else.

 

 

 

 

How do I do that? I only have one network cable from the ONT to the router ..

 

Do I need another cable from the ONT to a separate router?

 

 

 

 

And here is the issue I have with recommendations like this. You as the end user are suddenly put into the position of having to understand - and get working - DMZs, port locking, VLANs and other various tricks to make this work happen. You are also straight past the point of consumer grade equipment into something better.

 

 

 

The alternative of course is dial-up or GSM - ugly, but I'm sure Mr Biddle will get on here and confirm dial-up over IP is a beautiful thing these days and works fine.





________

 

Antoniosk


neb

neb
11294 posts

Uber Geek

Trusted
Lifetime subscriber

  #1791264 29-May-2017 17:48

MikeAqua:

- How vulnerable are these systems to hacking - I'm more concerned about someone using them as a way into the network at home rather than the vulnerability of the alarm system itself.

 

 

When they've been examined by security people they've typically been found to be really bad. That is, by IoS standards they're what passes for normal, but bad by any actual IT security measure. The way to deal with them is to access them over an OpenVPN tunnel, then it doesn't matter how crap, or more accurately absent, the security is.

jpoc
1043 posts

Uber Geek


  #1791371 29-May-2017 20:18

MikeAqua:

 

t0ny:

 

So yes, there's always a risk but you put your alarm system on a separate network so it cannot access anything else.

 

 

 

 

How do I do that? I only have one network cable from the ONT to the router ..

 

Do I need another cable from the ONT to a separate router?

 

 

 

 

You could try something like this:

 

https://www.amazon.com/Zyxel-Generation-Firewall-Gigabit-USG20-VPN/dp/B01E1DSKUS/ref=sr_1_5?ie=UTF8&qid=1496045454&sr=8-5&keywords=zyxel+dmz

 

You can plug the WAN port into your router and then you have 4 configurable ports. Set one up as a DMZ and put your security system on there. Nothing on that sub-network can see anything that is connected to any of the other ports so you are secure.

 

It is not that expensive and it is pretty easy to set up and maintain.


 
 
 


neb

neb
11294 posts

Uber Geek

Trusted
Lifetime subscriber

  #1791372 29-May-2017 20:22

jpoc:

You could try something like this:

 

https://www.amazon.com/Zyxel-Generation-Firewall-Gigabit-USG20-VPN/dp/B01E1DSKUS/ref=sr_1_5?ie=UTF8&qid=1496045454&sr=8-5&keywords=zyxel+dmz

 

You can plug the WAN port into your router and then you have 4 configurable ports. Set one up as a DMZ and put your security system on there. Nothing on that sub-network can see anything that is connected to any of the other ports so you are secure.

 

It is not that expensive and it is pretty easy to set up and maintain.

 

 

If you're going to go the hardware route you could also get an Alix APU and run pfSense on it. That's how the OpenVPN tunnel setup I mentioned works.

Aredwood
3885 posts

Uber Geek


  #1791429 29-May-2017 22:46

A GSM based alarm monitoring system is definitely better from the point of view that it doesn't need to connect to any part of your network. So if your network or alarm gets compromised, the other can't get compromised as well.

 

Another way, if the app can work locally via WiFi, is to set up a spare router to connect to the alarm and provide a 2nd WiFi network. But don't connect that router to the internet. You would then connect your phone to the 2nd WiFi just to manage the alarm. Only some phones try to ping a server somewhere when they connect to WiFi, and often won't say connected to networks that don't have internet access available.






MikeAqua

7773 posts

Uber Geek


  #1791532 30-May-2017 09:28

Aredwood:

 

A GSM based alarm monitoring system is definitely better from the point of view that it doesn't need to connect to any part of your network. So if your network or alarm gets compromised, the other can't get compromised as well.

 

Another way, if the app can work locally via WiFi, is to set up a spare router to connect to the alarm and provide a 2nd WiFi network. But don't connect that router to the internet. You would then connect your phone to the 2nd WiFi just to manage the alarm. Only some phones try to ping a server somewhere when they connect to WiFi, and often won't say connected to networks that don't have internet access available.

 

 

Thanks I'll look into GSM.  App needs to work over the internet as one of the advantages is being able to check if it's armed, which zone etc and is the garage door closed.

 

These features are important for the person in the house who I will not name who typically ponders these questions 20 minutes after we leave home.

 

I'll also read up on the various network acronyms used in other posts and see what I can learn there. No harm in up-skilling provided I can do it well enough to be confident what I set up is actually secure.





Mike

