

MikeAqua



#214799 29-May-2017 14:20

Looking at home alarm systems ... a lot of them have the option to connect an app that allows status to be monitored and changed via the internet.

 

I have two questions really: -

 

- How does the app get past the router to communicate with the alarm ?

 

- How vulnerable are these systems to hacking - I'm more concerned about someone using them as way into the network at home rather than the vulnerability of the alarm system itself. 

 

 





Mike


t0ny

  #1791122 29-May-2017 14:38

If I recall correctly, my alarm system connects to a server (hosted by the alarm company) and opens up a socket. From there onwards, it talks bidirectionally on that socket. If someone hacks the alarm company's servers, there is possibly a way for them to take over my network, or someone can hijack the DNS and route that connection elsewhere.

 

So yes, there's always a risk, but you put your alarm system on a separate network so it cannot access anything else.
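
The mechanism described in the post above, as an added example that is not part of the original thread and not any vendor's code: the panel dials out to a relay and commands come back down that same connection, so the router needs no forwarded port. The relay, the panel name `panel-1` and the `REGISTER`/`ARM`/`STATUS` messages are constructed for illustration, and everything runs on loopback.

```python
import socket
import threading

def relay(listener, registered):
    """Constructed stand-in for the vendor's server: panel and app both dial in."""
    panel, _ = listener.accept()               # the panel's outbound connection
    with panel, panel.makefile("r") as panel_in:
        panel_in.readline()                    # "REGISTER panel-1"
        registered.set()
        app, _ = listener.accept()             # the phone app, from any network
        with app, app.makefile("r") as app_in:
            command = app_in.readline()
            panel.sendall(command.encode())    # pushed down the panel's own socket
            app.sendall(panel_in.readline().encode())
    listener.close()

def panel(addr, state):
    """Alarm panel behind NAT: it never listens, it only connects out."""
    with socket.create_connection(addr) as s, s.makefile("r") as rf:
        s.sendall(b"REGISTER panel-1\n")
        for line in rf:                        # commands ride the return path
            if line.strip() == "ARM":
                state["armed"] = True
            s.sendall(f"STATUS armed={state['armed']}\n".encode())

def app_request(addr, command):
    """Phone app: also a plain outbound connection to the relay."""
    with socket.create_connection(addr) as s, s.makefile("r") as rf:
        s.sendall(command.encode() + b"\n")
        return rf.readline().strip()

def demo():
    listener = socket.create_server(("127.0.0.1", 0))   # loopback, ephemeral port
    addr = listener.getsockname()
    state, registered = {"armed": False}, threading.Event()
    workers = [threading.Thread(target=relay, args=(listener, registered), daemon=True),
               threading.Thread(target=panel, args=(addr, state), daemon=True)]
    for w in workers:
        w.start()
    registered.wait(timeout=5)                 # panel must be connected first
    reply = app_request(addr, "ARM")
    for w in workers:
        w.join(timeout=5)
    return reply, state

if __name__ == "__main__":
    print(demo())
```

The panel acts on whatever arrives on that connection, which is why the relay itself and the name the panel resolves to reach it are the points of trust the post mentions.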




michaelmurfy

  #1791124 29-May-2017 14:41

Often they'll ask you to forward a port which is very insecure - some of the better alarm systems don't require this.

 

Best ask your installer. If they say you must forward a port then it is insecure and should be avoided (or just used on the local network only - eg used when connected to WiFi).





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


MikeAqua



  #1791193 29-May-2017 16:11

michaelmurfy:

 

Often they'll ask you to forward a port which is very insecure - some of the better alarm systems don't require this.

 

Best ask your installer. If they say you must forward a port then it is insecure and should be avoided (or just used on the local network only - eg used when connected to WiFi).

 

 

No forwarding required. The app doesn't need router credentials or anything like that so it must be via a server as suggested.





Mike




MikeAqua



  #1791195 29-May-2017 16:13

t0ny:

 

So yes, there's always a risk, but you put your alarm system on a separate network so it cannot access anything else.

 

 

 

 

How do I do that? I only have one network cable from the ONT to the router ...

 

Do I need another cable from the ONT to a separate router?

 

 





Mike


antoniosk

  #1791238 29-May-2017 17:01

MikeAqua:

 

t0ny:

 

So yes, there's always a risk, but you put your alarm system on a separate network so it cannot access anything else.

 

 

 

 

How do I do that? I only have one network cable from the ONT to the router ...

 

Do I need another cable from the ONT to a separate router?

 

 

 

 

And here is the issue I have with recommendations like this. You as the end user are suddenly put into the position of having to understand - and get working - dmz's, port locking, vlans and other various tricks to make this work happen. You are also straight past the point of consumer grade equipment into something better.

 

 

 

The alternative of course is dial-up or gsm - ugly, but I'm sure Mr Biddle will get on here and confirm dial-up over IP is a beautiful thing these days and works fine.





________

 

Antoniosk


neb


  #1791264 29-May-2017 17:48

MikeAqua:

- How vulnerable are these systems to hacking - I'm more concerned about someone using them as way into the network at home rather than the vulnerability of the alarm system itself. 

 

 

When they've been examined by security people they've typically been found to be really bad. That is, by IoS standards they're what passes for normal, but bad by any actual IT security measure. The way to deal with them is to access them over an OpenVPN tunnel, then it doesn't matter how crap, or more accurately absent, the security is.

 
 
 

jpoc


  #1791371 29-May-2017 20:18

MikeAqua:

 

t0ny:

 

So yes, there's always a risk, but you put your alarm system on a separate network so it cannot access anything else.

 

 

 

 

How do I do that? I only have one network cable from the ONT to the router ...

 

Do I need another cable from the ONT to a separate router?

 

 

 

 

You could try something like this:

 

https://www.amazon.com/Zyxel-Generation-Firewall-Gigabit-USG20-VPN/dp/B01E1DSKUS/ref=sr_1_5?ie=UTF8&qid=1496045454&sr=8-5&keywords=zyxel+dmz

 

You can plug the wan port into your router and then you have 4 configurable ports. Set one up as a dmz and put your security system on there. Nothing on that sub-network can see anything that is connected to any of the other ports so you are secure.

 

It is not that expensive and it is pretty easy to set up and maintain.


neb


  #1791372 29-May-2017 20:22

jpoc:

You could try something like this:

 

https://www.amazon.com/Zyxel-Generation-Firewall-Gigabit-USG20-VPN/dp/B01E1DSKUS/ref=sr_1_5?ie=UTF8&qid=1496045454&sr=8-5&keywords=zyxel+dmz

 

You can plug the wan port into your router and then you have 4 configurable ports. Set one up as a dmz and put your security system on there. Nothing on that sub-network can see anything that is connected to any of the other ports so you are secure.

 

It is not that expensive and it is pretty easy to set up and maintain.

 

 

If you're going to go the hardware route you could also get an Alix APU and run pfSense on it. That's how the OpenVPN tunnel setup I mentioned works.

Aredwood


  #1791429 29-May-2017 22:46

A GSM based alarm monitoring system is definitely better from the point of view that it doesn't need to connect to any part of your network. So if your network or alarm gets compromised, the other can't get compromised as well.

 

Another way, if the App can work locally via Wifi, is to set up a spare router to connect to the alarm and provide a 2nd Wifi network. But don't connect that router to the internet. You would then connect your phone to the 2nd Wifi just to manage the alarm. Only some phones try to ping a server somewhere when they connect to wifi, and often won't say connected to networks that don't have internet access available.






MikeAqua



  #1791532 30-May-2017 09:28

Aredwood:

 

A GSM based alarm monitoring system is definitely better from the point of view that it doesn't need to connect to any part of your network. So if your network or alarm gets compromised, the other can't get compromised as well.

 

Another way, if the App can work locally via Wifi, is to set up a spare router to connect to the alarm and provide a 2nd Wifi network. But don't connect that router to the internet. You would then connect your phone to the 2nd Wifi just to manage the alarm. Only some phones try to ping a server somewhere when they connect to wifi, and often won't say connected to networks that don't have internet access available.

 

 

Thanks I'll look into GSM.  App needs to work over the internet as one of the advantages is being able to check if it's armed, which zone etc and is the garage door closed.

 

These features are important for the person in the house who I will not name who typically ponders these questions 20 minutes after we leave home.

 

I'll also read up on the various network acronyms used in other posts and see what I can learn there. No harm in up-skilling provided I can do it well enough to be confident what I set up is actually secure.





Mike

