An Internet of Things-based ‘smart’ alarm dubbed iSmartAlarm has several vulnerabilities that could help criminals to set up a cyber-assisted burglary.
Ilia Shnaidman, head of security research at BullGuard, a cybersecurity company, said that he wanted to test internet-connected alarm systems, and came across a company called iSmartAlarm that had a number of online reviews and had quite a large market share.
The company is a leading IoT manufacturer in the smart alarm space – providing an alarm with sirens, smart cameras and locks. Unlike traditional alarms, it is connected to the internet, meaning alerts can be sent to homeowners’ phones and they can control the alarm via the mobile app from wherever they are.
However, Shnaidman said that the alarm had multiple flaws, and was an example of a poorly engineered device that offered attackers an easy target. In fact, the flaws can even lead to full device compromise.
“An unauthenticated attacker can persistently compromise the iSmartAlarm by employing a number of different methods leading to full loss of functionality, integrity and reliability, depending on the actions taken by the attacker,” he said.
“For example, an attacker can gain access to the entire iSmartAlarm customer base, its users’ private data, its users’ home address, alarm disarming and ‘welcome to my home sign’,” he added.
One of the many vulnerabilities concerned certificate validation: the iSmartAlarm cube communicates with the iSmartAlarm backend, but it does not validate the authenticity of the SSL certificate presented by the server during the initial SSL ‘handshake’. Shnaidman forged a self-signed certificate and could see and control the traffic to and from the backend.
However, he wanted to go a step further and control anyone’s alarm system remotely without the app.
The iSmartAlarm app works in two modes: one when the cube and the app are on the same local network, and the other when they are on different networks. While examining the first mode, Shnaidman was able to sniff the encrypted traffic between the cube and the app on TCP port 12345.
As the cube and the app communicate directly over the LAN, he was able to stop the cube from running.
“While running a denial of service (DoS) attack on the cube, the legitimate user loses control over the alarm system, and he or she is not capable of operating it either remotely or locally,” he said.
Finally, Shnaidman found the encryption key for the device, and explained that anyone with it “can do whatever [they] want with the alarm.”
“[A black hat burglar] can gain full control of any iSmartAlarm cube and also retrieve all of their customers’ private data, including their home address – creating a perfect scenario for cyber-assisted crime,” he said.