CARDIOID

Security. Expectations and Reality.

Peace signs in photos enable theft of fingerprints
Potentially dangerous selfie pose: Japanese researchers have succeeded in reconstructing fingerprints from a photo of the popular "peace sign".
As reported in the 'Japan Times', 'SWR 3' and 'Next Shark', Japanese researchers at Japan's National Institute of Informatics (NII) see a danger in the well-known "peace sign" (or victory sign) pose, which is popular all over the world.
According to NII researcher Isao Echizen, the team succeeded in reconstructing fingerprints from photos taken from a distance of a good 3 meters.
The topic is by no means new.
As early as 2013, team 'Star Bug' succeeded in fooling the fingerprint scanner of an iPhone:
Better technology, far-reaching networking
Our smartphones keep getting better, and most photos are passed on digitally. Should we do without the peace sign in the future?
“Just by casually making a peace sign in front of a camera, fingerprints can become widely available,”
Echizen told the Sankei Shimbun newspaper.
“Fingerprint data can be recreated if fingerprints are in focus with strong lighting in a picture,”
A solution to this problem is being worked on. New techniques are intended to prevent such sensitive data from being extracted from photos. Until then, however, it may still take years.
Fingerprint, Irisscan, Face-Recognition and Hand Vein - hacked
Biometric Vein Recognition under Attack
Vein recognition is a biometric that has traditionally been seen as difficult to hack or spoof, as the biometric patterns created by the vein structure in a person’s finger are hidden from view. However, Swiss researchers have now found a way to spoof a vein recognition device, albeit not a commercial sensor by one of the main manufacturers of such technology – predominantly Hitachi and Fujitsu. The attack was performed by the biometrics group at the Idiap Research Institute in Switzerland, while the finger vein device is an open sensor provided by the University of Twente. Please see below a video of how the team beat the sensor using some image processing techniques, a thick piece of paper, a paper clip, pair of scissors and a marker pen. - Source: https://www.tabularasa-euproject.org/news/biometric-vein-recognition-under-attack

TABULA RASA is a project funded by the European Commission, under the Seventh Framework Programme
The TABULA RASA project will address some of the issues of direct (spoofing) attacks to trusted biometric systems. This is an issue that needs to be addressed urgently because it has recently been shown that conventional biometric techniques, such as fingerprints and face, are vulnerable to direct (spoof) attacks.
Former News
Director of National Intelligence: Use IoT for identification, surveillance, monitoring, location tracking or to gain access to networks or user credentials
The Internet of Things is one of the biggest trends of the near future. But smart devices tethered to the Internet make not only everyday life easier but also surveillance, said the US Director of National Intelligence.

The US Director of National Intelligence has admitted before the US Senate that intelligence services could in future use the Internet of Things (IoT) for their work.
In a hearing, James Clapper stated that the services might be able to use smart devices for "identification, monitoring, location determination, targeting for recruitment or network access". At the same time, he pointed out that smart devices with an Internet connection in the power grid, in autonomous cars or in apartments pose a threat to privacy and security.

With this brief statement, made in the context of his remarks on current dangers in the world, Clapper highlighted how ambivalent the work of the US intelligence services is. On the one hand, it is a task of the NSA to ensure the IT security of devices, networks and software. On the other hand, the intelligence service is also responsible for surveillance and, to that end, repeatedly attacks information technology in order to gain access to networks. Clapper considers vulnerabilities in the Internet of Things a problem, but NSA attacks could also fail against fully secured devices.

New initiatives for cybersecurity
US President Obama also announced the appointment of the first information security officer on Tuesday. He is to supervise the federal government's efforts to update the information technology in the authorities. At Social Security, for example, there are currently 400 employees whose sole job is to keep the ancient software running. That needs to change. Privacy is also to be improved in cooperation with the private sector. In addition, Obama announced the establishment of a high-level Commission on Cyber Security. It is to develop long-term strategies to counter threats from the IT sector. However, the US Congress still needs to approve the necessary budget. (mho)

Complete Article
heise security (german)

Complete PDF-Document:
“Statement for the Record Worldwide Threat Assessment of the US Intelligence Community”

(Picture: dpa, Britta Pedersen)
Smartphone trojan taps NFC credit card
Pickpocketing in the information age: attackers could remotely abuse all Android smartphones and tablets with NFC to debit money from credit cards.
Pickpockets could now strike even when they are nowhere near their victim. Attackers remotely exploit the near-field communication (NFC) of Android devices to debit money from NFC credit cards. This works via a proxy that controls the illegal transaction from any location. The security researchers Jose Vila and Ricardo J. Rodriguez successfully demonstrated this process in a talk.
According to the researchers, the victim must install a prepared app for the attack to work. Apps containing malicious code are not uncommon and repeatedly sneak into Google Play.
The malware monitors the surroundings via NFC, and as soon as a suitable credit card is nearby, the attacker receives a message on his smartphone. He must then promptly hold his device to a suitable reader and can carry out a transaction. The compromised phone works as a proxy and transmits the data required for the attack to the attacker.
As a rule, however, attackers in this country could steal only small amounts of up to 25 euros because of a limit on contactless payment.
The victim's device does not have to be rooted for a successful NFC attack, the security researchers explain. By their own account, they successfully carried out the process in their presentation with a Nexus 5, Sony Xperia S, Nexus 4 and Galaxy Nexus. So far, no attacks of this kind are known to have occurred in the wild. (des)
32C3: Encryption of common RFID locking systems hacked
RFID transponder cards used for electronic access control can often be cloned "trivially easily", according to security experts.
Bad news for those who want to replace their traditional home or office keys with a smart card, or have already done so: the RFID transponders belonging to the relevant electronic locking systems can in some cases be cloned "trivially easily". Ralf Spenneberg, head of the company Open Source Training, explained this on Monday at the 32nd Chaos Communication Congress in Hamburg.
Spenneberg and his colleague Oguzhan Cicek focused, together with the company Open Source Security Analysis, on the Hitag-S transponder of the Dutch semiconductor company NXP. It transmits on the short wave frequency 125 kHz and uses a 48-bit key and a 24-bit password. It uses an undocumented encryption method that was deemed unbroken and therefore "safe", said Spenneberg. Other ciphers from the same transponder family, however, had already been cracked, including "Hitag 2".

Analysis
According to Spenneberg, electronic locking systems partly operate online, meaning that locking permissions are stored centrally. Typically, only the identification number of the transponder is read. Once you can emulate this number, you have a clone of the key. But there are also cases in which authentication is performed, which makes things a bit more difficult. In the offline variant, the access permission is stored on the transponder itself, Spenneberg said: "If I can read or write it, I am able to change the permissions." Manufacturers of locking systems often commit "blunders" already at this point. With Hitag S, authentication is added in this variant. Nevertheless, it is often possible to produce a duplicate key "in passing" when the transponder is kept unprotected in a pocket. On public transport, for example, the "man with the backpack" could read the supposed secrets from a distance of about 30 centimeters.

Attack
For an "analytical attack" you have to listen in on the authentication processes or the communication exchange, say the experts. Specifically, the team took a close look at the command interface for the coprocessor. No commands specific to Hitag S for storing data in EEPROM were discovered. So it seemed obvious to attack the encryption method in a similar way to what had already been done with Hitag 2.
Using reverse engineering, other common attack vectors such as replay and brute-force attacks, and the RFID test tool Proxmark3, the researchers attacked the cipher directly. A design error and the relatively short key length made the analysis extremely easy, Cicek stated. The team also took advantage of the satisfiability problem of propositional logic and was able to construct a corresponding formula. At the end of the day, the Hitag S was completely read out and emulated. With a refined method, it ultimately took only five minutes to clone the transponder. Under certain circumstances, it is thus possible to expand the locking authorization from "trainee" to "boss".

The actual situation
According to Spenneberg, other transponders in the lower frequency ranges have either already been broken or use methods that are just as easy to crack. But even among the RFID solutions that work in higher frequency ranges, there are systems that have been broken for a long time, such as Mifare Classic or Legic Prime. According to Spenneberg, the affected locking systems include Winkhaus Blue Smart, Abus Seccor Codeloxx-L, Bosch Pegasys terminal and Uhlmann & Zacher Clex Prime. He announced that his company would publish a corresponding security warning around New Year.
Some manufacturers responded to the findings by saying that the examined methods no longer correspond to the state of the art. They also said they had never claimed that the RFID systems were "safe", but had marketed them only as "control or organizational systems". Tough luck for users in large private office complexes, hospitals and authorities, which often have a large number of locks. NXP was also contacted several months ago. The company then informed its customers internally.
(nij)
“Gone in 60 seconds - the high-tech version” - Volume 1
Technology is supposed to make cars safe and convenient, right from the moment you get in: the comfort key stays in your pocket while you open the door and start the engine. Unfortunately, these locking systems also make it convenient to steal the vehicles.
The two neighbors, who live in Wöllstein in Rheinhessen, were astonished when they wanted to drive off in their BMW 5 Series cars one morning at the end of August: both vehicles had disappeared overnight. No traces such as shattered window glass had been left behind.
The victims had ordered the same optional extra when buying their cars: Comfort Access (Komfortzugang), BMW's variant of the keyless locking system. The police assume that the perpetrators outwitted this system and were thus able to steal the vehicles without leaving any traces.

Read the full article in the current issue of c't 26/2015, p. 80
“Gone in 60 seconds - the high-tech version” - Volume 2
Let's say you just bought a Mercedes S550--a state-of-the-art, high-tech vehicle with an antitheft keyless ignition system.
After you pull into a Starbucks to celebrate with a grande latte and a scone, a man in a T-shirt and jeans with a laptop sits next to you and starts up a friendly conversation: "Is that the S550? How do you like it so far?" Eager to share, you converse for a few minutes, then the man thanks you and is gone. A moment later, you look up to discover your new Mercedes is gone as well.
Now, decrypting one 40-bit code sequence can not only disengage the security system and unlock the doors, it can also start the car--making the hack tempting for thieves. The owner of the code is now the true owner of the car. And while high-end, high-tech auto thefts like this are more common in Europe today, they will soon start happening in America. The sad thing is that manufacturers of keyless devices don't seem to care.
Wireless or contactless devices in cars are not new. Remote keyless entry systems--those black fobs we all have dangling next to our car keys--have been around for years. While the owner is still a few feet away from a car, the fobs can disengage the auto alarm and unlock the doors; they can even activate the car's panic alarm in an emergency.
First introduced in the 1980s, modern remote keyless entry systems use a circuit board, a coded radio-frequency identification (RFID) technology chip, a battery and a small antenna. The last two are designed so that the fob can broadcast to a car while it's still several feet away.

The RFID chip in the key fob contains a select set of codes designed to work with a given car. These codes are rolling 40-bit strings: With each use, the code changes slightly, creating about 1 trillion possible combinations in total. When you push the unlock button, the keyfob sends a 40-bit code, along with an instruction to unlock the car doors. If the synced-up receiver gets the 40-bit code it is expecting, the vehicle performs the instruction. If not, the car does not respond.
A second antitheft use of RFID is for remote vehicle immobilizers. These tiny chips, embedded inside the plastic head of the ignition keys, are used with more than 150 million vehicles today. Improper use prevents the car's fuel pump from operating correctly. Unless the driver has the correct key chip installed, the car will run out of fuel a few blocks from the attempted theft. (That's why valet keys don't have the chips installed; valets need to drive the car only short distances.)
One estimate suggests that since their introduction in the late 1990s, vehicle immobilizers have resulted in a 90 percent decrease in auto thefts nationwide.

But can this system be defeated? Yes.

Keyless ignition systems allow you the convenience of starting your car with the touch of a button, without removing the chip from your pocket or purse or backpack. Like vehicle immobilizers, keyless ignition systems work only in the presence of the proper chip. Unlike remote keyless entry systems, they are passive, don't require a battery and have much shorter ranges (usually six feet or less). And instead of sending a signal, they rely on a signal being emitted from the car itself.
Given that the car is more or less broadcasting its code and looking for a response, it seems possible that a thief could try different codes and see what the responses are. Last fall, the authors of a study from Johns Hopkins University and the security company RSA carried out an experiment using a laptop equipped with a microreader. They were able to capture and decrypt the code sequence, then disengage the alarm and unlock and start a 2005 Ford Escape SUV without the key. They even provided an online video of their "car theft."
But if you think that such a hack might occur only in a pristine academic environment, with the right equipment, you're wrong.

Real-world examples

Meet Radko Soucek, a 32-year-old car thief from the Czech Republic. He's alleged to have stolen several expensive cars in and around Prague using a laptop and a reader. Soucek is not new to auto theft--he has been stealing cars since he was 11 years old. But he recently turned high-tech when he realized how easily it could be done.
Ironically, what led to his downfall was his own laptop, which held evidence of all his past encryption attempts. With a database of successful encryption strings already stored on his hard drive, he had the ability to crack cars he'd never seen before in a relatively short amount of time.
And Soucek isn't an isolated example. Recently, soccer player David Beckham had not one, but two, custom-designed antitheft-engineered BMW X5 SUVs stolen. The most recent theft occurred in Madrid, Spain. Police believe an auto theft gang using software instead of hardware pinched both of Beckham's BMWs.
How a keyless car gets stolen isn't exactly a state secret--much of the required knowledge is Basic Encryption 101. The authors of the Johns Hopkins/RSA study needed only to capture two challenge-and-response pairs from their intended target before cracking the encryption.
In an example from the paper, they wanted to see if they could swipe the passive code off the keyless ignition device itself. To do so, the authors simulated a car's ignition system (the RFID reader) on a laptop. By sitting close to someone with a keyless ignition device in his pocket, the authors were able to perform several scans in less than one second without the victim knowing. They then began decrypting the sampled challenge-response pairs. Using brute-force attack techniques, the researchers had the laptop try different combinations of symbols until they found combinations that matched. Once they had the matching codes, they could then predict the sequence and were soon able to gain entrance to the target car and start it.
In the case of Beckham, police think the criminals waited until he left his car, then proceeded to use a brute-force attack until the car was disarmed, unlocked and stolen.

Hear no evil, speak no evil

The authors of the Johns Hopkins/RSA study suggest that the RFID industry move away from the relatively simple 40-bit encryption technology now in use and adopt a more established encryption standard, such as the 128-bit Advanced Encryption Standard (AES). The longer the encryption code, the harder it is to crack.
The authors concede that this change would require a higher power consumption and therefore might be harder to implement; and it wouldn't be backward-compatible with all the 40-bit ignition systems already available.
The authors also suggest that car owners wrap their keyless ignition fobs in tin foil when not in use to prevent active scanning attacks, and that automobile manufacturers place a protective cylinder around the ignition slot. This latter step would limit the RFID broadcast range and make it harder for someone outside the car to eavesdrop on the code sequence.
Unfortunately, the companies making RFID systems for cars don't think there's a problem. The 17th annual CardTechSecureTech conference took place this past week in San Francisco, and CNET News.com had an opportunity to talk with a handful of RFID vendors. None wanted to be quoted, nor would any talk about 128-bit AES encryption replacing the current 40-bit code anytime soon. Few were familiar with the Johns Hopkins/RSA study we cited, and even fewer knew about keyless ignition cars being stolen in Europe.
Even Consumer Reports acknowledges that keyless ignition systems might not be secure enough for prime time, yet the RFID industry adamantly continues to whistle its happy little tune. Until changes are made in the keyless systems, any car we buy will definitely have an ignition key that can't be copied by a laptop.
http://www.cnet.com/news/gone-in-60-seconds-the-high-tech-version/
How secure is your Smarthome? Volume 1
What’s your password? - Social Engineering
ePayment - or would you trust your glove?
The alternative to the proverbial generous trousers: the British Barclays Bank, together with a fashion label, presents a jacket with an integrated chip for NFC payments.
The British fashion company Lyle & Scott, together with Barclays Bank, has presented a jacket that can also be used for contactless payment: a chip for NFC payments is integrated into the right cuff, and the payments are settled via Barclays Bank's system called bpay. According to Barclays Bank, this should allow payments at 300,000 acceptance points in Great Britain so far. The payment limit is 30 British pounds per transaction; users only have to hold the sleeve close to the terminal. The prerequisite is a credit or debit card issued in Great Britain that is linked to a bpay account. Money must then be transferred via an app or online platform to the virtual bpay wallet, which is debited for payments made with the wearable.

Paying with wristband, key fob and glove
The jacket is to be available in the fashion brand's London flagship store and in its online shop for 150 British pounds. Barclays Bank presented its system called bpay last year and is experimenting with various wearable forms intended to integrate contactless payment into everyday life. In June, a wristband, a key fob and a sticker, for example for smartphones without NFC, were presented. Last winter, a payment glove was shown. Contactless payment is generally more popular in Great Britain than in Germany: in 2014, 2.32 billion pounds were paid contactlessly in the island kingdom, as the local industry association UK Cards Association reported, and in the first half of 2015 alone it was already 2.5 billion pounds. In response to the apparently rising popularity, the association only recently raised the general limit per contactless transaction from 20 to 30 pounds.

The problem
How do mobile phones and wearables (wristband, glove, key fob, sticker etc.) know who is paying? Whom they belong to? Who is using them? Who is liable in case of misuse?
How secure is your Smarthome? Volume 2
300,000 American Homes Open To Hacks Of 'Unfixable' SimpliSafe Alarm

“There is something terribly wrong with the alarm industry.” Thus reads marketing material on the site of SimpliSafe, a Boston-based “smart” alarm provider with more than 300,000 customers in the US. It’s been on a mission to improve home security since it formed in 2006 by using cellular technology to warn customers via their smartphone if someone has broken in, whilst allowing them to control alarms from afar.
SimpliSafe, which received a $57 million investment from Sequoia in 2014, is not wrong about the industry. But like a growing number of alarm companies claiming their Internet-connected system provides better security than traditional services, SimpliSafe is actually leaving houses open to burglars with rudimentary hacking skills, researchers have told FORBES.
Anyone who can locate a SimpliSafe owner can use basic hardware and software, bought for between $50 and $250, to harvest customer PINs and turn alarms off at a distance of up to 200 yards away, said Dr Andrew Zonenberg, senior security consultant at IOActive. SimpliSafe has also installed a one-time programmable chip in its alarm, meaning there’s no chance of an over-the-air update. It means there’s no patch coming, leaving all owners without a remedy other than to stop using the equipment, Zonenberg said.
Such weaknesses, and more severe ones, have been found across the home and business alarm industry. In a separate FORBES story released today, your reporter found it was easy to hack into an alarm system in San Francisco, all via a browser and armed with easily-guessable passwords. The access, which was attained with permission from the owner, allowed your reporter to unlock doors, turn off alarms and access the CCTV controls of the affected building from more than 5,000 miles away in London, though he didn’t go that far.

Read more: Exposing ‘Smart’ Security: I Hacked Someone’s Alarm From 5,000 Miles Away
The SimpliSafe flaw
With the well-reviewed SimpliSafe alarm system, attacks need to be carried out in the vicinity of a device, as explained in a technical blog from IOActive shown to FORBES ahead of publication. The hack, as demonstrated in a video by Zonenberg, starts by intercepting the signals that turn alarms on and off. Those signals pass between the portable keypad and the base station within the house.
Zonenberg used a separate SimpliSafe system, disconnecting the main processors and hooking up his own microcontroller to the device radios. His code, written in the C language, would listen to incoming 433 MHz radio traffic and pick out a SimpliSafe “PIN entered” data packet. An LED would light up every time a PIN had been recorded. All he had to do then was press a button to replay the PIN signal and the alarm could be disarmed.
An attacker would have to pay at least $250 for their own SimpliSafe system to carry out this attack. But Zonenberg and IOActive head of research Cesar Cerrudo told FORBES an attack of this calibre could be carried out using a software defined radio and related hardware that could be bought for under $50. Just a few hours’ work would be required.
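The replay described above works because the "PIN entered" packet is identical every time and carries no proof of freshness. The following added example (not from the article, IOActive or SimpliSafe) contrasts such a static packet with an authenticated, counter-bound one, the same idea as the rolling codes described for car key fobs earlier on this page; the packet layout, the pre-shared pairing key and all names are assumptions.

```python
import hashlib
import hmac
import struct

CMD_DISARM = 0x01                  # hypothetical command byte
TAG_LEN = 8                        # truncated HMAC-SHA256 tag, in bytes
HEADER = struct.Struct(">BI")      # command (1 byte) + counter (4 bytes)


def static_packet(pin: str) -> bytes:
    """Constructed stand-in for an unauthenticated 'PIN entered' packet."""
    return b"PIN:" + pin.encode()


class StaticBase:
    """Base station that trusts any packet carrying the right PIN bytes."""

    def __init__(self, pin: str):
        self.pin = pin

    def handle(self, packet: bytes) -> bool:
        return packet == static_packet(self.pin)


def _tag(key: bytes, header: bytes, pin: str) -> bytes:
    # The PIN is mixed into the MAC and is never sent over the air.
    return hmac.new(key, header + pin.encode(), hashlib.sha256).digest()[:TAG_LEN]


class Keypad:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def disarm_packet(self, pin: str) -> bytes:
        self.counter += 1                      # never reused for this key
        header = HEADER.pack(CMD_DISARM, self.counter)
        return header + _tag(self.key, header, pin)


class AuthenticatedBase:
    def __init__(self, key: bytes, pin: str, window: int = 16):
        self.key, self.pin, self.window = key, pin, window
        self.last_counter = 0

    def handle(self, packet: bytes) -> bool:
        if len(packet) != HEADER.size + TAG_LEN:
            return False
        header, tag = packet[:HEADER.size], packet[HEADER.size:]
        cmd, counter = HEADER.unpack(header)
        if cmd != CMD_DISARM:
            return False
        if not hmac.compare_digest(tag, _tag(self.key, header, self.pin)):
            return False                       # wrong key, wrong PIN or tampered
        # Accept only counters ahead of the last accepted one; the window
        # tolerates key presses the base station never received.
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False
        self.last_counter = counter
        return True


def run_demo() -> dict:
    key = bytes(range(16))                     # constructed pairing key
    pin = "4821"                               # constructed PIN
    results = {}

    legacy = StaticBase(pin)
    captured = static_packet(pin)              # what a passive listener records
    results["static_first"] = legacy.handle(captured)
    results["static_replay"] = legacy.handle(captured)

    keypad, base = Keypad(key), AuthenticatedBase(key, pin)
    first = keypad.disarm_packet(pin)
    results["auth_first"] = base.handle(first)
    results["auth_replay"] = base.handle(first)
    for _ in range(3):                         # presses made out of radio range
        keypad.disarm_packet(pin)
    results["auth_after_missed"] = base.handle(keypad.disarm_packet(pin))
    results["auth_wrong_pin"] = base.handle(keypad.disarm_packet("0000"))
    tampered = bytearray(keypad.disarm_packet(pin))
    tampered[4] ^= 0x01                        # alter the counter, keep the tag
    results["auth_tampered"] = base.handle(bytes(tampered))
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:18} accepted={accepted}")
```

The static base station accepts the recorded packet a second time, while the authenticated one rejects the replay, the wrong PIN and the altered counter but still accepts a fresh packet after missed key presses.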


The attacks are not dissimilar to those demonstrated in 2014 against devices from bigger beasts than SimpliSafe. ADT, this week bought for $7 billion, and Vivint were also caught out using unencrypted signals between the sensors and devices used to manage alarms.
SimpliSafe spokesperson Melina Engel told FORBES that it was planning on releasing hardware with over-the-air firmware updates and that customers would be given a discount on those once they were available. She also pointed out that customers are notified every time someone disarms an alarm, so customers should notice when something was amiss even if not checking logs, whilst PINs could be changed from the SimpliSafe smartphone app.
“The security of our systems is our top priority. We’re working to resolve this concern, which also affects other major home security providers. It’s theoretically possible but highly unlikely, and we’re not aware of it being exploited.
“Our system provides customers notifications of their disarm events, so they could catch the criminal in the act. Also customers can change their passcodes anytime locally or remotely via our webapp; so if this ever did happen, any passcode data collected would be useless in a matter of minutes.
“Unlike with many alarm systems, SimpliSafe customers are protected from many of the more common, low-tech, and easy methods to bypass home security systems, such as cutting the phone line or power to the home.”
It’s unclear just how far away a hacker would have to be to hoover up PIN codes. The SimpliSafe keypad works up to 100 feet, but Zonenberg believes the attack could work up to 100 yards away, even taking into account the disturbances of obstacles and humidity in the transmission of radio waves.
Smart alarm ‘fraud’
Despite the irony of SimpliSafe’s marketing, it’s right: the alarm industry is doing plenty wrong. Alongside the problems identified in Bay Alarm’s products, FORBES is also reporting on unfixed vulnerabilities in Samsung’s SmartThings home security devices and Comcast’s Xfinity service, which was determined vulnerable in January by Boston-based security consultancy Rapid7.
Cerrudo believes the collective failures of the alarm industry amount to a “fraud”. “They are promoting something to secure your home but they’re making your home more vulnerable. That should have repercussions, regulation or something. That’s kind of fraud,” Cerrudo said.
“The impression that I’ve got is that the home security product industry isn’t really actually putting any effort into security, whether it’s because they don’t realise the problem, or they don’t care, is not something I’m going to be able to tell you. It’s not just the SimpliSafe system that’s insecure,” Zonenberg added.
“These people are advertising security products that provide little to no actual security.”
Read more: Samsung Fails To Secure Thousands Of SmartThings Homes From Thieves
Troubles with disclosure
What also became apparent to IOActive and your reporter during our respective research was that disclosing these vulnerabilities to the companies responsible for them was not simple.
SimpliSafe did not have a direct security contact; IOActive decided to reach out to SimpliSafe via LinkedIn messages, the contact form on SimpliSafe’s website and the email listed on its website domain records. SimpliSafe’s spokesperson Engel said the company only saw the emails after FORBES reached out. Bay Alarm was difficult to contact too, with no security or press contacts, which had to be found from an external site by guessing email addresses. And according to the researcher who discovered the Samsung flaws, the firm promised patches that it didn’t deliver.
The myriad weaknesses across smart home devices is only exacerbated by the difficulties associated with warning the companies responsible. And yet it’s the end users who ultimately carry the risk.