Digital gadgets often make security alarm systems vulnerable
Sharman Santosh, cyber security expert at Kiwa
An alarm system used by many thousands of people across Europe can be remotely disabled by criminals. This was shown by research by the Dutch television news program RTL Nieuws. The leak can also be used to turn the alarm siren on or off, or to watch the feeds of the security cameras.
The research by RTL Nieuws shows once again that, in the case of modern alarm systems, general security and cyber security can no longer be considered in isolation. Before an alarm system is brought to market, it is tested against, among other things, safety standards such as NEN-EN 50131-1, which contains system requirements for intrusion and hold-up systems. Manufacturers have their products tested according to these standards to demonstrate that they function properly. For example, it must not be possible to cut the wires of the system without triggering an alarm.
The system investigated by RTL Nieuws contains quite a few state-of-the-art digital features. They are very useful in themselves: they allow you, for example, to operate the system remotely or to view camera images. But to make this functionality possible, the system must be connected to the internet, and that entails security risks. It requires a delicate interplay of servers, mobile apps, users, installers and so on, which together form a chain whose links often run criss-cross.
In this complex chain of parts (see the image below) there is a risk that things go wrong because nobody has the overview. Together with the dynamics that go hand in hand with the digital techniques at the ‘core’ of such systems, this creates a potentially perfect breeding ground for data leaks, privacy incidents and hacks. Especially when you consider that, in addition to the complex digital chain, there is the continuous challenge of properly coordinating everything concerning general safety.
At Kiwa we are convinced of the necessity of a chain approach to cyber security. This means looking at each of the essential parts of the chain. Every part has its own role to play and thus influences the overall security of a product or system. In the case of the alarm system investigated by RTL Nieuws, the remote access part of the system was not properly configured, enabling malicious parties to take over control from a distance.
Remote access is an important aspect of many IoT and smart home devices: you can control just about anything via an app. To assess whether the remote access functionality of a system (not only an alarm system) is properly set up, Kiwa developed the assessment guideline K21048: Secure Remote Access for Remote Services (RARS). The RARS scheme contains requirements for, among other things:
- The security of the mobile and/or web application;
- Access levels;
- Encryption of connections;
- The development process of a remotely accessible system;
- The manufacturer's quality system.
By having all the important parts of the chain tested according to the RARS scheme, manufacturers of remotely controlled, internet-connected systems can be assured that the chain of their product is fundamentally cyber-secure. In the image below, we have indicated for a ‘smart lighting’ system which part of the chain is covered by the RARS scheme.
Cyber security requires continuous and relentless effort. Manufacturers can take an important first step by structurally giving cyber security the same priority as, for example, the functional safety of their product. This can be done through vulnerability assessments, penetration testing or bug bounty hunting. Kiwa can help with this as well.
Cyber security should be an integral topic in the risk analysis and development phase of a product. And once the product has been developed, it is crucial to test its cyber security in a way that is proportionate to the risks of the product before it hits the market. Unfortunately, we are never completely cyber-secure, but we can - and must - make it as difficult as possible for malicious parties.