Technical Manager, Abel Alarm Company Limited

"Coming from a retail management background, I have spent the last 10 years on the front line of operations with Abel Alarm Company Limited. I oversee all technical aspects of our alarm receiving centre; this involves a diverse set of skill requirements, from the implementation of virtualized servers and networks to the deployment of secure remote access tools whilst ensuring the constant availability of all networks, hardware and software and researching new, emerging technology solutions."
June 12, 2013

EN Security Grades: Fundamentally Flawed?

Protecting properties from modern criminals is a complicated challenge. If you are looking to secure your premises, you will first need to have them risk assessed. You may find that your insurance company and the risk assessment performed specify a minimum security grade for the installation.

A quick reminder of the security grades available:

Grade 1: Typically only for low-risk domestic properties
Intruders attacking these installations typically would be opportunist thieves, utilizing tools such as screwdrivers or hammers or anything immediately available. These attacks would be less likely to be pre-planned or specific to the site attacked.

Grade 2: Higher risk domestic or very low-risk commercial properties
Such installations are in most cases protected by a remote monitoring facility and would potentially face attack from more experienced or knowledgeable criminals.
These systems are designed to defeat intruders who may understand some principles of how alarm systems operate and may have access to some basic electronic tools to assist in gaining access undetected.

Grade 3: Higher risk commercial and residential systems
These systems perform more robust checks to ensure that they protect from a potential thief who may be very familiar with intruder alarms and who may carry a broad range of tools and equipment to help carry out a planned attack on a specific premises. At this security grade the attacker could use tools such as a laptop and trade-specific tools.

Grade 4: Very high risk facilities such as military / financial / research sites
At this grade the protection is designed to defend against the highest potential calibre of attacker who may be able to attempt to bypass typical high security systems through the use of sophisticated tools and substitution and may understand reverse engineering and remote and local electronic attacks.

Where is the flaw?
This sounds very thorough and robust, so why then is it potentially flawed?

The core principle behind these grades is the preparedness, capability, and knowledge of a likely offender attacking the property in question. There are very good reasons for this implementation and it has a grounding in common sense and real-world scenarios.

Where it begins to fall over is that while a grade 2 attacker may only understand how to use pretty basic tools, a grade 4 attacker could provide a generic, cheap, and simple-to-use tool that can defeat a grade 3 or 4 installation and requires no previous knowledge, capability or skill to use.

The small, white box with a big red button could carry all of the technology, sophistication, and capability of a grade 4 intrusion while in the hands of grade 2 opportunist thieves.

It could be argued that a Grade 2 thief wouldn’t be so prepared as to buy equipment in advance, but if such equipment were to become commonly available at little cost, then it changes the landscape of the threat immediately.

Security devices are far too often self-certified by manufacturers themselves, meaning that we simply accept their word that devices they provide are secure and free from the type of flaws that could be automatically exploited by this form of reproducible attack.

With an increasing usage of wireless devices, IP/GPRS communicators and remotely accessible interfaces, and a lack of transparency, it is crucial that you ensure that your suppliers’ products and services are independently audited to ensure that they are secure by their design and fit for purpose. Not all encryption is the same; if the device you are using has an easily defeated security encryption, then it is only a matter of time before the inevitable "ACME Alarm Buster 2000" appears on eBay.

Ask your suppliers today for confirmation of third-party certification for their products.

8 Comments
cybergibbons
June 13, 2013 10:26 am

I don’t think the concept of an electronic “skeleton key”, produced by a grade 4 attacker but sold to grade 2 attackers at low cost, is too unlikely in the near future. As more and more alarms become wireless and include IP connectivity, the available attack surfaces increase and the risk decreases for attackers.
Just to give an idea of what a £30 device can do:
http://adamsblog.aperturelabs.com/2013/03/you-can-ring-my-bell-adventures-in-sub.html
It raises other questions as well – as alarms become more vulnerable, they don’t appear to be moving forwards in terms of in-place firmware upgrades. A vulnerability could stick around for years.

Joe Harris
June 13, 2013 11:01 am
Reply to  cybergibbons

The link was a really interesting read, thanks cybergibbons. I loved the use of the watch and the level of detail was perfectly pitched. I also very much like the term ‘electronic skeleton key’; it’s an excellent way to communicate the intent of such a device quickly in a way many can understand. The issue you raise about firmware is a really quite fundamental oversight on the behalf of many manufacturers. Some providers of equipment do give us the ability to update OTA via GPRS or through IP – but where PSTN is utilised or in many cases where equipment…

Chris Carter Brennan
June 14, 2013 10:29 am

We’re all in the security business and sometimes that is a lost message when pricing an installation. Buy cheap, pay twice is a simple message to understand. If you need a secure system then make sure that the core of the solution is independently approved and has the necessary encryption to ensure that you won’t get attacked electronically – i.e. the effort for the return on such an activity is just too high. Most end users and installers do not have the time, energy or knowledge to fully understand the ins and outs of encryption, substitution protection and firmware upgrades.…

byrukhwilles
September 24, 2013 4:20 am

Securing our property from theft is really the toughest job before us, and it becomes the biggest challenge when we have lots of important and valuable belongings with us, so for this we often use alarm systems, motion sensor security lighting, burglar alarms etc., and these really work great to protect our belongings.

Rob Ratcliff
September 24, 2013 10:42 am
Reply to  byrukhwilles

But what do you think about EN security grading?

Rob Ratcliff
September 24, 2013 10:47 am

Thanks for this comment, which I must have missed, Chris. Couldn’t agree more about the importance of protecting data transmission. Do you find that people just aren’t interested in encryption processes, and would rather their tech just ‘works’, or is this something that end users show due diligence towards? I suppose compliance is the main issue for most?

Chris Carter Brennan
September 24, 2013 10:50 am
Reply to  Rob Ratcliff

No worries. If end users use independent approval and certification then they should be OK. For alarm transmission they need to look at the EN standards or the BRE’s LPS1277 standard. You’re right that end users tend to “just want it to work”, but without a little due diligence you can open yourself up. Certainly working with the UK’s banks lately they have been very hot on encryption and how the keys are updated and exchanged. The good news is that this is all software so the entire market benefits.

Rob Ratcliff
September 26, 2013 10:28 am

Kind of like the way safety tech from motorsport gradually drips through to road cars?