Protecting properties from modern criminals is a complicated challenge. If you are looking to secure your premises, you will need to first have it risk assessed. You may find that your insurance company and the risk assessment performed specifies a minimum security grade for the installation.
A quick reminder of the security grades available:
Grade 1: Typically only for low-risk domestic properties
Intruders attacking these installations typically would be opportunist thieves, utilizing tools such as screwdrivers or hammers or anything immediately available. These attacks would be less likely to be pre-planned or specific to the site attacked.
Grade 2: Higher risk domestic or very low-risk commercial properties
Such installations are in most cases protected by a remote monitoring facility and would potentially face attack from more experienced or knowledgeable criminals.
These systems are designed to defeat intruders whom may understand some principles of how alarm systems operate and may have access to some basic electronic tools to assist in gaining access undetected.
Grade 3: Higher risk commercial and residential systems
These systems perform more robust checks to ensure that they protect from a potential thief who may be very familiar with intruder alarms and who may carry a broad range of tools and equipment to help carry out a planned attack on a specific premises. At this security grade the attacker could use tools such as a laptop and trade-specific tools.
Grade 4: Very high risk facilities such as military / financial / research sites
At this grade the protection is designed to defend against the highest potential calibre of attacker who may be able to attempt to bypass typical high security systems through the use of sophisticated tools and substitution and may understand reverse engineering and remote and local electronic attacks.
Where is the flaw?
This sounds very thorough and robust, so why then is it potentially flawed?
The core principle behind these grades is the preparedness, capability, and knowledge of a likely offender attacking the property in question. There are very good reasons for this implementation and it has a grounding in common sense and real-world scenarios.
The issue where it begins to fall over is that while a grade 2 attacker may only understand how to use pretty basic tools, a grade 4 attacker could provide a generic, cheap, and simple-to-use tool that can defeat a grade 3 or 4 installation and requires no previous knowledge, capability or skill to use.
The small, white box with a big red button could carry all of the technology, sophistication, and capability of a grade 4 intrusion while in the hands of grade 2 opportunist thieves.
It could be argued that a Grade 2 thief wouldn’t be so prepared as to buy equipment in advance, but if such equipment were to become commonly available at little cost, then it changes the landscape of the threat immediately.
Security devices are far too often self-certified by manufacturers themselves, meaning that we simply accept their word that devices they provide are secure and free from the type of flaws that could be automatically exploited by this form of reproducible attack.
With an increasing usage of wireless devices, IP/GPRS communicators and remotely accessible interfaces, and a lack of transparency, it is crucial that you ensure that your suppliers’ products and services are independently audited to ensure that they are secure by their design and fit for purpose. Not all encryption is the same; if the device you are using has an easily defeated security encryption, then it is only a matter of time before the inevitable "ACME Alarm Buster 2000" appears on eBay.
Ask your suppliers today for confirmation of third-party certification for their products.