Imagine you are sitting on an airplane in Atlanta and just as they close the door you receive this picture.  You look a bit closer and confirm that in the background is the control panel for the security cameras in your new house.

Now luckily I know these guys.  That’s Lee on the left and Stuart on the right and they work with me at IronNet Cybersecurity.  Lee and Stuart have some special skills and they put those skills to work testing the security on my new “smart” home.  Turns out I was pretty smart to have them test the system.  Turns out the camera system is not all that smart.

So here is what happened.  We built a new home and moved in this summer.  One of the sub-contractors I engaged early on was the sound and security guy.  He did great work and overall we are happy with the system he installed.  As we were going through the design and installation process I asked several times about the security of the system.  The contractor said the security was top notch, don’t worry.  I explained that I was going to trust, but verify once the installation was complete.

During the configuration process, I asked what it would take for me to be able to view the cameras remotely when I was away from the house.  Conveniently there is a proprietary app but it requires certain communication ports to be open on my router.  This did not sound like a good idea to me, but I was assured that appropriate access controls were in place, no problem.

After everything was up and working I gave Lee and Stuart the IP address of my house and in about three hours they had full control of my security cameras. Sparing the technical details, suffice it to say that Lee and Stuart found a flaw in the code that runs the camera system and they were able to obtain admin access without compromising any user names or passwords.

The first thing I did was close the ports and install a business-grade firewall.  While that does not make me bulletproof, I am a significantly harder target.  The next thing I did was notify the installation contractor.  To my surprise, he was not that excited about the picture I shared or the revelation that he was installing a product with a significant security vulnerability.  Guess he is lucky that I am not the type to go out on Yelp and make a stink.
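To make “close the ports” concrete, here is an added example of what the router side of that change looks like as an nftables ruleset.  It is not the author’s configuration and not the camera vendor’s; the interface names (wan0, lan0), the LAN subnet, the recorder address 192.168.1.50 and its port 8000 are all constructed placeholders.  The disabled block shows the weak setting the vendor app asked for (a port forward from the internet to the recorder); the live chains let the LAN reach the recorder and the internet, and admit no new connections from the WAN.

```nftables
#!/usr/sbin/nft -f
# Added example, not the post author's ruleset. Assumed placeholders:
# WAN interface "wan0", LAN interface "lan0", LAN subnet 192.168.1.0/24,
# camera recorder at 192.168.1.50 listening on TCP 8000.
flush ruleset

table inet home {
    # WEAK SETTING (what the remote-viewing app wanted): forward the camera
    # port from the internet straight to the recorder. Kept here disabled
    # only to show which rule to remove.
    # chain prerouting {
    #     type nat hook prerouting priority dstnat;
    #     iifname "wan0" tcp dport 8000 dnat ip to 192.168.1.50:8000
    # }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "lan0" accept                 # router management from the LAN only
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # LAN devices may reach the recorder and the internet.
        iifname "lan0" ip daddr 192.168.1.50 tcp dport 8000 accept
        iifname "lan0" oifname "wan0" accept
        # Nothing above accepts new connections arriving on wan0, so the
        # recorder's port is no longer reachable from the internet.
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset` that no dnat or accept rule references wan0 as an inbound interface; the effect is that the camera system is only reachable from inside the house, which is the trade-off the post describes.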

The next thing I did was call the system distributor.  It took about 15 minutes before I found someone who could understand that I was calling to notify them of a security flaw in their product.  The next day I did get a phone call from the company.  I asked if this was the type of company that would try to sue me for violating the product terms of agreement or was this the type of company that welcomed the information.  It turns out they were the latter.  According to the gentleman we spoke to, they were aware of this particular vulnerability and there was a fix on the roadmap.  No time frame was suggested nor was there an offer to retrofit or patch.  I imagine this distributor is at the mercy of the overseas company that builds the product.  He added that this was a common issue with other systems.  I did not find that comforting.  We provided them a detailed report of our findings, at no charge I might add.  Further attempts to contact them regarding the filing of a Common Vulnerabilities and Exposures (CVE) report went unanswered.

There are several interesting points to ponder here.  First, as a homeowner or a business owner, do not take for granted the security of your security systems.  There is going to be a tradeoff between security, privacy and convenience.  Just make sure you are making a conscious choice.  If you want to have Lee and Stuart check out your setup, send me a note.  Second, if you sell and install tech equipment these days, you should care about the security characteristics of the equipment you are putting in people’s homes and businesses.  Reputation damage is hard to measure and hard to fix.  Third, if someone notifies you of a security flaw in a system you produce, have a plan for how you are going to treat them.  Make it easy to reach the right person and follow it through to conclusion.  Finally, if you know there is risk involved that the average consumer would not consider, explain the trade-offs.  Help them make the right decision.

If you thought this post was useful, please share it.  Also, consider liking my Facebook page, The CyberSpeaker.  And check out my website:  www.thecyberspeaker.com.