Hacking The Doors Off: I Took Control Of A Security Alarm System From 5,000 Miles Away

This article is more than 8 years old.

It was coming up to 9am Saturday morning in London. In California, nearly 1am.

I was sitting in front of some family-friendly sitcom with my MacBook open. On one tab was a login page for a security alarm carrying the logo of family-owned Martinez, CA, provider Bay Alarm. Beyond that login page was the control panel for the security system for the East Oakland Youth Development Center (EOYDC), which works with kids from ages six to young adults aged up to 24. Based just over 5,000 miles away from my present location, it's the kind of altruistic organization no one wants to see attacked.

But with a remarkably simple way into the organization’s physical security system, I had the power to prize it wide open; it was one of hundreds of thousands, possibly millions, of companies and individuals paying for internet-connected alarms that are supposed to provide added security, but often leave customers vulnerable.

On that login page, I entered a username of “admin” and a password of “admin”. Bay had shipped this default administrator login - one that’s commonly used across web-connected devices even though it’s easy for any hacker to guess - when it installed the youth center’s alarm. I clicked through and there it was, access to the entire security of EOYDC. I could unlock doors, turn alarms on or off, access CCTV camera feeds. If I had a partner in crime over in Oakland, I could’ve told them exactly when to enter the building, do whatever they pleased, and leave without a trace.

I did none of those things. I wasn’t there to cause trouble. Quite the opposite. In order not to break any US computer crime laws, I’d gotten permission from the president of EOYDC, Regina Jackson, to check if those default credentials would let me in so we could start the process of securing the building. Once I had access to the Bay Alarm system, I simply navigated to some pages and looked around for a quick and easy way to change the security settings and update passwords. There was none, however, and no advice online either.

But working with Jackson’s colleagues, who were thankful, understanding and quick to act, the vulnerability was remedied. After a call to Bay Alarm, which had to send in technical staff to help EOYDC, the device is no longer accessible from the web, whilst the password has been changed. No longer can a hacker turn the organization inside out with the simplest of attacks.

Meanwhile, I’d contacted Jon Epsten, partner of the San Diego law firm Epsten Grinnell & Howell, to warn him that I'd managed to view the login page for his Bay Alarm system. The ramifications of an undetected burglary of a law firm are all too apparent and alarming: tampered evidence, theft of client information, surreptitious installation of surveillance kit.

Epsten, who is finishing up a trial, was unavailable to speak on the phone. But in his last email to me, he wrote: “I owe you a thanks, because we didn’t know that and we are in the process of fixing the problem.” The last time I tried to connect to the IP address for his Bay Alarm system, it was inaccessible. The company had asked Bay to change the password before it made the link public. After my disclosure, the company modified its firewall so that the link was only available internally. Problem number two swiftly solved.


Unsecure alarms all over the web

Finding those alarm systems in the first place was trivial. The Shodan search engine allows anyone to find web-connected systems it has indexed. A query of title:"alarm" brought up 8,640 results. Searching for those specifically based in the US brought the results down to 892. Many of these led straight to websites of alarm providers. But looking specifically at California brought up numerous systems with the title “Bay Alarm”. Clicking through led to login pages. I then searched for "Bay Alarm" on its own, which delivered 72 IP addresses to check, most of which led directly to logins.

Those IP addresses that had the owner's name attached in Shodan, or those that could be looked up in the American Registry of Internet Numbers, would have been easy targets. I was able to find the exact location for at least four Bay Alarm customers and could have tried the admin login or guessed other passwords. This, however, is against the law: accessing systems without authorization is prohibited by the Computer Fraud and Abuse Act. Even where security researchers have tried to protect people by exposing unsecure systems, they've been threatened with CFAA lawsuits.

I had some luck finding out about the administrator account, having mentioned to San Diego-based security researcher Zachary Wikholm, an employee at hosting firm CARI.net, the discovery of Bay Alarm systems on Shodan. The name rang a bell for Wikholm. He recalled from prior research that the default administrator username and password for Bay Alarms was “admin/admin”. Wikholm contacted a former client who owned a Bay Alarm. They gave him permission to test the login, which let him right in. Wikholm declined to name the client and FORBES could not independently verify his findings.

Armed with that knowledge, I contacted EOYDC and Epsten Grinnell & Howell to address the flaws, but could not get in touch with the other organizations affected. Anyone with minimal technical skill could find the others. No hacking tools or skills are required, just the ability to point, click and type four words: title, bay, alarm, admin.

Without the time to research and contact every organization I believed suffered from vulnerable passwords, I attempted to contact Bay Alarm to see if it could address the situation for its customers. Bay didn’t have any press or security contacts on its website. I was, however, able to contact Bay Alarm vice president Graham Westphal, one of the Westphal family that runs the company. He confirmed Bay is working on the issue. “We are currently reviewing the manufacturer recommended admin protocols and will be addressing any specific accounts immediately with the customer.”

Westphal declined to offer any more specifics, and did not respond to questions on how customers could address weak passwords themselves, so it remains unclear just how Bay will remediate the issue.

The booming home (in)security game

It’s little surprise companies are trying to capitalize on the web-connected home security trend. The market is huge and growing, expected to be worth close to $50 billion by 2020. This week, a $7 billion acquisition by Apollo Global Management of home security provider ADT (reported to have its own security weaknesses in 2014) was announced. The firm will be combined with competitor Protection 1 to form a $15 billion business.

But companies, whether industry heavyweights, family firms or burgeoning startups, have been caught forgoing crucial security measures. Bay Alarm is certainly not alone in undermining its own promise to secure customers. Internet-connected alarms designed to let people control their home security systems from anywhere often open up more problems than they solve. In a separate feature, FORBES today revealed more than 300,000 American homes have been left vulnerable thanks to unfixable flaws in the SimpliSafe alarm system. The weaknesses allow hackers to easily intercept unencrypted signals sent between the house alarm and the portable controller. They can then “replay” those signals to turn off the alarm.

FORBES is also today reporting unpatched vulnerabilities in Samsung's SmartThings hub and motion sensors. These flaws can be exploited to disable the motion sensing capabilities to enter a SmartThings home undetected. When combined with a "smart" lock connected to the hub, researcher Tobias Zillner showed it'd be simple for a criminal to enter the house too.

In January, Comcast was warned about vulnerabilities in its Xfinity home security system. Rapid7 researcher Phil Bosco discovered he could jam Zigbee signals travelling over a 2.4 GHz radio frequency band and the system would not warn the homeowner. This would allow an intruder to walk around a customer's house without the sensors reporting the activity to the base station, the hub for the Xfinity alarm. The vulnerability remains, a Comcast spokesperson confirmed, but the telecoms giant is working with Rapid7 to patch it up.

It’s far from a problem limited to America. Amongst the thousands of results of a simple search for alarms on Shodan, Taiwanese manufacturer Climax had more than 7,500 of its alarm panels exposed, far more than any other manufacturer of smart alarms. Close to 1,100 were based in the capital Taipei. FORBES could find no evidence of weak default usernames and passwords, which were only asked for when certain features were requested once a user had navigated to the control panel.

Monica Lin, spokesperson for Climax, said accounts had been protected with "high-security passwords" and there were no default logins. But with so many accessible over the web, hackers could attempt to "brute force" alarms by repeatedly guessing usernames and passwords until they break in.


The smart home is an unsafe home

And it’s not just connected alarms that threaten people’s home security. All manner of “smart” security technologies have been deemed vulnerable in recent months. Earlier this month, home CCTV devices from Motorola had to be patched after researchers discovered glaring weaknesses. UK firm Pen Test Partners have uncovered flaws in DVR systems, which handle feeds of multiple CCTV cameras, and a smart doorbell in the last two months.

Other smart home tech leaves people’s homes open to hackers too. A report from FORBES in 2013 found a number of home control systems from Insteon were vulnerable, meaning our reporter was able to switch users' lights on and off. Another simple search on Shodan reveals 25 Insteon machines that could be accessible to anyone with an Internet connection.

“Security flaws discovered in connected home security systems are consistent with security flaws persistent across all connected devices,” said Ted Harrington, who headed up the Internet of Things (IoT) village.

“This would suggest that connected security systems can most likely be trivially compromised, beyond the research that has already been published. Principles of secure design have not been effectively considered in most connected devices on the market today.”

Therein lies the problem: manufacturers of connected devices often only take security seriously once they've been called out, rather than embedding protections in the technology at the design stage. Even when their kit is deemed vulnerable, as in the cases with Samsung and Comcast, few move swiftly.
