Image: Bettina Keim (illustration)
Many smart home security systems come with standard passwords. Potential intruders can deactivate them online and use them to spy on homes - the affected systems are in use in many countries globally.
(read this article in German).
Home security systems are not usually part of the core fields of IT reporting. But in the last few years wireless alarm systems have become more and more popular; they can be extended at little expense and operated by SMS or over the Internet via smartphone. By the time alarm systems gained a network interface and rudimentary smart home functions, at the latest, they became a topic for c’t magazine.
This is how the Blaupunkt connected wireless alarm system Q3200 made it into the magazine (c’t 8/16, p. 56, German). The product had a few rough edges, but almost in passing we came across an undocumented web interface, which was the only way to configure the alarm precisely. We were taken aback by the lax handling of the login for an alarm system: the user 'admin' was preset with the matching password 'admin1234'. At first glance this seems sloppy but not really problematic, since the equipment only operates in the local network. Or does it?
From this point our investigation deepened. Blaupunkt is only the brand under which the Taiwanese OEM manufacturer Climax Technology sells its alarms in Germany. Climax is one of the big names in the security industry. The company sells its products in some markets under its own label, but more frequently it acts as a hardware supplier for other brands. In Germany, therefore, you can get Climax hardware not only from Blaupunkt, but also from Egardia or Lupus Electronics.
Our testing of the Lupus alarms XT1 and XT2 was already fully underway when we looked more closely at the web interface, because here too the alarm came with a preset default login. In contrast to the products from Egardia and Blaupunkt, the Lupus alarms do not communicate via the circuitous route of the manufacturer’s own cloud server, but can be controlled directly from outside using a web interface optimised for mobile devices. To enable this access, the user must open a port on the router.
Lupus provides a step-by-step guide for this in the manual, and the FAQ on its homepage also walks users through setting up a typical router. However, a decisive piece of information is missing: at the very latest when the device is exposed to the Internet through an open port, the default login stored in the factory firmware should be changed. But how many users actually set a new password?
Made in Germany
Anyone who thinks that the issue with default logins is a Taiwanese problem is nurturing a false sense of security. We bought a Secvest alarm, manufactured by the security specialists ABUS, from Amazon. Here, too, a glance at the manual gives a sense of foreboding: ABUS ships the Secvest with the preset user '1234' and the password '1234'. Strictly speaking, this professional alarm is meant to be sold by specialist retailers and installed by trained engineers. But how do the professionals deal with the password, and are the alarms not installed by lay people as well?
From a security point of view, the deficient factory state with its default login, combined with the way customers actually behave, makes for an explosive mixture. Considering that scanner portals such as Shodan index any equipment reachable on the Internet in a Google-like search engine and make it findable, you rapidly arrive at the worst-case scenario.
If an alarm system with a default password is reachable on the Internet, its individual IP address is the last hurdle a malicious intruder needs to overcome. Scanner services such as Shodan scour IP address ranges automatically and record the responses of the web servers they encounter. And indeed: simply entering the term 'Climax' yields numerous hits worldwide, of which about 15 percent are reachable with the default login.
With daily scans using modified search strings we found Climax clones scattered around the world that were openly reachable on the Internet. In Germany, the majority of these alarms come from Lupus Electronics. Worldwide, alarms from Adesys, Altibox, Assa Abloy, SecPro, Yale and from Climax itself are openly reachable, from Scandinavia through the Benelux countries to Australia; on average we found a three-figure number of open alarms on the Internet.
The ABUS Secvest could also be found with its 1234 login. Admittedly, it does not communicate on standard ports and therefore often slips through the net of the scanner portals. However, anyone who buys an alarm can easily identify the port it uses and, with a targeted scan, reach the goal even more reliably.
The web interface of the home security system provides full access to all functions. You can switch sockets, set off sirens, or arm and disarm the alarm at will. The potential for misuse is terrifying. A burglar can roughly locate the alarm geographically from its IP address. The owners themselves often unintentionally make exact localisation easier by entering personal data into the system. For instance, Max and Marion from Musterhausen might have registered as users and left their mobile telephone numbers for emergencies. Other owners might have configured their email address to be notified in the event of a problem.
If that email address is something like John.Doe1972@mycompany.com, the owner can be pinpointed just as easily, even with an IP address that only resolves to the Australian outback. In two of the scanned ABUS alarms, even the responsible installation companies had immortalised themselves in the alarm chain.
In addition, the alarm's event log lets an intruder learn the household's daily routine: garage opener operated daily at 7:30, alarm armed at 7:35, wife drops in during her lunch break and disarms it, alarm set to holiday mode with presence simulation. Particularly scary: the latest alarm systems from Climax also integrate cameras, whose surveillance photos are likewise displayed in the web interface. Even accesses via the web interface are themselves recorded in the log.
With further research we also came across several security problems in the app communication of the Blaupunkt alarm; in light of the password vulnerability, however, these are rather minor.
Who was it?
But who actually put these home security systems on the Internet? The owners themselves, or did installation companies simply keep a convenient back door open for remote servicing? We decided on an unusual step: we wanted to speak to the owners of the open systems and find out what exactly had gone wrong.
Making contact is difficult. At least the first users we informed by SMS or email responded by taking the alarms offline or changing the password. Only the last attempt got us Mr Pfeiffer on the telephone: "Sorry, you have a security problem with your alarm." It rapidly emerged that he is anything but a naïve user. He was even magnanimous enough to explain to us how his alarm could end up openly on the Internet.
In our conversation he spoke positively about the quality of the Lupus XT1, which, apart from minor bugs, had provided reliable service. He was also enthusiastic about the support he had received by telephone and remote access for the configuration problems with his router. In the end, everything worked perfectly, apart from the problem that everything was publicly accessible.
A visit to c't magazine
We confronted the manufacturers with the results of our research before publication. On the one hand, we wanted to know what had led to this glaring security gap. On the other, we wanted to ensure that the affected customers' home security systems had disappeared from the Internet by the time this article was published.
The manufacturer of the system most severely affected in Germany, Lupus Electronics, set off for Hanover immediately after we asked the company for a meeting. Matthias Wolff, one of the three main shareholders of Lupus, came with an engineer. "On the way here we had the craziest thoughts about complicated firmware hacking or hardware defects in our alarms", Wolff said at the start of the meeting.
"With our connected alarms, we consciously decided against the Climax ones with the supplied cloud control", he added. "We did not want users having to leave data on some server or other on the Internet, and instead we backed a heavily reworked web interface and implemented direct control of the alarm using the app."
The fact that it is "only" a password problem is a relief to him on the one hand, but also shocking on the other: "We actually had a blind spot on this point in development and did not see the wood for the trees." Security is a firm part of Lupus's DNA, Wolff confirms. The developers had simply not considered that users might put the alarms online without changing the default password.
Adrian Porger, managing director of Climax Germany, also appeared surprised in his meeting with c’t: "As a security manufacturer, the open systems send shivers down my spine." He talks about the lax way customers deal with passwords, but also about the responsibility of the manufacturers: "Of course, as providers of security technology, we are obliged to supply as watertight a product as possible." He had at least already heard something of Shodan and Co. "We must get used to screening our products better for security gaps from the outside in future."
By the time this article is published, all alarms should have disappeared from the Internet, the manufacturers hope. For the connected Blaupunkt alarm this was achieved by a remote update; web access is now meant to be blocked entirely. Customers with Egardia alarms are not affected by the bug, because an additional cloud server handles authentication in front of the web interface.
Lupus Electronics is releasing new firmware that forces a password change on initial connection. In addition, the entire retailer and customer base has been informed about the issue by email. The new firmware for XT1, XT2 and XT2 Plus should be available with the publication of this article; however, customers must install the update themselves.
When asked, Climax was not prepared to publish a list of all affected brands and models; it does, however, intend to inform its OEM customers and make new firmware available. It is therefore up to those manufacturers whether and how they contact end customers. In future, all Climax systems will require a new password to be set during initial configuration.
The Secvest alarm from ABUS is also to receive new firmware; further configuration should then only be possible after a new password has been set. Furthermore, the manufacturer wants to amend the alarm's documentation accordingly and point out the problem in its training for professional installers. ABUS has also promised to inform all specialist trade partners about the security gap.
If all goes well, most customers should emerge from this situation with new firmware and nothing worse than an uncomfortable feeling on reading this article, provided they take action themselves. Above all, however, manufacturers of home security systems should pay meticulous attention to how their customers actually use their products in real life. An alarm system failure on this scale must not happen a second time.
This is a translation of an article originally published in the German c't magazine, c't 14/16, p.78.