Flaw in home security system lets hackers remotely activate alarms

The company appears to have ignored the security report, months after it was filed.

(Image: CNET/CBS Interactive)

REVIEW

CNET: iSmartAlarm review

Do-it-yourself home alarm system changes the security game, says CNET's Ry Crist.

Read More

It turns out that a so-called smart home security system isn't so smart -- or even that secure.

A maker of one home security system built by iSmartAlarm, which bills itself as the leader in do-it-yourself, internet-connected smart home security, has failed to patch several security flaws after they were privately disclosed to the company months ago.

The worst of the bugs is an authentication bypass bug, which could allow an attacker, among other things, to remotely control the system's alarms.

On one hand that's a nuisance at best, or a home exposed to burglars.

Researchers at cybersecurity firm BullGuard, which has a commercial interest in the Internet of Things security space, found several bugs in iSmartAlarm's Cube hub system, which controls the various sensors and cameras around the house.

"An unauthenticated attacker can persistently compromise the iSmartAlarm by employing a number of different methods leading to full loss of functionality, integrity and reliability, depending on the actions taken by the attacker," said Ilia Shnaidman, head of security research at BullGuard, in a blog post. "For example, an attacker can gain access to the entire iSmartAlarm customer base, its users' private data, its users' home address, alarm disarming and 'welcome to my home sign'."

Shnaidman said through a technique that allowed him to generate a new encryption key, an attacker can sign and send a set of three commands -- disarm, arm, or panic (which sounds the alarm).

Several other bugs in the software remain unpatched, including a flaw that allows an attacker to disable the unit through a denial-of-service attack. The researcher also found hard-coded plaintext credentials stored in the software, allowing an attacker full access access to the company's support website -- which contains records and personal information on other customers.

Shnaidman published his findings after the company didn't reply to his private disclosure.

The company's website shows there is no firmware later than March 21, suggesting the bugs have yet to be fixed.

iSmartAlarm did not return a request for comment.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Read More

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All