Another modern-day IoT smart device bites the dust

Nov 30, 2015 16:41 GMT

Flaws in the authentication system used for RSI Videofied alarm systems allow attackers to spoof or intercept communications between an alarm panel and its server.

RSI Videofied is a French manufacturer of alarm systems. According to research carried out by Cybergibbons Limited, one of their recently launched alarm system lines has a few design flaws that put the alarm's users at risk.

The vulnerable alarm system is RSI Videofied W Panel, a wireless alarm system that starts recording video when an intrusion is detected. The alarm system is part of the recent wave of IoT devices that are connected with other devices and systems online.

IoT alarm systems are as insecure as other IoT devices

According to RSI's description, W Panel transmits alarms and video feeds when an intrusion is detected, or when a user requests access to the video feed via a mobile app. All these operations are centralized via one of RSI's servers. W Panel alarms are IP-based, so they work via regular Internet protocols.

Security researchers at Cybergibbons were interested in the product and had a look under W Panel's hood to see how everything is handled in this modern Internet of Things alarm system.

Their work uncovered glaring security holes that should have never made it inside a home security product in 2015.

Problems with the alarm system's authentication system

Cybergibbons' staff discovered that the protocols used for authenticating W Panel alarm systems on RSI servers used a simple authentication and authorization method that is easy to reverse-engineer, relying on the panel's serial number and a weak challenge/response authentication system.

The entire authentication process is decoupled from the actual device, and attackers can easily spoof device IDs and gain access to and control over someone else's alarm system.

To make matters worse, nothing is encrypted: all communications are sent in cleartext, and there is no message integrity protection mechanism and no sequence numbers for network packets.
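As an added illustration (not code from Cybergibbons, RSI, or the original article), the sketch below shows the protections the researchers found missing: a challenge response tied to a secret per-device key rather than the serial number, a message authentication code on every frame, and sequence numbers that reject replays. The frame layout, labels, and key provisioning are assumptions and do not describe the Videofied protocol; confidentiality would additionally require encrypting the channel.

```python
import hashlib, hmac, os, struct

TAG_LEN = 32  # HMAC-SHA256 tag size


def _mac(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


def auth_response(key: bytes, serial: str, challenge: bytes) -> bytes:
    # Depends on a secret per-device key, not only on the public serial.
    return _mac(key, b"auth", serial.encode() + challenge)


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    # Hypothetical frame: 8-byte sequence number || payload || MAC over both.
    body = struct.pack(">Q", seq) + payload
    return body + _mac(key, b"msg", body)


class Server:
    def __init__(self, keys: dict):
        self.keys = keys        # serial -> random key provisioned per device
        self.last_seq = {}      # serial -> highest sequence number accepted

    def challenge(self) -> bytes:
        return os.urandom(16)   # fresh nonce, so an old response is useless

    def check_auth(self, serial: str, challenge: bytes, response: bytes) -> bool:
        key = self.keys.get(serial)
        return key is not None and hmac.compare_digest(
            auth_response(key, serial, challenge), response)

    def receive(self, serial: str, frame: bytes):
        key = self.keys.get(serial)
        if key is None or len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(_mac(key, b"msg", body), tag):
            return None         # altered or forged frame
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.last_seq.get(serial, 0):
            return None         # replayed or reordered frame
        self.last_seq[serial] = seq
        return body[8:]
```

With this design, knowing a panel's serial number alone is not enough to authenticate, and a captured frame cannot be modified or sent a second time without the server rejecting it.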

Attackers are capable of taking full control over the alarm system

All this means that attackers can easily listen in on the communications channel between an alarm panel and its server, alter network packets, prevent alarms from going off, send fake alarms, jam alarm video feeds, send fake video streams, or arm/disarm the system on command.

"The RSI Videofied system has a level of security that is worthless," concluded the Cybergibbons team. "It looks like they tried something and used a common algorithm – AES – but messed it up so badly that they may as well have stuck with plaintext."

The researchers say that they discovered the security flaws this summer but, after their emails went unanswered for more than six weeks, they will be publishing a full security disclosure on CERT/CC (Computer Emergency Response Team Coordination Center) later today.