Every now and again there is a news story discussing security experts breaching a wireless home security system. Such stories are often promoted with alarming headlines intended to grab your attention. But setting all the hype aside for one minute, what is the real risk for homeowners?
There has never been a home security system capable of withstanding every attempt to breach it. Nothing is that perfect. The other unavoidable reality here is that no home security system can prevent a determined criminal from entering a home. Security systems are designed to deter those unwilling to take the risk of getting caught.
Looking at home security through a realistic lens brings us back to the obvious question of risk. Yes, wireless security systems can be breached. But so can wired systems. The real issue is the level of risk homeowners take by installing wireless security equipment.
Disabling a System Remotely
One of the latest reports of a home security system being breached involves a cyber security company known as Rapid7. The company apparently uncovered two vulnerabilities in a popular wireless security system, vulnerabilities that allow the system to be deactivated remotely.
The first vulnerability revolves around a faulty API that makes it possible to obtain a security system’s unique IMEI with little more than the homeowner’s email address. Hackers armed with the information could remotely disarm the system at will.
The second vulnerability involves intercepting the radio signal sent between a homeowner’s security system and wireless fob. Intercepting and recording the signal would allow a hacker to simulate the signal to arm or disarm the security system.
Effort vs. Payoff
The name of the home security company in question will remain anonymous for the purposes of this post. Having said that, one of their competitors is a nationwide company known as Vivint Smart Home. Vivint says that security flaws have to be measured against risk. In other words, from the criminal’s perspective, how much effort is required as compared to the potential payoff?
There is no arguing that both of the vulnerabilities uncovered by Rapid7 should be fixed as soon as possible. Of the two, the fob issue is probably more pressing. As for the API issue, breaching a home security system through a faulty API is certainly possible, but you have to know what you are doing, and you have to have the resources to do it. Is someone just looking to score a couple of pieces of jewelry and some electronics willing to put forth that kind of effort?
Breaching Other Systems
The security package targeted by Rapid7 is just one of countless others on the market. Other systems can be breached, too. Moreover, nearly any home security system can be breached without having to mess around with email addresses, APIs, and wireless fobs. Any criminal can break a window or kick open a door in seconds.
It is always helpful when talking about these types of things to remember that a typical burglar wants to be in and out as quickly as possible. An ideal burglary is completed in under 10 minutes. Getting it closer to five is even better. If it takes a tremendous amount of time and effort to breach a security system, there are easier targets.
None of this is to say that security vulnerabilities should be taken lightly or outright ignored. It is to say that these sorts of things need to be kept in perspective. Any security system can be breached one way or another. The question is whether or not the payoff is worth the effort.
