Five fundamental security flaws spotted in the iSmart system
Have you ever thought of purchasing the iSmart electronic security system, or do you already own one? You might need to shop around. Although the CNET website rates it as the highest rated digital security system, recent findings may sully its reputation. A study from BullGuard by Ilia Shnaidman (Head of Security Research at BullGuard Dojo) noted five glaring issues.
The worst of the five bugs concerns authentication. If besieged by hackers, the whole iSmart system (or your own installation) could be compromised. Potential attackers could gain access to iSmart’s customer database, your private data, and your home address. Furthermore, attackers could also gain access to the alarm’s disarming process and the Welcome To Your House sign. They can also create their own profile and lock you out from a great distance.
There is no security certificate, which would otherwise stop spoofing. The attacker can obtain an encryption key because of a Server-Side Request Forgery issue. A ping flood can be used to disable the alarm system, leaving its owner vulnerable.
The vulnerabilities were first noted by Ilia Shnaidman in January. He sent an email message to iSmart with his findings. There was no reply. Recent observations found that iSmart’s last firmware patch was released on 21 March this year.
Once again, there is no substitute for mechanical locks, but you pay your money and you take your choice. If you wish to purchase a digital security system, it pays to do your homework. Without a mechanical backup plan, you would be well and truly stuck.
CPPM Locksmiths, 19 July 2017.