A cool and innovative feature that is being offered to our clients by their security companies is connecting their security system to an app on key persons’ phones. This sounds great, and is admittedly a useful feature. However, there are huge security risks that must be mitigated before this feature is implemented.
Background on Security Systems
When a security system is isolated within your local network, it can have security flaws that are arguably “not as big a deal” because the system is not visible to the public Internet. It is not standing by the side of the digital Interstate waving a flag that says, “Hack me!” Security systems are notoriously deployed and forgotten. That is to say, the “DVR” (the box that controls the system and often houses the footage) is rarely updated or patched with a firmware/OS update when security flaws are discovered in the wild and the manufacturer produces and releases a fix. When was the last time your security company called you to advise you of a security flaw and to request permission to access the device and update it? I’m guessing probably never. However, if the device is isolated within your local network, this is “not as big a deal.”
Enter app-on-your-phone, front and center… The way the app works is that your security system now talks constantly to a server on the Internet, and that server in turn talks to the app on your phone. This means your system is now visible to the public Internet and can be attacked using a variety of methods! If the security system can be successfully compromised by a third party on the Internet, they can then execute attacks on anything within your local network: file servers with employee data, LOB databases, EMR software and health information, you name it.
#1. BizTech needs to be involved
This year alone, we have had three security vendors contact us “out of the blue” indicating they had already deployed this (or were in the process of doing so) with our clients! The only reason they contacted us was because “it wasn’t working.” This makes us wonder how many of our clients have this now implemented, and it IS working, and they are at risk. Please involve us before you allow your security company to connect your security system to an app.
#2. The security company needs to provide you (and us) with key information
This is what we need to assess the system and either work with the security company to mitigate risk OR to make recommendations to you:
- Make and model of system, including the DVR box (the main device that controls the system and often houses the footage)
- Local IP address of the system and local username and password (because we intend to log in and review the system configuration, specifically the network configuration)
  - Please do not have your security company email you these credentials. Rather, call them to obtain these or let them know that BizTech will be calling them for these credentials. Email is always transmitted in plain text unless you have encryption software and intentionally encrypt your email.
- Name of the app
- Current deployment
  - Has the app already been deployed?
  - If so, who has it?
- Other external communication
  - Does the security system report back to the security company?
  - Does it report to any other known servers on the Internet?
  - Is it currently accessible to you from home via a URL?
Obviously, we also need the name of the security company and the best person and method to reach them for technical questions and the like.
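The “other external communication” questions above come down to one check: which hosts outside the local network is the DVR actually talking to, and are all of them expected (the security company’s own servers)? The script below is an added example, not code from the original post or from any security vendor. It assumes a router or firewall that logs connections in a simple `SRC=… DST=… DPT=… PROTO=…` line format (a constructed format, not any specific product’s), that the DVR sits at a known local IP, and that the security company has told you which server addresses its app service uses. All log lines and addresses in it are constructed sample data using the IANA documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed local network the DVR lives on (constructed for this example).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample of firewall connection-log lines. Line format assumed here:
# "<timestamp> SRC=<ip> DST=<ip> DPT=<port> PROTO=<proto>".
SAMPLE_LOG = """\
2024-05-01T08:00:01 SRC=192.168.1.50 DST=203.0.113.10 DPT=443 PROTO=TCP
2024-05-01T08:00:05 SRC=192.168.1.50 DST=203.0.113.10 DPT=443 PROTO=TCP
2024-05-01T08:01:10 SRC=192.168.1.50 DST=198.51.100.7 DPT=8000 PROTO=TCP
2024-05-01T08:02:00 SRC=192.168.1.50 DST=192.168.1.20 DPT=445 PROTO=TCP
2024-05-01T08:02:30 SRC=192.168.1.77 DST=203.0.113.10 DPT=443 PROTO=TCP
this line is garbage and should be skipped
2024-05-01T08:03:00 SRC=192.168.1.50 DST=192.0.2.99 DPT=53 PROTO=UDP
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) PROTO=(?P<proto>\S+)"
)


def parse_log(text):
    """Yield (src, dst, port, proto) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m["src"])
            ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # not a usable address, ignore the line
        yield m["src"], m["dst"], int(m["dpt"]), m["proto"]


def _destinations(text, device_ip, want_external):
    """Map destination IP -> set of (port, proto) the device contacted."""
    dests = defaultdict(set)
    for src, dst, port, proto in parse_log(text):
        if src != device_ip:
            continue
        is_external = ipaddress.ip_address(dst) not in LOCAL_NET
        if is_external == want_external:
            dests[dst].add((port, proto))
    return dict(dests)


def external_destinations(text, device_ip):
    """Hosts outside LOCAL_NET the device talked to (answers “does it report to other servers?”)."""
    return _destinations(text, device_ip, want_external=True)


def internal_destinations(text, device_ip):
    """Hosts inside LOCAL_NET the device talked to; a DVR normally has no reason to reach a file server."""
    return _destinations(text, device_ip, want_external=False)


def unexpected_destinations(text, device_ip, vendor_servers):
    """External hosts that are not on the security company's stated server list."""
    return {
        dst: ports
        for dst, ports in external_destinations(text, device_ip).items()
        if dst not in vendor_servers
    }


if __name__ == "__main__":
    dvr = "192.168.1.50"
    vendor = {"203.0.113.10"}  # constructed: what the security company says its app uses
    print("External hosts contacted:", external_destinations(SAMPLE_LOG, dvr))
    print("Internal hosts contacted:", internal_destinations(SAMPLE_LOG, dvr))
    print("Not on the vendor list:", unexpected_destinations(SAMPLE_LOG, dvr, vendor))
```

On the sample data the DVR reaches three external hosts, only one of which the vendor accounted for, and it also reaches an internal host on port 445 (file sharing). Either finding is exactly the kind of thing to raise with the security company before, not after, the app goes live; a DVR whose external destinations are fully explained and which is blocked from the rest of the local network is a much smaller risk than one that is simply plugged in and forgotten.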
#3. BizTech needs to research the system
Using the information above, we will carefully research the system to understand the risk involved. We may have recommendations for the security company. We may want to work with the security company on how the system interfaces with the local network and the public network (the Internet). While obviously we have no desire to block you from useful features, we may in some cases have to recommend that you do not use a feature because of the identified risks (if they cannot be mitigated).
Lastly, everything we have said here also applies to any device that talks to the Internet (i.e. available from a remote location, like from home or a phone/tablet). These devices are often called “smart” devices or IoT devices. There are ways to secure these devices so that your private network is not compromised! Security does not happen by default; actually, the opposite happens—risk happens by default! We have to proactively put security measures in place and keep them effective.
How serious is this? Well, we don’t want you (or us) to be the next company on public display in the news for all the world to learn about.