Home alarms let users keep default credentials

German investigative journalists from the c’t magazine said many home security systems come with a huge vulnerability which can put every home using the system at risk.

The vulnerability, however, is nothing fancy in hacking terms -- it’s pretty obvious and straightforward, but frequently overlooked. You see, similar to Internet routers, these home security systems are configured through a browser, and many come with easily crackable passwords like "1234" or "admin1234".

These passwords are easily changed when setting up the system, but because the setup doesn’t require a password change by default, many users simply don’t do it.

"When registering your alarm system, you don’t have to personalize your username and password, so this important step is simply forgotten by many users", explains c’t editor Sven Hansen.

By not changing the default password, these systems become easy targets for malicious actors. Once they’re in, they can see who was leaving the house, when, and whether the alarm was turned on or off in the first place.

It was even possible to access these alarm systems, to raise false alarms or turn the system off completely.

The weakness was found in alarm systems by Adesys, Altibox, AssaAbloy, SecPro, Yale, Lupus Electronics or Climax Technology, which are in use all over the world.

Most manufacturers have been notified of the breach, and some have already worked out a fix, c’t says.

"If it goes well, most customers should emerge from this situation with new firmware and only an uncomfortable feeling on reading this article, provided they become active themselves".

Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.

Photo Credit: Andrey_Popov/Shutterstock