I have recently contracted with a local security company to install a fairly extensive security system in my home. The system cost thousands upon thousands of dollars, and is made by one of the top brands in home security systems. This system provides full automation, including video monitoring and recording with coverage both outside and inside my home. I have large-screen TVs that display every angle at the touch of a button, and I have programming interfaces which allow me to extend the capabilities of the system, limited only by what I am able to cook up in today’s Z-Wave enabled IoT platforms. I can monitor my home from my bedroom or 2,500 miles away – it makes no difference. This is the ultimate enabler for the security-conscious homeowner.
There is, however, one big problem with my home security system… the system is not secure.
Wait, what? I am saying that one of the top brands of home security companies is putting security systems onto the market that are not secure? Yes, that is what I am saying: my home security system has been neither designed by the manufacturer nor configured by the installer in a secure fashion. In essence, the moat around my castle has multiple unprotected drawbridges by which a minimally savvy technical person could enter and plunder booty. My booty.
Interestingly, the installer has taken a fairly disinterested stance, stating that technology changes so fast and they can’t be expected to understand how to secure computerized and network devices. I feel their pain. The manufacturer will (once I contact them) undoubtedly take the position that there are WAYS to secure the system, so the problem is due to the lack of knowledge and understanding of the installer. The homeowner is a consumer and expects that the security system they have contracted out for will allow them to secure their homes. Everyone has been fooled.
Unfortunately, they are all right and all wrong at the same time. There are technologies and architectures that could be layered on the home security system that would ALLOW the installer to install and configure the security system in a secure fashion, and the homeowner should be savvy enough about their own personal security that they should spend some time asking questions and understanding the technology they are using. And yet there is a significant lack of knowledge at the intersection of information security and physical security, and of how the two need to coexist.
This has got to change.
I spent this past week at Gartner’s 2015 Risk Management Summit. Gartner has decided it is now time to stress the fact that Physical Security and Information Security need to work together for the health and safety of the world. This is exacerbated by computerized healthcare devices and computerized cars, and it is only going to get more and more challenging and risky as the physical and digital worlds amalgamate.
So, here is the question: when someone exploits the weaknesses of my home security system and breaks into my home and destroys or plunders whatever it is that I hold dear… who is responsible? Is it the manufacturer that has created a system that can easily be poorly installed and configured, is it the installer who trusts the manufacturer and knows only how to crimp the wires and program the interface, or perhaps it is the homeowner who has put their trust in the installer and only knows how to click a few buttons?
The answer is “yes”: the security of the home system is the responsibility of the installer, the manufacturer and the homeowner. It comes down to this: trust, but verify.
Security is everyone’s responsibility.
Check back in a few weeks. Once I have had an opportunity to secure the vulnerabilities introduced by the manufacturer and the installer, I plan on documenting what the issues were and, if you have this security system, what you can do to protect your home, and more specifically, the types of questions you should continue to ask yourself as your digital lines continue to blur.
It is all about education.