
Security issues with rules/program order



Posted

Has anyone ever experienced a security issue related to ordering of their rules? For example, if I have 2 programs and there's some kind of connection between them, say, through a variable, and if the triggering conditions are set up in such a way that the 2 programs execute non-deterministically with respect to each other, certain unintended effects might occur, such as opening of a door automatically when a light bulb was turned off. Has anyone experienced this? If so, could you explain?

 

-Earlence
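
The ordering problem described in the opening post can be checked mechanically by running every possible execution order and comparing the results. This is an added example, not code from the thread or from any controller; the two programs, the `home_flag` variable and the state fields are hypothetical.

```python
from itertools import permutations

# Hypothetical programs: (name, condition, action) over a shared state dict.
PROGRAMS = [
    ("welcome_home", lambda s: s["home_flag"] == 1,
                     lambda s: s.update(door="unlocked")),
    ("lights_out",   lambda s: s["light"] == "off",
                     lambda s: s.update(home_flag=0)),
]

# Constructed state right after a "light turned off" event; home_flag is stale.
AFTER_LIGHT_OFF = {"light": "off", "home_flag": 1, "door": "locked"}

def door_stays_locked(state):
    """Safety invariant: a light-off event must never unlock the door."""
    return state["door"] == "locked"

def run_order(order, state):
    """Run the programs in the given order on a copy of the state."""
    s = dict(state)
    for _name, cond, action in order:
        if cond(s):
            action(s)
    return s

def check_orderings(programs, state, invariant):
    """Try every execution order; return (order_dependent, unsafe_orders)."""
    finals = {}
    for order in permutations(programs):
        names = tuple(name for name, _, _ in order)
        finals[names] = run_order(order, state)
    distinct = {tuple(sorted(f.items())) for f in finals.values()}
    unsafe = [names for names, f in finals.items() if not invariant(f)]
    return len(distinct) > 1, unsafe

if __name__ == "__main__":
    racy, unsafe = check_orderings(PROGRAMS, AFTER_LIGHT_OFF, door_stays_locked)
    print("order-dependent:", racy)
    for names in unsafe:
        print("unsafe order:", " -> ".join(names))
```

Any pair of programs flagged as order-dependent should be merged into one program or guarded so the shared variable is cleared before anything reads it.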

Posted

Has anyone ever experienced a security issue related to ordering of their rules? For example, if I have 2 programs and there's some kind of connection between them, say, through a variable, and if the triggering conditions are set up in such a way that the 2 programs execute non-deterministically with respect to each other, certain unintended effects might occur, such as opening of a door automatically when a light bulb was turned off. Has anyone experienced this? If so, could you explain?

 

-Earlence

 

Are you talking about a data collision?

Posted

Yes, it is definitely a bug in a person's implementation. I was just interested in hearing whether people have experienced these sorts of bugs at all (and what the bugs were specifically).

Often, writing programs so that errors cannot happen is a very difficult process :)

Posted

To me, if an Insteon command can open a door, then there is a security problem... But that's just me.

Posted

I mean... you just write your programs so that can't happen. I'd call this a bug in your implementation. No?

There is no such thing as "can't happen".  One can take steps to minimize risk, but, ultimately, one has to balance and accept risk against other competing factors.

 

To me, if an Insteon command can open a door, then there is a security problem... But that's just me.

 

One could make this argument about many features in a home.  A wireless garage door opener, itself, is a vulnerability.  Doors and windows are a vulnerability.  Vinyl and foam are more vulnerable than concrete.  Furthermore, an open garage door without Insteon is less secure than a closed door with Insteon.  Does the fact that an IOLinc represents a new vulnerability automatically mean that I am not going to incorporate these kinds of things into my house?  For me, the answer is NOT an automatic NO.  Decisions like that are more nuanced than this.

 

Nearly everything we do is a balance between competing priorities.  Security is one priority.  Convenience is another.  The quality of living space is a factor.  Cost is a factor.  We all must make choices based on our personal tolerance for risk, the risk we perceive, based, in part, on where we live, our own habits and tendencies of those who live with us, and the weight that each individual priority.

Posted (edited)

Wireless garage door openers are, mostly, designed for security. Insteon is not (in fact it transmits without encryption, and devices don't authenticate incoming messages - so messages can be spoofed). There is a big difference between them, from a security perspective.

 

Other than that, I fully agree with you @oberkc. It's somewhat nuanced, but given I've been able to observe and decode Insteon traffic, deduce important IDs and can (technically) issue commands without any kind of authentication required means any access control in my house is now either Elk managed or Z-Wave (secure profile), where things are either hard wired or encrypted, meaning third parties cannot (easily) manipulate what's going on.

 

To me, using Insteon for access control is rather like closing your front door but not locking it. Passers-by will think you're secure, but anyone trying the door is able to do bad things.

 

Now, I hasten to add, this is my view. Personally, I automatically dismiss any Insteon access control from consideration now that I better understand the protocol.

Edited by MWareman
Posted (edited)

Does anyone have any experience with mounting a rifle on an IP cam mount with full axis control?

 

I am using a mirror so I can look down the sights via the camera and I have a workable solenoid connected to an IOLinc but the view from MobiLinc always moves in reverse to what is intuitive and it takes a long time to change the aim in the direction I want it to go.

 

We don't need no stinkin' alarms! Intruders see the gun move and they all run back out the door. Imagine that?

 

It may take a lot of duct tape but who says Insteon isn't for security?

 

 

:)

Edited by larryllix
Posted (edited)

Wireless garage door openers are, mostly, designed for security. Insteon is not (in fact it transmits without encryption, and devices don't authenticate incoming messages - so messages can be spoofed). There is a big difference between them, from a security perspective.

 

Other than that, I fully agree with you @oberkc. It's somewhat nuanced, but given I've been able to observe and decode Insteon traffic, deduce important IDs and can (technically) issue commands without any kind of authentication required means any access control in my house is now either Elk managed or Z-Wave (secure profile), where things are either hard wired or encrypted, meaning third parties cannot (easily) manipulate what's going on.

 

To me, using Insteon for access control is rather like closing your front door but not locking it. Passers-by will think you're secure, but anyone trying the door is able to do bad things.

 

Now, I hasten to add, this is my view. Personally, I automatically dismiss any Insteon access control from consideration now that I better understand the protocol.

 

GDO are offered primarily as a of convenience the fact you can open - close a door is simply a side effect of security. As I have written many times before security is a lifestyle of awareness and knowing the areas of faults and opportunity of penetration.

 

In more than 25 years in the security field I have yet to see ten houses in a row actually deploy any real security in their homes. 90% of the populace simply do without and whatever is presently in the home, that's what they use.

 

5% of the populace install some form of noise maker in the hopes of deterring potential thieves. Of the 5% of these people only 50% of them actually have their system monitored by a certified CS (Central Station).

 

Of the remaining 3% of the populace upgrade their dead bolts / door knobs. Of those 3% that do are basically living a lie in thinking these automated locks are providing themselves any real force protection.

 

It doesn't and simply siphons money out of their thin wallets . . .

 

The remaining 2% are the only people who truly understand what security is. That is, it's a lifestyle, being aware, not advertising, and running stealth.

 

These people use force protection as the first line of hardening the premises. It is not a second thought or option it is the primary option and deployed first!

 

One only needs to go to NYC and see almost every building covered in wrought iron gates, doors, bars etc. Does anyone believe this is simply for looks? This was done because no matter how loud a siren is, or how bright a strobe is, or even how fancy a lock set is with BLE, remote status.

 

You simply cannot breach an out-swinging wrought iron door in 30 seconds. Couple this with solid door reinforced strike plates, door jambs, door guards, and of course a real mechanical dead bolt.

 

As oberkc indicated life is about balance and compromise . . .

 

I know lots of folks who live deep in the sticks and locking ones doors, leaving keys in the ignition is a way of life. Those who live in larger cities or where crime is prevalent need to do more.

 

To be fair to Smartlabs, Insteon has never been endorsed as being a security system but does add value and auxiliary support to an existing security alarm system. People simply need to be realistic about what it can do and the limitations of such.

Edited by Teken
Posted

While I have no doubts that wireless garage door openers are designed with security features and are less vulnerable than Insteon, I remember not too long ago stories of military using frequencies that cause unwanted opening and closing of garage doors. Yes, they may be more secure, but they do present a vulnerability to those with the skills to exploit. The chances of a garage door opening uncommanded are much higher with the presence of an opener than for a door without. Furthermore, a door is more secure when locked than when relying on the opener to resist forced opening.

 

But, neither would I control a garage door with Insteon if I lived in a high threat area. Fortunately, I do not.

Posted

 

 

While I have no doubts that wireless garage door openers are designed with security features and are less vulnerable than Insteon, I remember not too long ago stories of military using frequencies that cause unwanted opening and closing of garage doors.

Differing technology though - modern garage door openers use rolling codes, and even newer ones have actual encryption in use. Older openers used a static code - and those are worse than Insteon from a security perspective. I think the older 'random' openings are with the static code openers - many of them are (unfortunately) still in use today. I saw a modified kid's toy a while ago able to open these static code doors within seconds and on demand. It's scary that so many people still use them!

 

When I say 'designed for security' I'm referring to the latest generation of openers.

 

All of what you say though otherwise is true - security is a set of choices and compromises. To make those choices though people need to know that Insteon is not a secure protocol - and they can make their choices from there.

 

Insteon can be monitored and spoofed. And it's not too difficult.
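
The difference the posts above draw between static-code or unauthenticated receivers and rolling-code receivers comes down to what the receiver checks before acting. This is an added sketch, not from the thread and not any vendor's actual scheme: it assumes an HMAC-SHA256 tag over a command plus counter, and the key, frame layout and device ID are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # placeholder shared secret, not a real device key
WINDOW = 16                      # how far ahead of the last counter is accepted
TAG_LEN = 8

def static_receiver(frame, expected=b"OPEN:1A2B3C"):
    """Static-code style: any byte-identical frame is accepted, every time."""
    return frame == expected

def make_frame(counter, command=b"OPEN"):
    """Transmitter side: command + 4-byte counter + truncated HMAC tag."""
    msg = command + counter.to_bytes(4, "big")
    return msg + hmac.new(KEY, msg, hashlib.sha256).digest()[:TAG_LEN]

class RollingReceiver:
    """Accepts a frame only if it is authentic and its counter moves forward."""

    def __init__(self):
        self.last = 0

    def accept(self, frame):
        msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(KEY, msg, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            return False                      # forged or altered frame
        counter = int.from_bytes(msg[-4:], "big")
        if not (self.last < counter <= self.last + WINDOW):
            return False                      # replayed or far out of sync
        self.last = counter
        return True

def compare_receivers():
    """Send the same frame twice to each receiver; return what each accepted."""
    static = [static_receiver(b"OPEN:1A2B3C") for _ in range(2)]
    rx, frame = RollingReceiver(), make_frame(1)
    rolling = [rx.accept(frame), rx.accept(frame)]
    return static, rolling

if __name__ == "__main__":
    print(compare_receivers())
```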
