The maker of a smart home security system has failed to patch five security issues in the firmware of his product. These flaws allow an attacker to bypass authentication, take over devices, and disable alarm systems, leaving homes exposed to burglaries.

The researcher who discovered these issues is Ilia Shnaidman, Head of Security Research for BullGuard's Dojo, a home appliance for securing local IoT devices.

The researcher says he found these flaws in iSmartAlarm, a DIY home alarm system that users can assemble from different components such as security cameras, door sensors, motion sensors, smart locks, and a central unit called iSmartAlarm Cube.

Vendor has not issued patches

Shnaidman says he reached out to iSmart, the company behind the product, earlier in the year, in January. iSmart acknowledged his initial email, requested more details about the vulnerabilities but did not reply afterward.

Attempts to contact the vendor through US CERT were also unsuccessful, and the researcher eventually decided to go public with his findings so iSmartAlarm owners could replace their alarm systems in case they use them to protect valuable property.

At the time of writing, iSmart has not issued firmware updates to patch the five flaws discovered by Shnaidman.

Researcher found five vulnerabilities

These five issues can be combined to carry out attacks that take over the home alarm system, allowing an intruder to disable it if necessary.

For example, the iSmartAlarm Cube doesn't validate the SSL certificate presented during the initial SSL handshake with the iSmartAlarm backend. An intruder can use a Man-in-the-Middle attack while on the local network and pose as the iSmartAlarm central server.

An SSRF (Server Side Request Forgery) vulnerability in one of the device's API allowed the researcher to retrieve an encryption key for the device.

Shnaidman says this encryption key could be used to generate another encryption key. This second key can then be used to sign commands sent to the iSmartAlarm Cube, including commands like arm, disarm, or panic.

Furthermore, an attacker can also launch a simple ping flood to temporarily shut down the alarm's central unit, a.k.a. the Cube.

Last but not least, Shnaidman also says he found login credentials hard-coded in the iSmartAlarm system that granted him access to iSmart's internal ticketing system.

Access to this ticketing system provides attackers with information on other iSmartAlarm home security systems installed across the US or other countries.

"Now all you need is an imagination. What would a black hat burglar be able to do with such exploits?," Shnaidman rhetorically asks. "He can gain full control of any iSmartAlarm cube and also retrieve all of their customers’ private data, including their home address – creating a perfect scenario for cyber assisted crime."

More details are available in BullGuard's security report. This is not the first home alarm system that was found to be vulnerable to various flaws. Here's a list of past incidents that affected vendors/products such as SimpliSafe, RSI Videofied W Panel, and Texecom Premier Elite series.

CVE-2017-7726 Remote Missing SSL Certificate Validation iSmartAlarm Cube CVE-2017-7727 Remote Server Side Request Forgery iSmartAlarm CVE-2017-7728 Remote Authentication Bypass iSmartAlarm Cube CVE-2017-7729 Remote Incorrect Access Control iSmartAlarm Cube CVE-2017-7730 Remote Denial of Service iSmartAlarm Cube

Image credits: iSmart