New Report Calls for Massive Alarm Panel Recall

Recall DOES NOT affect any My-Alarm equipment or customers!

For the past 20 years most hardwired alarm panels have been manufactured in deviation to UL 1023, UL 985 and NFPA 72 standards, Jeffrey Zwirn contends.


FRAMINGHAM, Mass. — Nationally recognized alarm and security forensic expert Jeffrey Zwirn is heading an effort to have the U.S. Consumer Product Safety Commission (CPSC) investigate noncompliance with UL and NFPA 72 codes, which he argues should result in the recall of tens of millions of alarm panels.

At the heart of Zwirn’s critical recall request are noncompliance dangers and vulnerabilities within single data-bus connected control units that are commonplace to hardwired residential and commercial alarm panels. Under a single fault condition, such as the introduction of a short circuit to the data-bus circuit, fire and intrusion alarm panels can be rendered partially or fully nonfunctional, Zwirn says he discovered as part of his forensic practice.

Nonfunctioning panels are therefore unable to communicate an alarm condition to the monitoring center. Also, peripheral devices such as smoke detectors, carbon monoxide detectors and intrusion alarm sensors will fail to audibly alert property occupants with the potential for severe injury or even death, according to Zwirn.

Zwirn, a contributor to SSI, is president of IDS Research & Development, an alarm and security consultation, expert litigation witness and training authority. He detailed his findings in a 43-page forensic analysis that focuses specifically on non-compliance issues involving UL 985, UL 1023, NFPA 72 of the National Fire Alarm Code, and NFPA 72 of the National Fire Alarm and Signaling Code. You can view video demonstrations of each non-compliance issue, here.

For the past 20 years the vast majority of hardwired alarm panels have been manufactured in deviation to UL 1023, UL 985 and NFPA 72 standards, Zwirn contends. The extensive nonconformity ought to result in “the largest recall the industry has ever seen,” he tells SSI.

“Concurrently, alarm companies will have many opportunities to help minimize property loss, serious personal injury and even death by correcting these serious deficiencies, which before now was not known by the alarm industry,” Zwirn says. “If that was not enough both UL, Intertek and other Nationally Recognized Testing Laboratories [NRTL] need to take responsibility as well for failing to comply with the standards which they represent that all of their control panels comply with, which was not accurate.”

Furthermore, he continues, manufacturers of alarm control panels have the duty to ensure the products that they designed, made and sold were code compliant with both UL and NFPA standards.

Connaughton Group, a product integrity consulting firm retained by IDS, assisted with the filing of a request for investigation of “Complaint of Non-Conforming Products” to the CPSC. In the filing, Connaughton Group President and CEO Thomas Connaughton states “ … it is estimated that the totality of the non-conforming control panels total hundreds of millions of units which were sold and installed across the country.”

The filing also makes reference to “documented losses of life and property where these control panels were installed and failed,” which Connaughton Group provided within its regulatory package.

According to the CPSC’s recall handbook, reporting a suspect product does not automatically mean the Commission “will conclude the product creates a substantial product hazard or that corrective action is necessary. The CPSC staff will evaluate the report and works with the reporting firm to determine if corrective action is appropriate.” Many reports submitted to the Commission require no corrective action, the handbook states, “because the staff concludes that the reported product defect does not create a substantial product hazard.”

UL, Intertek Investigating

Teams from UL and Intertek have undertaken investigations of the claims documented in Zwirn’s forensic analysis, according to the filing. The outcomes of both investigations are yet to be released. UL provided the following statement to SSI:

“UL’s public mission is to promote safer working and living environments for all people. We make every effort to confirm that UL-certified products meet stringent safety requirements, including opening a Product Incident Report for any issue that comes to our attention. Consistent with our usual policies regarding product safety matters, when UL received the alarm system claims, UL immediately opened a Product Incident Report and began an investigation.

During such investigations, certification documentation is reviewed, products are often re-tested, and if any issues are found, UL works with the product manufacturer to resolve the issues. In some instances, a public notice may be issued. Based on the investigation completed thus far, no safety issues have been identified. The investigation is still ongoing.”

Zwirn’s findings are supported by a peer review report conducted and written by Merton Bunker, a former veteran staff liaison to the National Fire Protection Association (NFPA). Among his vast credentials, Bunker was chief electrical engineer for the NFPA, responsible for the development of the National Electrical Code from 1998 to 2001.


In these videos, Zwirn demonstrates how various alarm panels and peripherals will fail when single data-bus connected control units are subjected to short circuiting.


In a formal letter provided to the CPSC as part of the Connaughton Group filing, Bunker states that he “technically duplicated, validated and verified” the findings in Zwirn’s forensic analysis report.

Addressing the gravity of the noncompliance issues and potential risk to life and property, Bunker calls for immediate steps to be taken, including: “Authorities having jurisdiction across the country and around the world need to be put on notice immediately.”

He continues, “All of the affected consumers and businesses where these control panels are installed should be put on notice that immediate corrective action is required since the control panels are non-conforming equipment.”

In all, Bunker lists a half-dozen brief opinions in his two-page letter. The last one stresses, “A comprehensive and corrective action plan needs to be instituted immediately.”

Zwirn to Market Panel Fix

While UL and Intertek investigations continue, and the industry awaits a decision by the CPSC, Zwirn is ramping up marketing efforts for a device he claims provides an easy fix to non-compliant single data-bus control panels.

Some industry stakeholders may be familiar with the Interceptor, a small control unit module that Zwirn has previously attempted to bring to market. He introduced the Interceptor in 2017 at ISC West. The now UL-Listed device is billed as a first-of-its-kind microprocessor based on patent pending technology designed to protect critically vulnerable data-bus and auxiliary power output wiring.

In a press release describing the product at the time of its introduction, the control unit module was said to eliminate “potentially dangerous and serious vulnerabilities that a multitude of equipment manufacturers and alarm companies have not identified and/or recognized.”

Zwirn has teamed with security industry veteran Keith Jentoft who will lead the marketing efforts for the device. Jentoft’s industry tenure includes serving as president of Videofied/RSI Video Technologies, which was acquired by Honeywell in 2016. He also founded the Partnership for Priority Verified Alarm Response (PPVAR).

Jentoft explained to SSI they will look to license the product to one or more manufacturers or other entities.

“You can imagine a tremendous business opportunity because every panel that’s out there is going to need one of these modules, that is the cheapest way [to fix the non-compliance issue] in any case. And if I was Company X, maybe I want to buy this as an exclusive,” he said. “So with all those panels, now I have my fingers in there. And maybe I want to have them reporting to me. There is a whole bunch of things you could do if you’re the only one that had it.”

SSI asked Zwirn about the potential conflict of interest in pursuing an unprecedented panel recall while simultaneously marketing a quick-fix product to solve the non-compliance issues and panel weaknesses. He responded:

“The standards which I rely upon were created by the alarm industry itself to define what a safe and reliable system is. Based on the codes and standards, which have been used for decades, the industry supports my position. The issue here is not the standards; it is the egregious failure of UL to verify and test that the control panels which each manufacturer submits to them are compliant.

Manufacturers pay UL to test their products. UL tests and certifies that they comply. Then the manufacturers in good faith sell these control panels to the dealers and the dealers in good faith install them in both residential and commercial applications,” he commented.

He continued, emphasizing his belief that UL is clearly at fault “because the industry has already defined what a safe control panel looks like, and they depend on UL to certify that they comply.”

“As far as a conflict of interest, I spent my own money to develop a solution to address what I perceived as a life-safety weakness in control panels before I recognized that UL had not properly tested the control panels,” he said. “I was motivated by life-safety concerns then and I still am.”

Posted in Main | Leave a comment

Report: Ring Wanted 911 Calls to Activate Its Video Doorbells

Emails show Ring and law enforcement were in the early stages of creating functionality that would turn on video doorbells in the vicinity of a 911 call.

Ring has been on the hot seat ever since a report emerged in July that revealed the company essentially enlisted police departments as salespeople for its video doorbells.

The latest development to come out of that partnership is the revelation that Ring considered building a tool that would make 911 calls automatically activate its video doorbells.

According to emails obtained by CNET, Ring told a California police department in August 2018 that the function could be introduced in the “not-so-distant future.” The project has since been abandoned.

In emails to the police department, Ring described a system in which a 911 call would trigger the cameras on Ring doorbells near the site of the call. The cameras would then start recording and streaming video that police could use to investigate an incident.

“Currently, our cameras record based on motion alerts,” Steve Sebestyen, vice president of business development for Ring, said in an email that CNET obtained through a public records request. “However, we are working with interested agencies and cities to expand the device owners controls to allow for situations where a CFS [call-for-service] event triggers recording within the proximity of an event.”

Though Ring users would have to opt in to the feature, it still raises privacy concerns. Currently, police departments that are partnering with the company are contractually obligated to provide Ring with certain information, such as access to call logs and incident data.

Additionally, Ring has partnered with several public safety software providers such as Central Square Technologies, NC4 and Motorola to harvest data, and even scrapes public records sources.

This computer-aided dispatch (CAD) data helps dispatchers improve call response times and determine the best way to provide resources, according to CNET.

“CAD data reveals a host of intimate and personal information from domestic problems to medical crises to who lives at a particular address and with whom,” says Andrew Guthrie Ferguson, author of The Rise of Big Data Policing and a law professor at the University of the District of Columbia. “While important, they are the product of emergency reactions and imperfect information.”

What is Ring doing with all of this data? The company’s Neighbors app, which is essentially an online neighborhood watch, posts alerts about local crimes and emergencies. For instance, it will alert users if there are reports of a shooting nearby.

The unfortunate truth is providing people with this type of platform can cause a rise in paranoia, which then leads to biases and false alarms. Imagine what would happen if suddenly every neighborhood video doorbell turned on when a 911 call is placed.

“What happens when someone calls the police because there’s a ‘suspicious person’ in the neighborhood?” asks Electronic Frontier Foundation policy analyst Matthew Guariglia. “Now every camera in that neighborhood is turned on and tracking a dog walker or someone out on a stroll just because of their race or the color of their skin.”


‘Amazon Choice’ Cameras Found to Have Huge Security Flaws

Tests conducted by a consumer watchdog group revealed certain cheap IP cameras found on Amazon can easily let hackers into users’ homes.

If you are a frequent shopper on Amazon, you are likely familiar with the “Amazon’s Choice” label that appears next to certain products. Nowhere on the site is it explicitly explained what exactly that means. It would probably be safe to assume that the label is only applied to products of reasonable quality, right?

In general, the label appears on certain products that are frequently purchased, have a high rating and are competitively priced. However, some of these products are less than reliable.

Take for example the countless wireless surveillance cameras that are being sold on Amazon. Which?, a UK-based consumer watchdog, recently purchased four wireless security cameras from the e-commerce giant.

All the cameras were from companies based in Shenzhen, China. Which? was unable to find much, if any, background information on the manufacturers.

When testing the cameras, it immediately became apparent how vulnerable each device is. One camera, the Vstarcam C7837WIP, used “admin” as the default username and an easily guessable password. This would allow anyone with that information to take over the camera.

The ieGeek 1080p and Sricam 720p cameras appear to use the same app, which requires the user to input their WiFi password, which is then sent unencrypted over the Internet. This could enable a hacker to view any information being sent or stored on devices connected to the network, such as laptops or even smart speakers.

“There appears to be little to no quality control with these sub-standard products, which risk people’s security yet are being endorsed and sold on Amazon,” says Adam French, a consumer rights expert at Which?. “Amazon and other online marketplaces must take these cameras off sale and improve the way they scrutinize these products,” he continued. “They certainly should not be endorsing products that put people’s privacy at risk.”

Not only have these dangerous cameras caught the eye of consumer watchdogs, but of Amazon customers as well. There are numerous negative reviews on the cameras that explain their vulnerabilities.

One disturbing review for a Victure security camera that carries the Amazon Choice badge states, “Someone spied on us. They talked through the camera and they turned the camera on at will. Extremely creepy. We told Amazon. Three of us experienced it, yet they’re still selling them.”

Between dangerous products and fake reviews, it is always important to do your due diligence when shopping online, especially when it comes to security products. Or better yet, call a professional.


3 in 4 Broadband Households to Acquire a Security or Privacy Service in Next 12 Months

A new report by Parks Associates shows that 62% of these U.S. consumers would opt to pay an additional fee for these services.


DALLAS — A large majority of consumers in the United States are expressing greater levels of interest for all types of data privacy and security solutions, according to new research by Parks Associates.

The report, “360 Deep Dive: Consumer Privacy: My Smart Home, My Castle,” found that 75% of heads of U.S. broadband households intend to acquire a security or privacy service in the next 12 months. Almost 40% of these consumers rank receiving these services bundled with their broadband service at no additional charge as most desirable, while the remaining 62% would opt to pay an additional fee for these services, either through a subscription, warranty, or one-time fee.

“Security and privacy services include parental controls, malware detection, and network activity monitoring. While interest is high, consumers still show a reluctance toward recurring fees — only 27% of data security/privacy intenders would opt for a subscription model,” says Lindsay Gafford, research analyst, Parks Associates.

Gafford continues, “The challenges to securing the smart home will intensify as consumers acquire more devices, creating ample business opportunities throughout the value chain for security solution providers. Vendors can differentiate by providing security expertise and flexible solutions that keep pace with changing security requirements.”

With increased device ownership, consumers show greater levels of interest for all types of data privacy and security solutions, though there is a significant deficit between interest and adoption. Among all U.S. broadband households, 63% are interested in a solution preventing identity theft, but only 19% actually use identity theft solutions.

“Consumers are struggling to understand what services are available to them, which service will actually protect their data, and which services fit into their payment preferences,” Gafford explains. “The service potential is immense, and broadband service providers are entering this space by partnering with data security solution providers to provide value-added services for consumers.”

“360 Deep Dive: Consumer Privacy: My Smart Home, My Castle” provides consumer data on current attitudes around data privacy, the value of data, privacy controls, and preferences for how companies collect and manage their data.

Additional results from the study:

  • Nearly 40% of consumers do not take any action to protect themselves from unauthorized access to their connected devices.
  • Only 15% of consumers strongly believe they receive a lot of benefit in sharing access to their data.
  • 63% of U.S. broadband households use at least one data security service for any purpose.

SimpliSafe DIY Security System Can Be Bypassed With $2 Emitter

The $2 wireless emitter fools the SimpliSafe security system by mimicking the frequency of its door and window contact sensors.

   

DIY home security systems continue to soar in popularity. However, they also continue to show why they are not always as reliable as professionally installed security systems.

SimpliSafe, one of the first major DIY security companies, has faced scrutiny over the past several years for vulnerabilities in its smart security system.

In 2016, the SimpliSafe system was found to be “inherently insecure and vulnerable to even a low-level attacker.” Later that year, SSI contributor and forensic alarm expert Jeffrey Zwirn analyzed SimpliSafe’s DIY offering and found disturbing results.

The latest person to find a flaw in the SimpliSafe system is a YouTuber who goes by the name “LockPickingLawyer.” He recently posted a video that demonstrates how the system can be fooled by a $2 wireless emitter that mimics the frequency of its door and window contact sensors.

This is possible because the DIY security system’s base communicates with its sensors on the 433.92MHz frequency, which is used by many other electronic consumer products.

The system can be fooled by using the emitter at the same time as opening a door or window (breaking the contact of the sensors). The emitter is apparently powerful enough to block the sensor’s communication back to the base, preventing the alarm from sounding.

However, if the emitter is close enough to the alarm base, the end user will be notified of wireless interference. You can watch the demonstration in the video above.

Tech website The Verge reported on this video and received the following response from SimpliSafe:

The video is misleading, and it doesn’t apply to how security systems work in real life.

As the video demonstrates, SimpliSafe systems are engineered to detect this kind of interference.

In this video, the videomaker finds a precise frequency, signal strength, and orientation of system components in which they can thread the needle of blocking system communication without triggering an alert.

In real life, this is unlikely. Because signal strength degrades unpredictably depending on distance and landscape, it would be very difficult for anyone to hit on the “right” strength without triggering an alert.

In addition, the setup the videomaker demonstrates (in which the sensors, base, keypad and “jammer” are all close together) does not resemble the setup of an actual home. In other words, prior knowledge of the layout of the motion sensors, door sensors and base station in the customer’s home and a rehearsal of how to move about the home would be necessary to confidently select a strength that will both jam and not be detected. In order for a real bad actor to effectively interfere with the system in this way, they would likely have to already be inside the home and have had ample practice.

We take very seriously anything that might interfere with our mission of keeping every home secure. We have the ability to tune the detection parameters and regularly release security and usability updates, making it increasingly difficult for anyone to use this type of attack.

The Verge then reached out to LockPickingLawyer to get his comment on SimpliSafe’s statement. He says he didn’t have to tune the $2 device in any way to get it to reliably bypass the alarm system and it was able to do it right out of the box. He also said it sometimes triggered an interference notification, though never an alarm.

He said:

The farthest from the base station I tested was about 60 feet (through two walls), and it worked the same as shown in my video.

SimpliSafe takes issue with the system components being arranged close together during the video. That was a necessity of filmmaking, not a physical limit of the exploit. In my testing, I carried sensors away from the base station to the far reaches of my home, then conducted the same tests with the same device and obtained the same results. If anything, testing at realistic distances showed a more significant problem insofar as the SimpliSafe system was less likely to detect the interference.

SimpliSafe’s other criticism is that someone would need prior knowledge of the system’s arrangement to avoid the detection of interference. The company is attacking a straw man. What is necessary to avoid detection of this exploit was outside the scope of my testing. In fact, my video explicitly notes that SimpliSafe may detect the interference. Detection of interference, however, never triggered an alarm in my testing. It only sent an “alert” that the resident may or may not investigate. As such, my video specifically advised owners of this system to take these alerts seriously regardless of how many prior alerts they’ve received as a result of non-malicious interference. It’s also important to note that if the system owner doesn’t have security cameras with which to investigate, the alert is of very limited usefulness. This is why I recommend the system be used in conjunction with security cameras.

As more DIY solutions hit the market, it’s important for security professionals to educate consumers about the dangers of going DIY. Though no solution is 100% bulletproof, it is important to choose a solution that can’t be compromised with something as simple as a $2 wireless emitter.


Alerts from Amazon Ring are often false alarms

www.cnet.com
Residents with Ring doorbells have been frequently pinging police with footage that doesn’t contain any crimes. (Chris Monroe/CNET)

In May, police in Hammond, Indiana, got a suspicious-person alert from a concerned resident. She could see a man, she told officers, through her Ring smart doorbell.

The resident had already sent police another message, along with footage from her internet-connected video doorbell, about an earlier incident. Now the resident was even more frightened, having watched a new incident unfold on her phone through a live feed from her Ring app.

She sent police the video recorded from the doorbell. Police immediately knew the man wasn’t a criminal.

“It was one of our detectives. He was going there to interview the person for whatever the situation was,” said Steve Kellogg, a public information officer for Hammond Police, adding that the cop was wearing plain clothes but had a badge around his neck. The badge was out of the Ring camera’s line of sight, but the resident would have spotted it immediately had she gone to the door, the officer added.

“He’s clearly on the camera saying he’s with the police department,” Kellogg said.

The incident is among the growing number of false alarms involving Ring cameras, which have spread around the country as police departments partner with Amazon’s smart doorbell company. False alarm calls are nothing new, but police say the Ring doorbells make it easier for citizens to report anything they find suspicious and send video for law enforcement to review.

Ring and police have promoted these partnerships on social media, often demonstrating their value by highlighting incidents in which Ring has stopped package thefts.

“The more people involved in your neighborhood watch, the safer our neighborhoods become,” Ring says on its website. “Ring connects citizens with each other and local law enforcement to make a true impact on your community.”

Ring’s limitations, however, aren’t prominently featured.

In towns where police have signed up for Ring, officers told CNET that having the extra sets of eyes in neighborhoods doesn’t mean the police are solving more crimes. In some cases, it simply means there’s more worry among residents.

At the International Association of Chiefs of Police conference in May, police from Chandler, Arizona, said apps like Ring’s Neighbors have prompted residents to believe crime is prevalent even though violent crime is at historic lows in the city, according to notes provided by Dave Maass, a senior investigative researcher at the Electronic Frontier Foundation, who attended the conference.

“Once you start having all of these cameras and start linking them to automatic notifications, the public may get the sense that crime is on the rise when it actually isn’t,” Maass said.

Detective Seth Tyler, a Chandler police public information officer, told CNET that the department has received an average of two alerts a day from residents through the Neighbors app since the department partnered with Ring in April. Typically, the footage is of cars driving in neighborhoods, people walking or strangers at doorsteps, Tyler said. These aren’t crimes, but Chandler police will still investigate those leads, the officer said.

“Some people are better than others at determining crimes,” Tyler said. “But from our perspective, I can tell you that we would be more than happy to investigate all of those.”

The department’s crime prevention unit has three officers responsible for watching footage from Ring’s app and investigating leads. Last December, Ring CEO Jamie Siminoff and Neighbors general manager Eric Kuhn told CNET that roughly one in three posts shows crimes or public safety issues. About 65 percent of posts on Neighbors are “suspicious behavior” or solicitors and strangers on people’s property.

“Ring is proud of how engaged our users are within their communities, which includes alerting local law enforcement if something seems out of the ordinary,” a Ring spokesperson said in a statement. “Reaching out to local law enforcement for help is exactly what the public has been taught to do and gives local law enforcement the chance to decide if further action is needed. This is a key part of the community’s relationship with law enforcement, and that is not exclusive to owning a Ring device or engaging on the Neighbors app.”

Amazon doesn’t disclose how many police departments it works with, but a CNET investigation found more than 50 law enforcement agencies had developed relationships with the Ring business over the last two years. Fight for the Future, a tech-focused nonprofit, has created an interactive map to identify where police have partnered with Ring. Motherboard reported that Ring told police it’s partnered with 200 law enforcement agencies in the US.

Amazon purchased Ring in 2018 for $839 million, according to SEC filings. At the time, analysts forecast that more than 3.4 million video doorbells would be sold that year.

Some Ring true

Not all calls to Ring are false alarms.

The cameras have helped solve plenty of crimes, including a double homicide in Gary, Indiana. Prosecutors in a murder case in Texas used Ring footage to show an alleged killer entering a home. In Bloomfield, New Jersey, an entire town covered in Ring cameras, the system has helped solve an armed robbery as well as car thefts, according to Capt. Vince Kerney, Bloomfield’s detective bureau commander.

Still, there’s often more footage of innocent behavior than there is of actual crime, police say.

Kerney recalls an incident in which his department received footage from four homes about a truck suspected of following a child around. They were able to identify the truck based on the video provided. After investigation, it turned out to be a false alarm.

“There was no crime that was being committed. It was just a coincidence that this person pulled over in front of a kid, and he got scared and ran away,” Kerney said.

It’s unclear how many false alarms have been sent to police. Amazon doesn’t provide overall statistics on usage of the device.

In February, The Outline detailed an incident in which a resident called police after seeing footage of someone walking through her front door in California. The dispatcher helped the caller realize she was watching footage of herself entering her home.

Though Ring has helped police solve some crimes, it’s unclear if the technology has any significant effect on crime rates. Amazon says it does, citing a 2015 pilot program in Los Angeles that found Ring doorbells helped to more than halve burglaries. Last October, MIT Technology Review looked at crime data and found the study wasn’t as accurate as its authors claimed.

In some cases, police don’t get information from Ring or Neighbors quickly enough to be useful. In Hampton, Virginia, police put out an alert for a missing person on Neighbors, asking residents to send any footage they could. The missing person was found before any footage was received, police said.

More footage, more problems

In March, Eric Piza, an associate professor at the John Jay College of Criminal Justice, released a study that found surveillance cameras were mostly effective when they were being actively monitored. They did little to reduce crime rates if police were receiving footage after an incident.

With Ring, police are receiving even more footage, and Piza found that officers often don’t have resources dedicated to watching it all.

“What my research has found is that police can have too many videos to actively monitor,” he said. “If police plan on integrating Ring footage into their operation, technology requires manpower to be effectively used.”

Because Ring partnerships give citizens a direct line to police through the Neighbors app, Piza is concerned about overreporting of innocuous activities. In February, Motherboard reviewed more than 100 Neighbors posts, the majority of which were reports of people of color going about daily life.


Often, the footage simply captures people walking through a neighborhood. They aren’t engaged in any activity that could be considered suspicious, Piza said.

Ring’s relationship with police has created more cameras in residential neighborhoods and more opportunities to find footage to solve crimes, but it’s also opened up the pipeline for unfounded concerns.

“We’ve seen from research that people are not the best judges of criminal behavior,” Piza said. “Especially recently, with white citizens reporting black citizens for innocent and innocuous behavior.”


Vivint’s Solicitation Permit Revoked in N.C. Town After Breaking Door-Knocking Rules

Huntersville, N.C. police say residents complained about Vivint door-knockers “being pushy, argumentative, sometimes cursing and coming late at night.”


HUNTERSVILLE, N.C. — Door knockers present a bit of a quandary for the security industry. On one hand, door-to-door sales can be an effective marketing tool. On the other, a public nuisance.

Huntersville police have kicked Vivint door-to-door salespeople out of their town after hearing complaints from residents.

“We received a lot of complaints from residents throughout Huntersville about them being pushy, argumentative, sometimes cursing and coming late at night,” Officer Odette Saglimbeni told WBTV.

Huntersville police say they ran background checks on the employees who would be soliciting in the town when Vivint applied for the solicitation permit.

The permit was granted after everything came back okay. The permit was issued with the understanding that the workers would operate under the usual door-knocking parameters, including a town ordinance that bans soliciting between 8 p.m. and 7 a.m.

However, police say the workers broke the rules within two weeks. Because issues persisted, even after being warned, police decided to revoke the solicitation permit.

“If they’re being pushy and argumentative causing an issue with residents that’s not what we want. If they want to go out there and solicit business that’s fine but they need to do it in a professional manner that does not cause people to be concerned, doesn’t scare people or feel like they’re being pressured,” says Saglimbeni. “We felt that they were enough complaints and they were pretty consistent with everybody that was complaining that they were being pushy, argumentative, and trying to get into homes, not leaving when asked to leave – so we felt best interest of the public we should revoke that permit.”


How Nest, designed to keep intruders out of people’s homes, effectively allowed hackers to get in

Reed Albergotti, The Washington Post


Tara Thomas thought her daughter was just having nightmares. “There’s a monster in my room,” the almost-3-year-old would say, sometimes pointing to the green light on the Nest Cam installed on the wall above her bed.

Then Thomas realized her daughter’s nightmares were real. In August, she walked into the room and heard pornography playing through the Nest Cam, which she had used for years as a baby monitor in their Novato, California, home. Hackers, whose voices could be heard faintly in the background, were playing the recording, using the intercom feature in the software. “I’m really sad I doubted my daughter,” she said.


Though it would be nearly impossible to find out who was behind it, a hack like this one doesn’t require much effort, for two reasons: Software designed to help people break into websites and devices has gotten so easy to use that it’s practically child’s play, and many companies, including Nest, have effectively chosen to let some hackers slip through the cracks rather than impose an array of inconvenient countermeasures that could detract from their users’ experience and ultimately alienate their customers.

The result is that anyone in the world with an internet connection and rudimentary skills has the ability to virtually break into homes through devices designed to keep physical intruders out.

As hacks such as the one the Thomases suffered become public, tech companies are deciding between user convenience and potential damage to their brands. Nest could make it more difficult for hackers to break into Nest cameras, for instance, by making the log-in process more cumbersome. But doing so would introduce what Silicon Valley calls “friction” – anything that can slow down or stand in the way of someone using a product.

At the same time, tech companies pay a reputational price for each high-profile incident. Nest, which is part of Google, has been featured on local news stations throughout the country for hacks similar to what the Thomases experienced. And Nest’s recognizable brand name may have made it a bigger target. While Nest’s learning thermostats are dominant in the market, its connected security cameras trail the market leader, Arlo, according to Jack Narcotta, an analyst at the market research firm Strategy Analytics. Arlo, which spun out of Netgear, has around 30 percent of the market, he said. Nest is in the top five, he said.

Nik Sathe, vice president of software engineering for Google Home and Nest, said Nest has tried to weigh protecting its less security-savvy customers while taking care not to unduly inconvenience legitimate users to keep out the bad ones. “It’s a balance,” he said. Whatever security Nest uses, Sathe said, needs to avoid “bad outcomes in terms of user experience.”

Google spokeswoman Nicol Addison said Thomas could have avoided being hacked by implementing two-factor authentication, where in addition to a password, the user must enter a six-digit code sent via text message. Thomas said she had activated two-factor authentication; Addison said it had never been activated on the account.


The method used to spy on the Thomases is one of the oldest tricks on the Internet. Hackers essentially look for email addresses and passwords that have been dumped online after being stolen from one website or service and then check to see whether the same credentials work on another site. Like the vast majority of Internet users, the family used similar passwords on more than one account. While their Nest account had not been hacked, their password had essentially become public knowledge, thanks to countless other data breaches.

In recent years, this practice, which the security industry calls “credential stuffing”, has gotten incredibly easy. One factor is the sheer number of stolen passwords being dumped online publicly. It’s difficult to find someone who hasn’t been victimized. (You can check for yourself here.)

A new breed of credential-stuffing software programs allows people with little to no computer skills to check the log-in credentials of millions of users against hundreds of websites and online services such as Netflix and Spotify in a matter of minutes. Netflix and Spotify both said in statements that they were aware of credential stuffing and employ measures to guard against it. Netflix, for instance, monitors websites with stolen passwords and notifies users when it detects suspicious activity. Neither Netflix nor Spotify offer two-factor authentication.

But the potential for harm is higher for the 20 billion Internet-connected things expected to be online by next year, according to the research firm Gartner. Securing these devices has public safety implications. Hacked devices can be used in large-scale cyberattacks such as the “Dyn Hack” that mobilized millions of compromised “Internet of things” devices to take down Twitter, Spotify and others in 2016.

In January, Japanese lawmakers passed an amendment to allow the government to essentially do what hackers do and scour the Internet for stolen passwords and test them to see whether they have been reused on other platforms. The hope is that the government can force tech companies to fix the problem.


Security experts worry the problem has gotten so big that there could be attacks similar to the 2016 Dyn hack, this time as a result of a rise in credential stuffing.

“They almost make it foolproof,” said Anthony Ferrante, the global head of cybersecurity at FTI Consulting and a former member of the National Security Council. He said the new tools have made it even more important to stop reusing passwords.

Tech companies have been aware of the threat of credential stuffing for years, but the way they think about it has evolved as it has become a bigger problem. There was once a sense that users should take responsibility for their security by refraining from using the same password on multiple websites. But as gigantic dumps of passwords have gotten more frequent, technology companies have found that it is not just a few inattentive customers who reuse the same passwords for different accounts – it’s the majority of people online.

Credential stuffing is “at the root of probably 90 percent of the things we see happening,” said Emmanuel Schalit, chief executive of Dashlane, a password manager that allows people to store unique, random passwords in one place. Only about 1 percent of Internet users, he said, use some kind of password manager.

“We saw this coming in late 2017, early 2018 when we saw these big credential dumps start to happen,” Google’s Sathe said. In response, Nest says it implemented some security measures around that time.

It did its own research into stolen passwords available on the Web and cross-referenced them with its records, using an encryption technique that ensured Nest could not actually see the passwords. In emails sent to customers, including the Thomases, it notified customers when they were vulnerable. It also tried to block log-in attempts that veered from the way legitimate users log into accounts. For instance, if a computer from the same Internet-protocol address attempted to log into 10 Nest accounts, the algorithm would block that address from logging into any more accounts.
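The per-address limit described above, sketched as an added example (this is not Nest's code; the article gives only the threshold of 10 accounts). The one-hour window, the log format, the addresses and the account names are assumptions constructed for the illustration.

```python
import calendar
import time
from collections import defaultdict

MAX_ACCOUNTS_PER_IP = 10   # threshold quoted in the article
WINDOW_SECONDS = 3600      # assumption: the article states no time window


class DistinctAccountLimiter:
    """Refuse log-ins to further accounts once one source address has
    already tried MAX_ACCOUNTS_PER_IP distinct accounts in the window."""

    def __init__(self, max_accounts=MAX_ACCOUNTS_PER_IP, window=WINDOW_SECONDS):
        self.max_accounts = max_accounts
        self.window = window
        # ip -> {account: timestamp of the most recent allowed attempt}
        self._seen = defaultdict(dict)

    def _expire(self, ip, now):
        """Forget accounts this address has not touched within the window."""
        accounts = self._seen[ip]
        for account in [a for a, ts in accounts.items() if now - ts > self.window]:
            del accounts[account]

    def allow(self, ip, account, now):
        """Return True if the attempt may go on to password verification.

        Counting happens before the password is checked, so failed and
        successful attempts both count toward the limit."""
        self._expire(ip, now)
        accounts = self._seen[ip]
        if account in accounts:
            # A household re-using its own few accounts is never penalised.
            accounts[account] = now
            return True
        if len(accounts) >= self.max_accounts:
            return False
        accounts[account] = now
        return True


def parse_line(line):
    """Parse one constructed log line: '<UTC timestamp> ip=<addr> user=<account>'."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = calendar.timegm(time.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"))
    return ts, kv["ip"], kv["user"]


def build_sample_log():
    """Constructed sample input, not real traffic."""
    lines = []
    # One address working through 12 different accounts, 5 seconds apart.
    for i in range(12):
        lines.append(
            f"2019-04-01T12:00:{i * 5:02d}Z ip=203.0.113.7 user=user{i:02d}@example.test"
        )
    # A household alternating between its own two accounts.
    for i in range(6):
        who = "parent" if i % 2 else "teen"
        lines.append(
            f"2019-04-01T12:01:{i * 5:02d}Z ip=198.51.100.20 user={who}@example.test"
        )
    return lines


def replay(lines, limiter=None):
    """Feed log lines through the limiter; return {ip: [refused accounts]}."""
    if limiter is None:
        limiter = DistinctAccountLimiter()
    refused = defaultdict(list)
    for line in lines:
        ts, ip, account = parse_line(line)
        if not limiter.allow(ip, account, ts):
            refused[ip].append(account)
    return dict(refused)


if __name__ == "__main__":
    for ip, accounts in replay(build_sample_log()).items():
        print(ip, "refused for", accounts)
```

A counter like this is only one layer: it sees a single address at a time, which is why the article goes on to discuss two-factor authentication, forced password changes and CAPTCHAs alongside it.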

But Nest’s defenses were not good enough to stop several high-profile incidents throughout last year in which hackers used credential stuffing to break into Nest cameras for kicks. Hackers told a family in a San Francisco suburb, using the family’s Nest Cam, that there was an imminent missile attack from North Korea. Someone hurled racial epithets at a family in Illinois through a Nest Cam. There were also reports of hackers changing the temperature on Nest thermostats. And while only a handful of hacks became public, other users may not even be aware their cameras are compromised.

The company was forced to respond. “Nest was not breached,” it said in a January statement. “These recent reports are based on customers using compromised passwords,” it said, urging its customers to use two-factor authentication. Nest started forcing some users to change their passwords.

This was a big step for Nest, because it created the kind of friction that technology companies usually try to avoid. “As we saw the threat evolve, we put more explicit measures in place,” Sathe said. Nest says only a small percentage of its millions of customers are vulnerable to this type of attack.

According to at least one expert, though, Nest users are still exposed. Hank Fordham, a security researcher, sat in his Calgary, Alberta, home recently and opened up a credential-stuffing software program known as Snipr. Instantly, Fordham said, he found thousands of Nest accounts that he could access. Had he wanted to, he would have been able to view cameras and change thermostat settings with relative ease.

While other similar programs have been around for years, Snipr, which costs $20 to download, is easier to use. Snipr provides the code required to check whether hundreds of the most popular platforms, from League of Legends to Netflix, are accessible with a bunch of usernames and passwords – and those have become abundantly available all over the Internet.

Fordham, who had been monitoring the software and testing it for malware, noticed that after Snipr added functionality for Nest accounts last May, news reports of attacks started coming out. “I think the credential-stuffing community was made aware of it, and that was the dam breaking,” he said.

Nest said the company had never heard of Snipr, though it is generally aware of credential-stuffing software. It said it cannot be sure whether any one program drives more credential stuffing toward Nest products.

What surprises Fordham and other security researchers about the vulnerability of Nest accounts is the fact that Nest’s parent company, Google, is widely known for having the best methods for stopping credential-stuffing attacks. Google’s vast user base gives it data that it can use to determine whether someone trying to log into an account is a human or a robot.

The reason Nest has not employed all of Google’s know-how on security goes back to Nest’s roots, according to Nest and people with knowledge of its history. Founded in 2010 by longtime Apple executive Tony Fadell, Nest promised at the time that it would not collect data on users for marketing purposes.

In 2013, Nest was acquired by Google, which has the opposite business model. Google’s products are free or inexpensive and, in exchange, it profits from the personal information it collects about its users. The people familiar with Nest’s history said the different terms of service and technical challenges have prevented Nest from using all of Google’s security products. Google declined to discuss whether any of its security features were withheld because of incompatibility with Nest’s policies.

Under Alphabet, Google’s parent company, Nest employed its own security team. While Google shared knowledge about security with its sister company, Nest developed its own software. In some ways, Nest’s practices appear to lag well behind Google’s. For instance, Nest still uses SMS messages for two-factor authentication. Using SMS is generally not recommended by security experts, because text messages can be easily hijacked by hackers. Google allows people to use authentication apps, including one it developed in-house, instead of text messages. And Nest does not use ReCaptcha, which Google acquired in 2009 and which can separate humans from automated software, like what credential stuffers use to identify vulnerable accounts.

Sathe said Nest employed plenty of advanced techniques to stop credential stuffing, such as machine learning algorithms that “score” log-ins based on how suspicious they are and block them accordingly. “We have many layers of security in conjunction with what the industry would consider best practices,” he said.

When asked why Nest does not use ReCaptcha, Sathe cited difficulty in implementing it on mobile apps, and user convenience. “Captchas do create a speed bump for the users,” he said.

The person behind Snipr, who goes by the name “Pragma” and communicates via an encrypted chat, put the blame on the company. “I can tell you right now, Nest can easily secure all of this,” he said when asked about whether his software had enabled people to listen in and harass people via Nest cams. “This is like stupidly bad security, like, extremely bad.” He also said he would remove the capability to log into Nest accounts, which he said he added last May when one of his customers asked for it, if the company asked. Pragma would not identify himself, for fear of getting in “some kind of serious trouble.”

That’s when Fordham, the Calgary security researcher, became concerned. He noticed the addition of Nest on the dashboard and took it upon himself to start warning people who were vulnerable. He logged into their Nest cams and spoke to them, imploring them to change their passwords. One of those interactions ended up being recorded by the person on the other end of the camera. A local news station broadcast the video.

Fordham said he is miffed that it is still so easy to log into Nest accounts. He noted that Dunkin’ Donuts, after seeing its users fall victim to credential-stuffing attacks aimed at taking their rewards points, implemented measures, including captchas, that have helped solve the problem. “It’s a little alarming that a company owned by Google hasn’t done the same thing as Dunkin’ Donuts,” Fordham said.

A spokeswoman for Dunkin’ declined to comment.

According to people familiar with the matter, Google is in the process of converting Nest user accounts so that they utilize Google’s security methods via Google’s log-in, in part to deal with the problem. Addison said that Nest user data will not be subject to tracking by Google. She later said that she misspoke but would not clarify what that meant.

Knowing that the hack could have been stopped with a unique password or two-factor authentication has not made Thomas, whose daughter’s camera was hacked, feel any better. “I continuously get emails saying it wasn’t their fault,” she said.

She unplugged the camera and another one she used to have in her son’s bedroom, and she doesn’t plan to turn them on again: “That was the solution.”


Resolving Smart Home Device Problems: Growing Opportunity for Support Services

There is a growing opportunity open for security integrators to address the support needs of connected consumers and their smart home devices.


As the connected home ecosystem continues to grow and the technical complexity of broadband households increases, the technical support needs of consumers change. Currently consumers own an average of 10.5 connected devices, including an average of 1.4 smart home devices.

Smart thermostats and smart security cameras lead the smart home market in reported adoption, with 11% of US broadband households owning a smart thermostat and 10% owning a smart camera.

With these connected devices come technical issues, and consumers take a range of actions after experiencing problems. These actions include seeking to resolve the problem, either on their own or with professional help, as well as returning or replacing the device.

Self-Help versus Professional Support

Among self-help support options, consumers are slightly less likely to use self-help applications on their devices than other support resources. This is likely driven by lower availability of the self-help applications compared to other self-help resources.

Among professional support resources, consumers are least likely to email a device manufacturer or contact an independent support provider. Compared to other resources, email is a less popular means of support, especially for computing device owners.

Ultimately, the decision to use self-help versus professional support resources will depend on competence and convenience.

  • Competence – Consumer familiarity with devices in the market helps to drive perceived competence.
  • Convenience – Seeking professional support, via phone, in-store services, or even a truck roll, can be inconvenient regardless of the channel. Consumers can be frustrated by long wait times to connect to remote support services through the phone or chatbots. Also inconvenient are trekking to a store for in-store support and scheduling a time for a tech to provide support at home.

The most extreme option, from an industry perspective, is to return or replace the device, but this is generally the least likely option, although consumers are slightly more likely to return smart home devices than computing or entertainment products.

Consumers are more familiar with the latter, more mature category of products and more likely to consider them essential. One in five consumers who found the smart home device setup process “very” difficult returned their device, so product returns are a threat to industry growth for the smart home.

As the smart home industry increases market penetration rates, minimizing product returns will be critical, and doing so will require increasing consumer perceptions of product familiarity and convenience when setting up, using, and troubleshooting these devices.

Premium Support

Just over one-half of smart home device problems resolved by a professional technician are resolved for free. This represents a slight increase over the past year and corresponds with a significant decrease in the percentage of consumers covering the cost of services using one-time fees.

The falloff in one-time fee payments also corresponds with a slight increase in the percentage paying for services with an existing support and warranty service.

Traditionally, companies offering premium support services for smart home devices, such as HelloTech and Amazon Home Services, did so for one-time fees. However, existing subscription support service providers — including Best Buy (Geek Squad) and Verizon — have expanded their device coverage to include smart home devices.

Support Subscriptions

While adoption of premium technical support services experienced slight growth in 2016, adoption has remained fairly constant over the past few years. Approximately 20% of broadband households report having a technical support subscription. The primary factors influencing adoption in the US market are as follows:

Top 4 Barriers

  1. Increasing device reliability – Just over 40% of consumers who do not have a technical support subscription report that they have not subscribed to a service because their devices usually perform well. If consumers perceive that they will not need support, it is highly unlikely that they will pay monthly or yearly for a support subscription.
  2. Consumer ability and desire to resolve technical problems – More than half of the technical problems consumers encountered with their devices over the past year were resolved without professional help. Among consumers who do not have technical support subscriptions, approximately one quarter report that they do not have a service because they do not need help resolving technical problems.
  3. Lower-cost technology – Given that the cost of consumer technology is declining, some consumers may choose to replace a problematic device, rather than acquire a subscription service to resolve its problems.
  4. Consumer preference to pay when they have a problem – When given the option to pay for technical support services per incident or use a monthly or annual fee, the majority of consumers (70%) prefer to pay for each incident. More than 40% of consumers who do not have a technical subscription report that they do not have one because they prefer to pay for technical support services only when they encounter a problem.

Top 5 Drivers

  1. Increasing technical complexity in the home – As consumers attempt to enable complex use cases within the smart home, interoperability issues can emerge, prompting the desire/need for support subscriptions.
  2. Connectivity issues – Maintaining reliable WiFi connectivity throughout the home is complex, and monitoring is required to prevent service interruptions.
  3. Device innovation and emerging devices – Consumers’ lack of familiarity with new products drives enablement support needs, including assistance with product setup and use.
  4. More devices in the home – Consumers with more devices in the home experience more technical problems on average, making them more likely to acquire a support subscription.
  5. Increased security concerns – Nearly two-thirds of broadband households report concerns about security and privacy when using their connected devices. Protecting consumers from ongoing threats requires ongoing monitoring – a model best served by a subscription service.

The market for support subscriptions remains fairly fragmented, with a number of consumer technology brands, including security software companies and independent companies like HelloTech, all capturing a small share.

With the increasingly competitive market for consumer technology products and services, providing robust technical support services is a competitive differentiator. There is a growing opportunity open to all players to address the support needs of connected consumers, and the smart home industry in particular is making investments in technical support resources.

  • Ayla Networks, a proven smart home platform offering Cloud services to smart home device manufacturers, recently partnered with PlumChoice to offer enhanced technical support services to its device manufacturer partners.
  • Puls Technologies, a San Francisco-based company providing smart home support, recently received $50 million in funding, an indication of an anticipated need for support services in the industry.

The consumer decision process regarding support solutions in the face of device problems depends on their perceptions of the devices and the convenience of the available options. As the number of services increases, consumers will have multiple options to choose from, so convenience will be a key factor in determining their success. Support services with intuitive self-help solutions, which can be scaled up to more robust and engaging services when necessary, will find a receptive customer base among today’s smart home households.


Lowe’s to Shut Down Iris Smart Home Platform After Failure to Sell Off the Business

Lowe’s will shut down the Iris smart home platform on March 31, but allow customers to be reimbursed for certain devices.


MOORESVILLE, N.C. – Well, you can’t say they didn’t give it the ol’ college try. After failing to find a new owner for its Iris smart home business last fall, Lowe’s has announced it will shut the platform on March 31, according to an email sent to subscribers last Thursday.

Customers with eligible products that exclusively work on the Iris platform are able to redeem them for a prepaid VISA gift card. So if a device works with Iris in addition to another hub, such as SmartThings, you’re out of luck. Customers also no longer have to pay for the service and can use it until their account is deactivated.

Considering there’s nothing worse than investing money in a platform only for it to shut down and leave users with useless devices, this isn’t a terrible deal.

A Lowe’s spokesperson told Digital Trends, “After carefully evaluating a range of options, the decision was made to shut down the Iris platform once it was determined that none of the alternatives would allow Iris to continue to deliver the experience our customers have come to expect of us. Lowe’s remains committed to carrying the breadth and depth of smart home products and brands to meet our customers’ needs now and in the future.”
