How secure is the stuff you're connecting to the www?

[PeterJames]

https://nvd.nist.gov/vuln/search

[sixwheeledbeast]

These CVE lists only cover known and reported vulnerabilities.

More interesting is that Hikvision are now a CNA as of this month.

 

[PeterJames]

17 minutes ago, sixwheeledbeast said:

These CVE lists only cover known and reported vulnerabilities.

More interesting is that Hikvision are now a CNA as of this month.

 

Certified Nursing Assistant?

[sixwheeledbeast]

CVE Numbering Authority

[PeterJames]

1 hour ago, sixwheeledbeast said:

These CVE lists only cover known and reported vulnerabilities.

More interesting is that Hikvision are now a CNA as of this month.

 

I note that Dahua and Hauwei are too 

[captain-midnight]

Replying to the topic question .... as safe as the risk assessment, installed hardware design and it's software configuration can make it, with reference to customer requirements, solution design and level of funding they want to pay - it's always a trade off.

 

I've worked on customer sites that have had no network security and their internal network is completely using public IP addressing without a firewall in sight, technically just hanging off the internet - vs - a soho customer who's paid for the latest cutting edge network security only to be virtually taken out by their own users due to a lack of internal security policies and procedures.

 

What I'm trying to convey is hardware/software vulnerabilities are important but misconfigurations and/or lack of network user security policies and procedures have the greater potentail of  damage. 

[sixwheeledbeast]

This video covers the issue with our "need" for IoT going forward, which is mostly consumer led.

https://www.youtube.com/watch?v=PLiE0Nr8VOE

A must watch for anyone interested in apps for there home devices.

Apply the topic of cars and planes from the video to your security systems and consider the consequences, both from a installer and user perspective.

 

[captain-midnight]

Without doubt, there'll be either known or currently unknown, unreported, undivulged or unrealised vulnerabilities and viable attack vectors in the current range of IoT connectable alarm systems - all generations, as threats never really disappear they just evolve and mutate over time.

Attack vectors against individual stand-alone installations on their own are relatively low, but only through their relative obscurity on the internet and limited ability to identify individual locations based on purely the ISP's host DNS identifiers. Meaning if you found it's presence on the internet it would be much more difficult to identify the actual physical site location without access to ISP documentation/systems. But still the potential to make the system at least unavailable from legitimate remote access would be a trivial matter that would require minimal knowledge.

Where as any alarm systems that use a manufacturer's central servers/services to aid remote connectivity by mobile phone apps for example (eg to remove the requirements for the installer/user setting up of host to dynamitic dns services) are prone at the very least to denial of service attacks if the manufacturer's central system is compromised. This could result in an alarm system becoming unaccessible to remote management/reporting all the way through to possible disruption at the individual alarm system locations i.e the building alarm could be activated if the individual systems are then compromised. As long as you still have onsite manual hardware protection i.e mechanical door locks - it'll just possibly be an inconvenience - but when electronic door locks become more available/common and these themselves become interlinked to online services or internet connected alarm systems the game is definitely on for a would-be attacker whoop! whoop!