23
Just found out most alarm panels are sending data unencrypted to the monitoring station
I was doing a routine firmware update on a new Vista 21iP last Tuesday and got curious about the actual data stream. So I hooked up a Wireshark session between the panel and the cellular communicator just to see what was going across. Turns out the panel ID, zone descriptions, even the customer name came through as plain text. No encryption at all. I called the tech support line for the monitoring company and the guy basically said 'yeah that's standard for most systems under 200 zones.' I've been installing for 7 years and never thought to check this. Now I'm wondering about liability if a customer data breach traces back to a system I put in. Has anyone else actually verified what their panels are sending on the backend?
2 comments
Log in to join the discussion
Log In2 Comments
veraw4710d ago
Honestly, I think this is a lot of noise over nothing. The monitoring station is a closed network, right? It's not like some random hacker is sitting there sniffing your customer's zone descriptions. I've been doing this for 12 years and never once had a data breach through the alarm panel. If someone really wants your customer's name, they'll get it way easier from a public records search than they will from your panel's data stream. How many of these supposed breaches have actually happened?
5
williamt4410d ago
and see that's exactly the kind of thinking that gets us into trouble lol. 'closed network' means nothing when you've got contractors, ex-employees, or even just a misconfigured router somewhere in the chain. I had a buddy who worked at a central station and they found out a tech was just casually logging into the monitoring software from his home PC using the default admin password. That's the real world. Plus think about all those cellular communicators that update firmware over the air, if that link is plain text then someone could theoretically inject stuff or replay zone data to trigger false alarms or worse. The fact that nobody's had a big public breach yet doesn't mean the data is safe, it just means nobody's bothered to look or the bad actors haven't found it worth their time yet.
1