Envisalink 2DS & Security Of Access to my alarm system

[sparky2708]

When I logged in to my Eyez-On account I clicked the link "Mobile Portal Link" and it generated the URL I am supposed to use to access Eyez-On on my mobile device. Two issues:

(1) I found it strange that it doesn't ask me for a username/password when I go to the "Mobile Portal Link" on my mobile device. Shouldn't it?

(2) If it doesn't ask me for a username/password in (1) above then how is this site secure? Couldn't a hacker just keep trying URLs and eventually guess the URL of my Mobile Portal Link and then he would be able to issue commands to my alarm system?

[bpsmicro]

This isn't an "official" reply, but...

On your mobile device, if you're concerned about security, you'll have a password on the device. A lot of people learn *that* the hard way.

If your system is armed, then even if somebody accesses the link they can't disarm the system without knowing your alarm code, just as if they were standing in front of the panel. While I've never tried, I was under the impression that a lot of other functionality was restricted (by the panel itself) if the system was armed.

That just leaves the possible issue of somebody doing something while the system is disarmed. How much of a security concern that might be isn't clear to me. I don't know, for example, if somebody can add a new "user" to your panel remotely without knowing the master password.

Brad.

[sparky2708]

Brad,
thank you for the unofficial response but it is a little worrisome for me. Given enough time (and hey hackers have all the time in the world) someone could access your panel and wreak all kinds of havoc like putting your alarm in test mode every 5 seconds or re-programming it. The 2DS is like a keypad and I believe it can do anything that a keypad can do. Guessing a 4 digit installer code (if hacker could get access to installer section) would be trivial. A computer can brute force attack the code and try EVERY 4 digit code in a matter of minutes or quicker. More concerning is that I am sure a lot of people don't udnerstand the risk and AREN'T changing the DEFAULT installer code or the DEFAULT master code which IS REALLY BAD!

[sparky2708]

This isn't an "official" reply, but...

On your mobile device, if you're concerned about security, you'll have a password on the device. A lot of people learn *that* the hard way.

Brad.

But I don't need your mobile device to find the URL. I could try a bunch of things:

(1) I could try every URL until I find one (more like a Denial-of-Service attack). Something like "try all URLs in the form of: "https://www.eyez-on.com/EZMOBILE/index.php?mid=(long hash)&action=s. Although "(long hash)" is long which is somewhat of a relief and hopefully "Eyez-On" would discover someone who tries to check every string combination out there.

(2) But maybe you DON'T need to check every "long hash" out there. The "long hash" is sent as a plain-text email to you so someone could potentially capture the URL as it is relayed to your e-mail address. After all e-mail is not secure and is public which is why you don't send SS# in e-mail - this URL is kind of like your SS#. Isn't it? Maybe the URL should be sent using something like "Secure Mail" (www.hushmail.com) or something internal. Although this won't really solve the problem of someone eventually guessing it or see (3) below.

(3) Or I could try sniffing your IP address assigned by your network provider (Verizon FIOS, CableVision, Time Warner, etc) to see where your packets are going. I would eventually see the "secret" URL after sniffing your packets for a couple of days.


PROPOSED SOLUTION:
----------------------
Adding a username/password to the mobile site would pretty much defeat all these methods of attack and make me feel that my system is safer. I don't know if relying on the URL to be secret is the right thing to do as it is transmitted publicly in too many places...

[GrandWizard]

Hi, this comes up from time to time. The reason for the option to use the QuickLink was due to the flood of complaints about how long it takes to log-in on mobile phones. If you don't want to use the quicklink just go directly to the mobile portal and you will be prompted for username and password just like in the "old days".

I do want to correct some of things that you said though. This is NOT a glaring security hole. It was well thought out and it is a good comprimise between security and convenience. It is very similar to an RF keyfob in the nature of risk.

The unique link contains a one-way SHA2 HASH of a number of things including a very long random number that changes everytime you generate a link. If an attacker was trying to randomly access your account, it would be much simpler to attempt to guess your username and password than it would to unravel the one-way hash. As we limit access to portal to one access per second, that means it would take approximately 4 x 10^69 years to go through all possible combinations to get access to your house. Guessing that your password is your girlfriend's birthday might be a little easier

Per your number 3, the URL uses SSL so your link is NEVER sent in the clear. Run a packet sniffer yourself and you will see that secure socket is set up before your GET is even sent from your browser.

Regardless, if you're not comfortable using it, then don't. You can just go to the regular login prompt at

https://www.eyez-on.com/EZMOBILE

[sparky2708]

Thank you for the reply GrandMaster. Also, can I send ANY command to my 2DS or only certain commands?

[GrandWizard]

We only support 0..9, * and # keypresses from the portal. You can't use the scroll keyps or the user defined keys.

[britben]

One more thing, you can change the system to use six digit codes. Since the majority of systems, and hackers expect 4 digits, they may just move along to someone else "easier" if they find you using six. You don't have to have the most secure house in the neighborhood, so long as you are more secure than the majority. Easier targets are a sad fact of life.