Ring the alarms: researchers able to hijack internet-connected security system

Updated on: 15 November 2023

Vilius Petkauskas
Deputy Editor

Researchers identified multiple vulnerabilities in internet modules from the Paradox Security Systems. Researchers claim that threat actors could use flaws to disarm physical security and insert themselves inside the network.

Researchers at Critical Security, a cybersecurity company, found issues with Paradox Security Systems IP150 and IP150+ internet modules. Vulnerable modules are used in combination with security alarm panels to enable control and monitor the security alarms over the internet.

According to the press release by Critical Security, company researchers identified over 30,000 public-facing modules by the Canadian company using the Shodan network.

Threat actors could employ discovered vulnerabilities to disarm physical security and gain a foothold inside the network to which the affected IP150 or IP150+ modules are connected.

The company claims to have reverse-engineered a proprietary protocol used by Paradox internet modules. The protocol in question utilizes the ‘security through obscurity’ principle as its authentication layers use ‘paradox’ as the hardcoded password that cannot be changed in 4.x and the latest firmware versions.

The press release states that Critical Security used the hardcoded password as a remote exploit. That, in turn, allowed them to overwrite the firmware of an IP module over the internet with a custom malicious image that would act as a persistent backdoor to the network it is connected to.

“Since alarm systems are usually installed and managed by specialized physical security solution providers, homeowners and organizations may not realize that a vulnerable device is present on their network,” Miroslav Lucinskij, general manager of Critical Security, is quoted in the press release.

The company claims their attempts to contact Paradox were met with a wall of silence. Therefore information about the discovery was made public. In depth communication protocol design flaws and other details are discussed in a technical blog post.

Researchers behind the discovery advise users to put the affected IP150/150+ devices behind a firewall, granting permission to connect the device only to whitelisted IPs. Ideally, a potentially compromised device should be put inside an isolated network or have connectivity terminated altogether.

“Hopefully, this discovery will help to increase the level of overall security awareness, and manufacturers will spend more efforts securing their product as the flaws allow the malicious actors to disable security alarms which is a huge threat alone,” claims Lucinskij.

Connected curse

As the recently published research by the CyberNews team shows, once a device is connected to the internet, more attention needs to be paid to guaranteeing security.

As recently as in April, our team found over 380,000 remote-access cameras from the 30 most popular brands. Twenty-seven of them sell their products with default credentials.

These are all CCTV/IP cameras that can be used for CCTV surveillance, outdoors, indoors, for commercial and personal use. That is to say, that it can be everything from a remote parking lot or a warehouse to a smart doorbell or a baby camera.

Last week, we published research that found over 38,000 VoIP devices identifiable worldwide, some with suspected vulnerabilities. Ideally, none of those devices should have been identifiable as phones to avoid unwanted attention from threat actors.

Therefore, businesses must keep their software and firmware of devices connected to the internet up to date.