10.12.19 -SIW –
So, the only serious threat relating to these vulnerabilities is a fire that damages the wiring in a way that disables the alarm control panel, before any of the sensors has the chance to initiate an alarm signal or annunciation, and before any of the occupants has an early chance to notice the fire.
The subject line of an email that arrived in my inbox earlier this week read, “Largest alarm panel recall in industry history could be coming.” It was followed by a half dozen emails from friends and colleagues – fortunately none from clients yet –expressing concern about risks to their clients and customers. My first thought was, “What are the life-safety risks and what should be done about them?”
My second thought, after a quick scan of the provided documents, was, “We’ll need to help our clients make sense of the situation from a true risk perspective.”
Serious Dangers Asserted
The announcement linked to several documents, a 43-page report, a letter to the U.S. Consumer Product Safety Commission (CPSC), and a third-party confirmation of the vulnerability testing with a statement describing the danger. The third paragraph in the letter to the CSPC says, “Dangerously, the non-conforming control units are unable to communicate the alarm condition to the Central Monitoring Station and/or to audibly alert the property owner and their family within the household occupancy of the alarm or life safety emergency and dangers that the system has detected such as smoke detector alarm, carbon monoxide detector alarm and/or an burglar alarm sensor event which is in gross deviation to statutory requirements, UL and NFPA Standards.”
The third-party analysis by a professional engineer and standards expert states:
- All of the affected control panels should be immediately corrected.
- All of the affected consumers and businesses where these control panels are installed should be put on notice that immediate corrective action is required since the panels are non-conforming equipment.
- None of these control panels can be deemed to be reliable or safe.
- Non-confirming equipment substantially increases the risks of property loss, serious personal injury and/or death to occupants within the premises during an intrusion, fire, smoke and carbon monoxide emergency event.
- A comprehensive and corrective action plan needs to be instituted immediately.
These are all serious-sounding statements, and the provided documents stress the danger factor throughout. The tests were well-demonstrated and easy to understand. The two product vulnerabilities (one regarding communications wiring and one regarding low voltage power wiring) clearly exist – there is no doubt about that.
The report states that the totality of the non-conforming control panels total hundreds of millions of units sold and installed in the U.S. Thus, there aren’t enough replacement panels in stock to handle the recall. So, what should people do?
I’m educated and experienced in electronic device and system design, but I’m also a trained and experienced risk professional. What concerned me, as a risk professional, was the lack of accurate risk characterization, which is typical for individuals, no matter how technically savvy, who are not trained in risk evaluation. Thus, my first questions were, “What are the risk scenarios? Under what conditions will these technical problems assert themselves and keep an alarm notification from being annunciated or transmitted? How likely are those risk scenarios to occur? For each scenario, what risk mitigations should be put into place?”
Closely reading the 43-page report, I was surprised at the lack of risk characterization, given the dangers asserted. Certainly, a third-party risk professional should have been consulted to perform a risk analysis and provide recommendations to be included in the report. But the report wasn’t intended to be an announcement to alarm panel owners, but an industry (manufacturers and service providers) clarion call focusing on the security industry players themselves. In all fairness, the first statement in the Expert Report document says that it’s a “forensic analysis of single circuit data-bus connected household burglar and fire alarm system control units” and not a risk analysis.
Though I can empathize with the technologists’ reactions, I was still surprised at the omission of critical risk-related information relative to the danger assertions.
Last of all, what prompted my “drop everything” immediate investigation was the third-party analysis by a product integrity services firm stating that the alarm control panel vulnerabilities “present a clear and present danger to the hundreds of millions of homes, families and businesses where all of these non-conforming control units are installed.”
The product integrity services firm states, on their website home page, “. . . we speak the language of code, standards, laboratories and product certification (such as UL, ETL, CE, G-marking) and we know how to make sense of this expensive, timely and complicated 3rd party laboratory process.”
In other words, they are technologists and perhaps scientists, not risk professionals.
Clear and Present Danger?
Clear means obvious to see. Present means immediate. While it’s obvious to see with simple testing that the product vulnerabilities do exist, the immediacy of the danger exists only for those homes and businesses that are about to catch on fire or are about to be invaded by a technically-informed criminal or malcontent, and the occupants are unaware of the pending situations. That’s not hundreds of millions of homes and businesses.
A “clear and present danger” to hundreds of millions of homes, families and businesses is a pending disaster on the order of a wildly fast-spreading pandemic, a serious nuclear radiation event, multiple raging wildfires, a tsunami event and so on. The History channel’s website tells us that the most deadly earthquake ever recorded happened in China on January 23 in 1556 A.D. It killed 830,000 people. I just can’t consider an alarm panel vulnerability as having a potential human fatality impact greater than any previous disaster in recorded history.
What we’re dealing with here is a potential danger, not an immediate danger, for all or nearly all of the affected homes and businesses.
I can’t fault the technical folks for their opinions, because I’m nit-picky, too, and I find myself wanting to rant and rave (and sometimes have done so) about poor software or hardware design – and I’ve seen plenty of that over the past few decades. Fortunately, I’ve seen many more good designs than bad. So, I don’t blame the technical folks for getting worked up about avoidable technical flaws in a life-safety product whose functionality plays a critical role in home and business protection. The design in question is an old design from a different era, but the products haven’t all been retired or replaced yet, so that does present a situation to be addressed.
Making Sense of the Situation
From a threat and vulnerability risk perspective, there are two threats mentioned in the report and its related videos: a fire that melts any portion of the wiring between the alarm panel and the alarm sensors, and an intruder who disables the alarm system via one of the two vulnerabilities. This applies to alarm systems whose sensors have a hard-wired connection, or where there is a mix of wired and wireless sensors. If the system is disabled by shorting out the wiring to any sensors, the control panel doesn’t function and can’t receive wireless signals. But a purely wireless system doesn’t have that vulnerability.
It’s unlikely that an intruder will be able to enter a protected property to disable the alarm system unless that entry occurs during a time when the system is disarmed or if the alarm system keypads don’t have physical security protection such as motion detection that is active when the system is armed. In such a case of poor system design, an intruder could, for example, enter a vehicle garage, rip the keypad off the wall, cut and twist the wires together. If the keypad has no tamper protection in place, that would work. That’s an untypical but still realistic risk scenario.
However, the access vulnerability of the keypad can be addressed in several ways, and should be, so let’s focus on the other threat – a fire that melts the wiring (or its insulation) to the alarm sensors. Note that rodents could also eat the wiring insulation and similarly disable the alarm control panel. However, it’s likely that the home occupants or someone in a commercial building would notice that they can’t arm or disarm their alarm system. So, the only serious threat relating to these vulnerabilities is a fire that damages the wiring in a way that disables the alarm control panel, before any of the sensors has the chance to initiate an alarm signal or annunciation, and before any of the occupants has an early chance to notice the fire.
To assess the likelihood of that situation requires some understanding of the types of fires that occur and how many of them would likely take out the wiring before an alarm signal could be sent or the fire could be noticed.
National Fire Protection Association (NFPA) articles about top fire causes identify cooking, heating, electrical, smoking and candles as the leading fire causes. A cooking fire will likely trip an alarm or be noticed before any alarm system wiring is damaged. The same goes for a smoking-caused fire or fire from candles. That leaves fires caused by heating equipment and electrical hazards.
The issue with heating equipment and other electrical hazards that relate to damaging the alarm system wiring is that some portion of the fires are due to excessive wattage that overheats in-wall wiring. If that type of fire happens in a wall containing alarm system wiring, it could take out the alarm system wiring before any of the alarm sensors detect the problem. Granted, in most modern buildings ground fault circuit interrupters (GFCI) – required by building codes – would cut the over-wattage equipment source off from the power supply, instantly eliminating the threat. But those aren’t required for all power outlets, so there is still a potential risk.
There is also a separate risk from previous-generation heating equipment that fabric, paper, cardboard or other flammable substances could come into direct contact with the heating coils. But that kind of fire is almost certain to trigger a smoke detector or other sensor and the alarm system would act before its wiring gets affected.
Addressing the Real Risks
Of course, I recommend replacing the alarm systems in question with a more modern alarm system. That would eliminate these specific alarm system vulnerabilities, but more importantly, modern wireless alarm systems have much greater capabilities than systems using the decades-old vulnerable design.
However, even before upgrading the alarm systems, I would immediately check to ensure that in a potentially at-risk home or building the risks from heating equipment and electrical hazards are addressed. Please realize that the conditions bringing the alarm system vulnerabilities into play are still fire risks for homes and businesses. Fixing the alarm system won’t eliminate those fire risks! Details are provided in the NFPA fire causes and related information.
The Full Picture
There are other aspects to this alarm panel story that this article’s space doesn’t permit covering, and which aren’t of as much interest to alarm panel owners as they are to the consultants who specify and security service providers who install and service alarm systems. An in-depth article appears on the IPVM website, which closely examines the product vulnerabilities and also sheds some light on a possible motivation for issuing an alarming report about a situation that isn’t actually so alarming.
UL and Manufacturer Responses
In response to the allegations brought forth in the letter sent to the CSPC and the accompanying documents, UL told SecurityInfoWatch (SIW) that it has not identified any safety issues in its investigation into the matter thus far, which is still ongoing.
“UL’s public mission is to promote safer working and living environments for all people. We make every effort to confirm that UL-certified products meet stringent safety requirements, including opening a Product Incident Report for any issue that comes to our attention,” read a statement provided to SIW by UL. “Consistent with our usual policies regarding product safety matters, when UL received the alarm system claims, UL immediately opened a Product Incident Report and began an investigation.”
Resideo, one of the manufacturers identified in the letter as having impacted panels, said their products meet the “UL standards with which they are marked at the time of sale.”
“Resideo takes compliance with standards seriously and the design, testing and marking of our new products to meet market requirements are among our core competencies,” the company said in a statement.
DSC also responded to the report in a similar fashion. “DSC works closely with the appropriate certification agencies in the US and Canada, including the UL Testing and Certification agency. Our security panels are in compliance with the applicable standards set by these agencies at time of manufacture,” said Rob Davis, Product General Manager, Intrusion, Johnson Controls.
Intertek (ETL), ELK Products, The Monitoring Association (TMA) and the Electronic Security Association (ESA) all declined to comment on the matter. As of press time Friday, inquiries seeking comment from Napco were not returned.
This situation gives me a chance to bring up a bigger-picture topic. If you are a homeowner, when was the last time you did a safety/security assessment of your property? If you are a business end-user of security products, when was the last time you had a professional physical security assessment performed at your facility?
Each time I read a scary assertion about the topic of this article, I thought: it’s a much scarier situation that so many homes and facilities haven’t paid attention lately to their safety and security risks. City police and fire department provide sound advice for homeowners and renters of homes. Businesses should engage a professional to perform an all-hazards risk assessment, including a physical security technology evaluation, if there hasn’t been one performed at all or within the past three or four years.
The reason most business people don’t perform such assessments when they should, is that they are super busy building their business and they just don’t have time to think about it. Well, how about soundly protecting what you’re building?
About the Author:
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 23 years. He is an active member of ASIS International and its IT Security, Physical Security and Security Applied Sciences member councils. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).