Hey Alexa, Unlock My Back Door & Potential QR Vulnerabilities

I am not a proponent of smart home devices such as Google’s Nest or Amazon’s Alexa. I suspect that part of my reluctance to install these devices is the numerous potential security problems to which such systems can be susceptible.

I will admit to a certain amount of paranoia; but I really don’t think that putting a smart device that listens to voices and conversations in my home is a great idea. Every day I read on the internet about different security problems that such systems can pose.

There are a number of DIY and installed alarm systems that support these voice-activated systems, including Simplisafe, Cove, Vivint, Ring and other major alarm suppliers. Connecting these systems to a smart home voice controller is simply asking for trouble.

Part of the problem is the DIY installation by the end users. These systems come pre-programmed to be as simple as possible for an uninitiated user to hook up and make operate. These simplified programming features can result in major security holes that can be easily and quickly exploited to allow the degrading or complete disarming of a connected alarm system.

Some of the common ways to hack into such systems include exploiting the universal plug and play Wi-Fi feature found in many residential-grade system routers. The hacker gets onto the target’s network and can access the smart systems to disable devices, open door locks, control PTZ cameras, and the like.

Another common path to hacking these systems is the creation of third-party apps that contain malware to assist the hacker in controlling the system. Once loaded into their smart phone, such apps can allow unauthorized users to take control of smart systems.

And perhaps the simplest attacking method is to simply yell, “Alexa, open the (garage, back, front) door” through a window.

And while the manufacturers issue patches and warnings to users, how many people will update their system when notified? I suspect that most system security upgrades are performed after the burglary has occurred

If a security system is connected to one of these systems and a successful attack occurs, I believe that the customer will likely blame the alarm company and not the mega-corporation that provided the porous “smart” gateway into their building. They have their alarm company’s phone number; who do they call at Google or Amazon?

This headlong dive into smart home system installations (millions are sold every year) can leave owners quite vulnerable to hacking attacks. Security dealers might carefully consider whether customers' vital security devices and functions are made controllable by one of these smart systems. In my world, the security system is separate from every other network in my houses, except for central station reporting. I guess I’m just old school.

Now, to the QR codes. During one of my last airplane trips this past year I was at Midway Airport and it was lunch time. I found an open bar/restaurant and asked the waiter for a menu. “We don’t have menus,” he said. “Just scan the QR code on this placard.” Because of COVID-19 many of the restaurants that are still open don’t want to provide a written menu and expect their customers to do the QR shuffle to get the listings of menu.

I don’t scan QR codes. When the waiter said that they had no menus I had to interrogate him regarding the lunch sandwich options available. I did get lunch, so I guess I dodged the QR problem temporarily.

QR codes were first developed in 1994 by a subsidiary of Toyota. The idea was to automate the manufacturing and assembly of cars and trucks. Now QR codes are everywhere, with everything from TV news to catalogs to programming smart home devices requiring that a QR code be scanned onto a user or technician’s smart phone.

What most all unsuspecting users don’t understand is that QR codes are easily manipulated to provide opportunities for bad guys to steal passwords and other information. QR codes often will connect users to particular websites, such as a restaurant. Often the hacker will dummy up a fake web page that looks exactly like the restaurant’s, and slip it into the plastic holders while no one is looking. If the user scans the rogue QR code and punches in his/her credit card info to buy lunch, that information is grabbed and exploited by the hacker(s).

This proliferation of QR codes and the trusting nature of the connected public is going to provide increasing opportunities for exploitation and invasive actions. Phones may be “smart,” but that doesn’t mean the user is.

Warning your technicians about not randomly scanning QR codes onto their smart phones which they also use for business functions is probably a good idea. The more “connected” we get, the more hacks will sprout to attack our digital worlds.

Bio: Dave Engebretson provides fiber optic and networking training for low-voltage technicians. He recommends the Little Richard version of the Rolling Stones’ “Brown Sugar,” available online. And if you have the time, binging “Ozark” provides a quality if convoluted story with money laundering being the central theme.

PSA Security Network is one of the nation’s leading sources for education, training, and industry networking events. With multiple settings and events throughout the year to meet and exchange industry knowledge, there is something for everyone.

The Electronic Security Expo, owned by ESA, is designed to help electronic security pros to network with other like-minded professionals and to educate about improving your company’s efficiency and productivity

Hey Alexa, Unlock My Back Door & Potential QR Vulnerabilities

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest security marketplace trends.

Hey Alexa, Unlock My Back Door & Potential QR Vulnerabilities

Share This Story

Related Articles

Related Products

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest security marketplace trends.