A critical software flaw in Carrier Global’s system, utilised by the SMC alarm center in the Netherlands, has resulted in the exposure of secret logout codes from thousands of alarm systems. The breach, first brought to light by software developer Joris Talma, has raised concerns over the potential compromise of sensitive security systems and personal data.
Key Points:
- Massive Scale: Over 26,000 active Dutch security systems managed by the SMC alarm center have been affected by the leak, including those belonging to prominent institutions and individuals such as supermarkets, banks, government agencies, and high-profile executives.
- Data Exposure: The flaw in the MAS Mobile Classic app allowed unauthorized access to critical data, including logout codes used to disarm alarm systems, and personal information of CEOs, celebrities, and public figures.
- Long-standing Issue: Despite being alerted to the vulnerability over a year ago, neither Carrier Global nor SMC took adequate measures to address the issue, leaving thousands of alarm systems vulnerable to exploitation.
- Whistleblower’s Efforts: Talma’s persistent efforts to raise awareness about the breach, including warnings to Carrier Global and SMC, went unheeded, prompting him to escalate the matter to the Dutch Data Protection Authority.
Expert Insights:
- Security researcher Matthijs Koot emphasises the severity of the breach and its potential exploitation by organized crime and foreign intelligence services.
- Technical director Ralph Moonen highlights the risk posed by such vulnerabilities, enabling unauthorized physical access to buildings.
Response from Authorities:
- Member of Parliament Barbara Kathmann demands an investigation into the extent of the breach and the delay in addressing it, expressing concern over the significant impact of cybercrime on the economy.
- SMC has initiated an investigation into the breach, implementing additional security measures and resetting all logout codes as a precautionary measure.
- Carrier Global is conducting an investigation into the matter, emphasizing their commitment to prioritizing customer data security.
- Securitas, upon learning of the leak, promptly disabled the affected system and reported the breach to the Dutch Data Protection Authority.
Conclusion: The breach underscores the critical importance of robust cybersecurity measures and prompt response to vulnerabilities. As investigations continue, stakeholders are urged to remain vigilant and take proactive steps to safeguard sensitive data and security systems.
Source article:
Geheime afmeldcodes van duizenden alarmsystemen opvraagbaar door softwarefout (Secret logout codes of thousands of alarm systems retrievable due to software flaw)