ALARM monitoring’s future looks both threatening and full of opportunity – new technology offers plenty if the right business models can be found but there’s a chance the shift to networked security and automation solutions could impact on the underlying nature of alarm monitoring and the alarm monitoring industry.

PROBABLY the most interesting thing to happen to the alarms industry in last year is UL’s 1023 approval of the Z-Wave wireless mesh protocol which allows the technology to be incorporated into professional-grade UL-rated alarm sensors. Sigma Z-Wave transceiver models to which UL1023 applies include ZM5101, ZM5202, and ZM5304, and all now feature protocol SDK version 6.60 and are evaluated to UL’s standards for home security. The transceivers feature anti-jamming and AES 128-bit encryption provisions and moving forward this means every device in a Z-Wave system from sensors to locks can reside in a secure ecosystem. 

This ratification of Z-Wave by UL was important because the market feared – and I think these fears were at once slightly justified and yet well off the mark – that Z-Wave was hackable and that once a device had been breached it would give an attacker ready access to an entire Z-Wave security and automation mesh. The threat was revealed when U.S. Black Hats intercepted a Z-Wave transmission and impersonated a device last year but it’s my opinion that as a raw wireless technology, Z-Wave is superior to consumer-grade 433MHz comms found in most alarm sensors and garage remotes. Adding anti-jamming and AES encryption to Z-Wave simply takes things to an even higher level. If there’s any negative about Z-Wave in security sensors, it’s an issue of battery life. That issue is being resolved as manufacturers develop more efficient designs but it battery life is likely to remain lower with Z-Wave. 

“Our manufacturers and their networks of installers and monitoring providers are yet to come up with holistic, futureproof security and automation ecosystems fronted by competitively priced and yet profitable business models”

What does all this mean for alarm monitoring? It means that serious security manufacturers of quality alarm sensors – Vivint, Risco, Bosch, Interlogix, Honeywell and others – are going to be motivated to incorporate Z-Wave into alarm sensors for a number of reasons. The first is that many of their controllers already include Z-Wave transceivers and it makes no sense to use 2 independent wireless networks when one will do a better job for less money. Security manufacturers will also find themselves competing with manufacturers of UL-endorsed Z-Wave sensors spilling over from the automation market. There are around 350 Z-Wave manufacturers globally and the chance some of them won’t take a tilt at professional grade alarm sensors is a big fat zero. 

From here out, things get interesting from a temporal standpoint. What will the future look like? Proper UL security sensors running on Z-Wave don’t need to work with traditional solid state alarm panels with Z-Wave bolted on. Instead they can be deployed around any one of dozens of controllers like Samsung’s SmartThings Hub, which supports Zigbee and Wi-Fi and Z-Wave and Bluetooth and has USB ports and is addressed by a comprehensive (probably a much too comprehensive) mobile app. 

That’s really the fulcrum of upheaval right there when it comes to threats facing traditional solutions – home automation hubs handling proper security sensors that link via existing WiFi to existing and increasingly reliable IP networks for pro-grade monitoring and remote user managment. Smart networkable hubs which integrate with any of 1500 or more Z-Wave security and automation devices can only be seen as the market disrupter of the future. Some manufacturers are well aware of this, as their router-looking security and automation systems loudly declare. 

Annoyingly, it’s not as if electronic security manufacturers can’t do it better – the industry’s sensors, cameras, locks, keypads, mobile interfaces and its underlying comprehension of the robust dependability required by alarm systems with a 20-year lifespan, is second to none. But our manufacturers and their networks of installers and monitoring providers are yet to come up with holistic, futureproof security and automation ecosystems fronted by competitively priced and yet profitable business models. 

It’s not all scary, however. Convenience and security are not the same things. The Internet of Things is sure to riddled with back doors in a way that makes serious security managers and cautious business and home owners shudder in their shoes. For instance, IoT search engine Shodan recently discovered a teddy bear was vulnerable to hacking and found video monitors could be accessed by unauthorised mobile phones.  

What’s interesting is that most backdoors to IoT devices are things like default passwords or flawed configs – those guilty of the former misstep include anyone who’s stuck with Admin 12345 or Root Pass as a user name and password for their network camera, then promptly forgot they did so. According to Tom Lysemose Hansen, of app security firm Promon, part of the IoT vulnerability when it comes to consumer DIY gear is due to the ease with which consumer goods can be cracked. 

“If the default passwords are not changed bypassing them is relatively simple,” explained Hansen recently. “A patch can be introduced retroactively but until then, the device could be a single entry point into an entire private network, enabling hackers to uncover sensitive data or relay false information. The model of using default passwords must be put to bed if IoT is to become an integral feature of domestic life, otherwise its associated dangers will overwhelm any perceived benefits.

“The security of the IoT hinges on the apps used to access, monitor and control the device – whether it’s a mobile app used to control a doorbell or a teddy bear. It is crucial this app is able to self-protect, otherwise sensitive data, such as passwords, may be leaked and misused. Ideally, the device should verify that it’s being accessed from a trusted app, and this verification process should not rely on single static factors, like default passwords, but multiple factor authentication to ensure the integrity of the private network.

“While the implications of a hacked banking application are widely recognised, wireless consumer goods now pose an uncertain threat,” Hansen explains. “How app developers and manufacturers handle these threats will determine the success and legality of their entry into the consumer IoT market. It’s important that these early incursions on unsafe networks are nipped in the bud with effective security measures, namely the replacement of ineffective or unavailable anti-malware software with perennial in-app security and a more individualised, user-friendly password system. 

“The developers of applications are all too eager to crack the simplest and least demanding way of controlling a device remotely, but in order to maintain IoT’s pace of growth without muddying its image – adequate security must be developed in tandem.”

Is it likely automation and app developers will create secure home automation solutions interfaces and networks able to seriously challenge traditional security solutions? Perhaps, and the UL listing of Z-Wave is a step in that direction. But in the medium term it’s still the traditional solutions that offer users the pinnacle of reliability, sensor quality, network isolation, professional monitoring support and integrated comms backup. In the longer term, however, it’s a mistake to think that Z-Wave hub controllers are not going to become powerful and flexible security solutions in their own right. But exactly what that means for the electronic security market in the long term remains difficult to say. ♦

By John Adams