
Sound Intelligence from SPG Controls resonates with our European partners

Digital Audio Verification to manage Alarm Events

Another addition to SPG Controls’ product line provides encrypted two-way VoIP audio for alarm verification, intercom and public address. Our latest Audio Listen-In Module connects to our S1000 Smart Controller over an encrypted OSDP bus. The S1000 then delivers the digital audio over Wi-Fi, Ethernet or 4G to our central ARCO software platform, or via industry-standard protocols to commercial security monitoring stations.

Two leading French monitoring companies have just successfully completed testing of our digital audio products in anticipation of several new projects. ESI and Azuresoft have been working alongside our European distributor, JMP Controls, based in Paris. Pascal Creff, CEO, said, “I’m delighted with the new capability and industry-leading audio quality available from SPG Controls Audio Listen-In Module. I expect to be able to offer improved alarm management and risk reduction to my growing portfolio of customers.”

Up to 8 microphones and 8 speakers can be attached to an S1000. Audio can be played back over SIP (IP telephony) or RTP streams, or sent direct to a browser. Our technology remains compatible with any central station monitoring provider, with audio control possible via DTMF commands or through industry-standard Contact ID reverse commands. Audio feeds may be triggered by alarm events governed by our “rules engine”, and pre-alarm audio is also available. Pre-recorded messages may be stored within the S1000 Smart Controller and played when triggered by specific circumstances.

Contact us to learn more about how SPG Controls applies the science of sound to help your business.

How to Improve Mobile App Security

Mobile Application Security Improvement

Mobile App Security Issues

With the increasing popularity of mobile devices, almost everybody uses mobile applications, but hardly anyone thinks about the security of their data while using them. At the same time, when developing systems, there is a tendency to focus on the security of the website or backend rather than on the mobile application itself. Security is taken for granted and left to the backend, which may have vulnerabilities of its own.
A poorly protected mobile application can be a serious threat to an entire system. Mobile devices are where we store and work on critical data: payments, access credentials, medical and banking information and, almost certainly, personal data.

The problem of mobile application security is especially concerning on Android. Because Android is an open system, it is more exposed to data breaches at the operating-system level than Apple iOS, which is a closed system. Android is also very fragmented: new versions of the system reach customers’ devices very slowly, which directly delays security improvements for the platform as a whole. This does not mean your Apple iOS system is completely safe; threats related to data storage or web server communication (such as a man-in-the-middle attack) may still make your application vulnerable.

To add perspective to the problem, let’s consider the following examples:

Data and device interception

A mobile app security breach can stem from several issues, from storing users’ data without encryption in the local database (the case of a popular communication app in 2011) to session token swapping (a problem for a well-known marketplace application in 2016). In the latter case the mobile app switched to a different user’s session token, most probably collected from deep links. Through a fake marketplace site, this opened the way to potential theft of other users’ account data, such as user ID, profile photo, phone numbers, date of birth, access logs and much other private information.

There are also several examples where an entire device has been compromised through a system vulnerability. Back in 2017, a significant security loophole called BlueBorne was discovered in Bluetooth drivers; it allowed attackers to obtain complete control of a mobile phone through remote code execution. In 2018, another issue was discovered: in order to control device modems, Android firmware used AT commands (dating back to the 1980s), and manipulating these commands allowed attackers to gain control of the entire mobile device. Luckily, you no longer have to worry about BlueBorne: it is already fixed on the majority of Android devices running 6.0 or greater and on iOS 10 and greater.

Such vulnerabilities can be exploited for a variety of purposes, for example to create false certificates and intercept the data streaming out of your mobile app, or to install malware that harvests user data. These issues were fixed rather quickly at the operating-system level, but the question remains as to the extent of the breach. Unfortunately, system loopholes normally leave users waiting for an upgrade and having to ensure app security personally.

Ensuring Mobile Application Protection

Ensuring mobile protection is an ongoing process. The most common methodology is to follow standard security practices; mobile-specific ones are now being adopted alongside them.

Standard security practices may include:

  • Encryption of sensitive personal data, including encryption of the local database, cache and API communication
  • Correct cryptographic key management and user session authorisation (tokens)
  • Token validation: assigning a token to each device separately, with different session expiration times
  • Implementation of secure communication standards, e.g. certificate pinning in the case of HTTPS

Mobile-specific security methodology may include:

  • Protection against malicious apps:
    • Blocking or masking screenshots
    • Masking the mobile app view in the app switcher, preventing any preview of the app’s content when switching to a different app
    • Securing the clipboard, so that a copied password is not visible to other mobile apps
    • IPC (Inter-Process Communication) protection: securing the components through which mobile apps and the system communicate, such as Activities, Services, Broadcast Receivers and Content Providers
  • UI security analysis, specifically in terms of data leaks (e.g. password masking or data validation)
  • Anti-tampering
  • Android-specific:
    • Code obfuscation, which limits reverse engineering
    • Proper handling of mobile app signatures
    • Blocking access to overlapping active mobile apps: protection against content scraping by apps layered on top of the active app
    • Managing permissions in Android apps
  • iOS-specific:
    • Using App Transport Security (ATS) for all internet connections
    • Enabling File Data Protection

All the stated methods cover only some of the risks, but be aware of them. Secondly, implementation or verification may require particular expertise.

How does SPG Controls ensure the security of Mobile Applications?

Mobile security is our priority. SPG Controls will ensure our Mobile Applications adhere to industry standards and are robust and resilient to attack.

Security Review

The security review is done in five steps:
1. SPG Controls reviews the project to understand the source code, structure and purpose of the application.
2. SPG Controls lists the application’s elements that introduce risk to the project.
3. SPG Controls prepares a list of the security features that should be implemented for all elements, and then verifies that all the required security features are in place.
4. After a thorough analysis, a rescue plan is created if needed: SPG Controls prepares the list of security protocols that should be implemented.
5. Finally, SPG Controls maintains the security level of the mobile application and ensures it is preserved in future updates.

Secure Authorisation

Specific permissions dictate the features available to the end user. Permissions are based on a set of assigned roles (or access groups). There are also “Access Policies”, additional rules that must be satisfied to access a resource, such as the times at which an operator is allowed to access a specific resource. An operator who is logged in to the system with more than one role, for example as an Administrator, an Engineer and a Guard, selects one role, and that selection defines which objects can be viewed and with what permissions.

API Integration

The ARCO Platform provides the ability to interface with many third-party systems through an Open API. The API is based on a RESTful web architecture. All data held within the ARCO Platform is securely exposed to the third-party systems. All commands, events and configuration changes are logged by ARCO, including the property changes made, so there is a full audit trail.

To learn more about SPG’s ARCO Platform and how it can help secure your assets, click here.

Top 5 Encryption Best Practices That Will Protect You

Best Encryption Practices to Protect Your Business

Encryption is growing in importance and is something every business needs, not only to provide better online security but to prevent data breaches and business interruption.

What is Encryption?

In its simplest form, encryption is the process by which data is encoded so that it cannot be easily understood by an unauthorised person. Only the parties involved in the communication are authorised to decrypt the data. For example, those parties might be your browser and a website, or a storage device and an individual authorised user.

Normally a message is encrypted with a key, but for demonstration purposes, in a very simple way, characters may be “shifted” to another place in the alphabet. For instance, B might become A. The word “AZS” is an encrypted form of “BAT”, as each letter has been shifted one place to the left. One of the most popular shift ciphers is ROT13, which is short for “rotate by 13 places”.
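As an added illustration (not code from the original post), the shift cipher described above implemented in Python, with ROT13 as the special case of a shift by 13, plus a brute-force routine that goes beyond the text to show why a shift cipher offers no confidentiality: there are only 25 usable keys, so every candidate plaintext can be listed at once.

```python
# Added example: Caesar/shift cipher as described in the post, not SPG's code.
# A shift by key k maps each letter to the one k places later in the alphabet
# (wrapping around); a shift by -1 turns "BAT" into "AZS" as in the text.
import string

ALPHABET = string.ascii_uppercase  # 26 letters, A..Z


def shift(text: str, key: int) -> str:
    """Shift every A-Z letter by `key` places (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is a shift by 13; applying it twice restores the original text."""
    return shift(text, 13)


def brute_force(ciphertext: str) -> list:
    """List every candidate plaintext for a shift-cipher ciphertext.

    Only 25 non-identity keys exist, so anyone can undo the 'encryption'
    by trying them all. This is why a shift is a demonstration, not protection.
    """
    return [(k, shift(ciphertext, -k)) for k in range(1, 26)]
```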

Why Use Encryption?

Encryption prevents unauthorised actors from seeing sensitive data, whether that data is at rest or in transit. Data is in transit whenever it is sent to another party or endpoint, for instance when a file is transferred to another device. For the duration of the transfer, a third party can “eavesdrop” on the communication, creating the opportunity for a man-in-the-middle attack (MITM).

A man-in-the-middle attack can alter the communication between two parties in real time. It can change the data being transmitted and received, with serious consequences. For instance, a patch that seems normal might end up carrying a payload of viruses and backdoors that attackers can use to gain entry and compromise an otherwise secure system. Everyday computer users, and even administrators, often do not notice that their systems are already compromised, because the altered data is presented just like a normal software update. Another grave consequence is that sensitive data can be taken by attackers: if a system regularly transmits bank details or credit card credentials, they could be captured by malicious actors. Some systems would also be unable to detect that data had been compromised.

What practices can be implemented to make sure that data is secure and sound?

Multiple Encryption Methods

Having layers of encryption for data can be beneficial: each encryption method acts as a separate layer of security. If one encryption layer fails, the other methods can still slow down or even deter attackers from taking further action.

The ARCO Platform communicates with each component using wolfSSL.

The wolfSSL library is a lightweight SSL/TLS library targeted at embedded, RTOS and resource-constrained environments, primarily because of its small size, speed and feature set. It is used on many common platforms because it supports over 30 different operating environments and industry standards up to the current TLS 1.3, and offers progressive algorithms such as ChaCha20, Curve25519, NTRU and Blake2b. User benchmarking and feedback report dramatically better performance when using wolfSSL versus other similar TLS implementations.

Detailed Logs and Audit Trails

System design should incorporate the creation and storage of traffic logs for every event. This should include tracking which users are logged in and from where they are logged in. This can help administrators and cybersecurity experts to identify suspicious activities. In the case of an attack, investigators can see location data which may be helpful in building better fortification strategies.

The ARCO Platform includes real-time events, reports and alarms throughout the system.

Access to real-time information helps companies visually understand changing security and business conditions and make better decisions, ones based on real-time data collated in pre-designated reports. ARCO enables you to identify trends and measure the impact of system activities.

Set Minimal Privileges for Users

Integrated systems tend to provide many user privileges. It is important to limit each user’s access to the minimal privileges required. The temptation is to grant more system privileges than are needed; for instance, a guest user does not need administrator privileges.

The ARCO Platform gives users a set of permissions drawn from a set of configurable roles.

Roles are only allowed to access the information necessary to perform specific tasks effectively. Access can be based on several factors, such as authority, responsibility and job competency. In addition, access to the ARCO Platform can be limited to specific tasks, such as the ability to view, create or modify a device.
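As an added example that is not ARCO’s own code, a Python model of the authorisation scheme described here and in the Secure Authorisation section above: permissions come from the operator’s selected role, an access policy adds a time window on top, and anything not explicitly granted is denied. The role names, actions and policy layout are assumptions made for the illustration.

```python
# Added example (assumed role names, actions and policy format; not ARCO code).
# Least privilege: an operator holding several roles acts under ONE selected
# role, and only that role's permissions, further narrowed by access policies,
# apply to the request.
from datetime import time

# Role -> set of (resource_type, action) pairs the role may perform.
ROLES = {
    "administrator": {("device", "view"), ("device", "create"), ("device", "modify")},
    "engineer": {("device", "view"), ("device", "modify")},
    "guard": {("device", "view")},
}

# Access policy: an extra rule on top of the role. Here a policy keyed by
# (role, resource_type) restricts WHEN that role may touch that resource.
ACCESS_POLICIES = {
    ("guard", "device"): (time(22, 0), time(6, 0)),  # constructed: night shift only
}


def _in_window(now: time, window) -> bool:
    """True if `now` falls inside [start, end); handles windows that wrap midnight."""
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def is_allowed(active_role: str, resource_type: str, action: str, now: time) -> bool:
    """Deny by default: the selected role must grant the action, and any
    access policy for that role/resource must also be satisfied."""
    permitted = ROLES.get(active_role, set())
    if (resource_type, action) not in permitted:
        return False
    window = ACCESS_POLICIES.get((active_role, resource_type))
    if window is not None and not _in_window(now, window):
        return False
    return True
```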

Backups

It is also important to create regular system backups. This permits authorised users to restore data in case of a disruption to service.

Get Better Security

Invest in accredited and tested products and select fully trained and experienced partners for implementation and support services. SPG Controls has the right products and track record for securing your business as well as a global network of authorised Value-Added Resellers. Contact us to know more.