3 min Security

An exploit could lead to remote shutdown of security systems: who is responsible?

An exploit could lead to remote shutdown of security systems: who is responsible?

A security systems app appears to have leaked highly sensitive data. MASmobile Classic, intended for alarm systems installers to look up customer data, could unintentionally send codes to disable security systems online to malicious people.

This is according to research by the Dutch station BNR. The deregistration codes for security systems of the Dutch Tax Authority, Rabobank, supermarket chain Jumbo, water provider Vitens, infrastructure company Strukton and security firm Fox-IT, among others, were retrievable. The news broke nationally, but it’s unclear which international companies (if any) were affected. Vulnerability CWE-639 was the culprit, a flaw in the authorization system that let users modify a key to gain access to others’ data.

Developer Carrier Global was notified by whistleblower “Talma” about the software flaw as early as the beginning of 2023. Dutch security systems provider SMC followed suit in June. The MASmobile Classic app had already been removed from the App Store and Play Store on March 31, 2022, and Carrier Global chose not to patch the leak. The app also reached end-of-life on that date.

Dutch software vendor Securitas maintains that no users were actually at risk. “For the sake of completeness, our procedures include additional security measures that prevent crucial information from being changed unilaterally.” Stanley Security, which used MASmobile Classic to protect customers, was acquired by Securitas a year ago. That’s how the app ended up with this vendor.

Leak not plugged for a year

In June 2023, Carrier Global warned its customers about this software flaw within the outdated app, but SMC failed to react. Whistleblower Talma went to the Dutch Personal Data Authority, but that too led nowhere. Only when BNR knocked on SMC’s door, did it actually take action.

In fact, the software error is the cause of the data breach, but public communications show that alarm center SMC should have abandoned the app a year before it was discovered. Especially given the critical role the switchboard plays for organizations, end-of-life applications should never be used for such purposes. It is the responsibility of organizations to ensure their entire software supply chain security.

It’s hard to say who’s the most responsible of the parties involved. After all, when Securitas acquired Stanley Security, it missed the fact that an end-of-life app was in use. Supplier Carrier Global simply seems to have acted according to plan: no software maker can keep supporting apps and fixing vulnerabilities indefinitely, after all.

A striking fact is that as recently as January of this year, a user on the Dutch website Tweakers asked how to install the MASmobile Classic app, since it was required for a new job. At the time, another user advised that this application was outdated. Meanwhile, the app with only the name “MASmobile” is still supported. Likewise, MASmobile EX is a more modern variant that customers can opt for. However, Securitas appears to only have provided Dutch-language support for older version, so customers such as the security systems operator SMC could not yet switch over.

Also read: Personal data exposed at Air Europa