Videofied Alarm System Flaws Allow Hackers to Intercept Data

Researchers have identified several high severity vulnerabilities in the Videofied alarm system offered by RSI Video Technologies.

France-based RSI Video Technologies provides physical security solutions for residential, commercial and outdoor facilities, including critical infrastructure and construction sites. The company says its wireless security products have been deployed in more than 70 countries.

Videofied is a wireless alarm system designed to send alerts and videos when an alarm is triggered.

Researchers with UK-based security consultancy Cybergibbons analyzed W Panel, one of the Videofied control panels designed for use in residential, small business and enterprise environments. The W Panel is capable of transmitting videos and alarms over Ethernet, Wi-Fi and GPRS to ensure that police can quickly be alerted of a crime in progress.

One of the problems found by experts is that the authentication between the panel and the server is based on a key that is derived from the device’s serial number, which can be easily obtained by an attacker since it’s transmitted in plain text. This issue has been assigned the CVE-2015-8252 identifier.
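
The design flaw behind CVE-2015-8252, shown as an added example that is not from the article, Cybergibbons or RSI. It does not reproduce the Videofied protocol or its key derivation: the SHA-256 derivation, the HMAC challenge-response, the serial `SAMPLE-0001` and every function name are assumptions, chosen only to contrast a key computed from a serial that travels in plain text with a random secret provisioned per device.

```python
import hashlib
import hmac
import secrets

def weak_device_key(serial: str) -> bytes:
    """Constructed stand-in for a key derived only from the serial number."""
    return hashlib.sha256(serial.encode()).digest()[:16]

def respond(key: bytes, challenge: bytes) -> bytes:
    """Device side: prove knowledge of the key for this server challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, provisioned=None):
        # provisioned: serial -> random per-device secret stored at enrolment.
        # When None, the server uses the weak serial-derived key instead.
        self.provisioned = provisioned

    def key_for(self, serial: str):
        if self.provisioned is None:
            return weak_device_key(serial)
        return self.provisioned.get(serial)

    def verify(self, serial: str, challenge: bytes, response: bytes) -> bool:
        key = self.key_for(serial)
        if key is None:
            return False  # unknown device, nothing to compare against
        return hmac.compare_digest(respond(key, challenge), response)

def observer_response(serial: str, challenge: bytes) -> bytes:
    """What a party that has only seen the plaintext serial can compute."""
    return respond(weak_device_key(serial), challenge)

def demo() -> dict:
    serial = "SAMPLE-0001"                 # constructed serial, not a real device
    challenge = secrets.token_bytes(16)    # fresh per connection
    secret = secrets.token_bytes(32)       # provisioned secret, never transmitted
    weak, hardened = Server(), Server({serial: secret})
    forged = observer_response(serial, challenge)
    return {
        "weak_accepts_observer": weak.verify(serial, challenge, forged),
        "hardened_accepts_observer": hardened.verify(serial, challenge, forged),
        "hardened_accepts_device": hardened.verify(serial, challenge, respond(secret, challenge)),
    }

if __name__ == "__main__":
    print(demo())
```

With the serial-derived key the server cannot tell the real panel from anyone who has read the serial off the wire; with a provisioned secret the same response is rejected.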

Another vulnerability is related to the fact that the authenticity of the data is not properly verified, allowing an attacker to spoof messages in an effort to send false alarms and even deactivate alarms. This security hole has been assigned CVE-2015-8254.

Experts also determined that communications are not encrypted – messages are sent in plain text and videos are sent as MJPEG files (CVE-2015-8253).

These vulnerabilities allow a remote attacker to spoof alarms and intercept data, including videos, researchers said.

According to CERT/CC, the vulnerabilities exist in Frontel, a software package used by Videofied customers for monitoring alarms. Frontel uses a custom protocol running on TCP port 888 for communications with the server.

“The RSI Videofied system has a level of security that is worthless. It looks like they tried something and used a common algorithm – AES – but messed it up so badly that they may as well have stuck with plaintext,” Cybergibbons said in a blog post.

The company said it found the vulnerabilities in mid-2015 after testing the latest W Panel. CERT/CC, which was notified after the vendor failed to respond to Cybergibbons for six weeks, says the vulnerabilities have been patched with a Frontel update that introduces version 3 of the communications protocol. Users are expected to receive the update by the end of December.

Cybergibbons specializes in penetration testing of IoT devices and embedded systems. Last year, the company reported finding serious vulnerabilities in Wi-Fi thermostats from Heatmiser.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
