CryWolf.us Gripes

Overview

I live inside the Atlanta, Georgia city limits.  Our City Council recently enacted an ordinance requiring every home and business with an alarm system to "register" their alarm with the City, basically providing the name and contact information for someone responsible for that address.  The reasoning was to reduce the number of false alarms requiring the expense of a police response.

The registration is made via a third-party, non-government website called CryWolf.us (note the link goes to the Atlanta-specific part of the site, which I'll be discussing).  According to the "About" page on their website, "CryWolf False Alarm Solutions" is a product made by a company called the Public Safety Corporation, with address 103 Paul Mellon Court, Waldorf, Maryland 20602.  They also appear to go by the name "AOT Public Safety Corporation."  Their web address www.publicsafetycorp.com apparently points to the same site as crywolf.us.

After registering my own alarm and discussing the process with others in my neighborhood Facebook group, it is clear CryWolf is a poorly-designed product -- especially where security is concerned.  For a product that is government-mandated, this is troubling from an individual rights perspective.  I address the identified issues below and will update the page as more issues are discovered or the issues are resolved.

Security Issue: No Identity Verification

When a person registers an address with the CryWolf system, there is no attempt to verify that person is truly the responsible party.  As long as a property has not been registered, a criminal could go to the site and register a property with false information.  Then, when they rob the property and set off the alarm, the police will be directed to an impersonator who assures them the alarm was false, keeping the police away.

Security Issue: Unregistered Addresses Are Visible

Related to the "No Identity Verification" issue, it is easy for a criminal to discover which addresses have been "registered" and which have not.  The screenshot below shows an address (blacked out for privacy) that a user is trying to register.  The CryWolf system has informed the user that "An account with this same address already exists".  Conversely, if the address has not yet been registered, the Street Number and Street Name show up green and the user is allowed to proceed.

(h/t to a concerned neighbor for pointing this one out)


Security Issue: Password Sent Over Email

When you first register a property, instead of immediately setting up a password, your first password is (hopefully) randomly generated and sent via email to the email address you gave.  Anyone with a Computer Science degree will know email is (usually) sent unencrypted, meaning any computer that routes the email through the Internet can read the message.  In other words, sending passwords over email is a big no-no, and not doing so is a fundamental "best practice" of good computer security.

Update: 9/22/14: a neighbor claims they sent a renewal email containing their password.

Update: 9/23/14: apparently they use incremental account numbers, making it very easy to "guess" account numbers, for example for sending out spoof renewal emails.
