Security Failure: Empty Your Garage

When I was visiting a friend, she told me that her garage door opener no longer worked. For once, I did not suspect I would find any security failures.

Occasionally, I am wrong.

This is my friend who lives in an upscale, assisted living facility. I first mentioned her in Security Failure: Empty Your Drawers.

My friend parks her car in an underground garage that she shares with the other residents. I figured that the maintenance guy changed the garage opener code or frequency and forgot to tell her.

This time I was right, and the remedy led me to the security failure.

I found the maintenance guy and asked about the opener. He said he changed the transmitter frequency the previous week, and he would be happy to reset it.

“Follow me,” he said, picking up a stepladder.

So I followed him to the outside of the big garage door.

He positioned the stepladder under the garage opener receiver box, which had an antenna on it (see graphic above).

He asked me to hand him my friend’s opener, which I did. He opened it, climbed the ladder, and opened the receiver box.

He pushed a button in the receiver box, then a button on the opener, which programmed the opener with the new frequency (remember, we are standing outside the garage).

He tested the opener, which worked.

The maintenance guy then closed the receiver box, climbed down the ladder, and handed me the opener.

“Aren’t those receivers normally inside the garage,” I questioned, slipping into auditor mode.

The guy had no clue where this was going. “Yes, but the signal won’t go thru these concrete block walls. I tried that and had to move it.”

Then I said, “Next time, I’ll just come and program it myself.”

“You could certainly do that, Mack,” he said, hopefully. “Yes, you could.”

“Don’t you think you should enclose that box in a locked compartment, with the antenna sticking out?” I asked.

“Anyone,” I continued, “could easily program their own opener and enter the garage as well as the building.”

We both knew that all the outside doors in the facility were locked 24/7, but like most garages, the inside doors were not locked. That put the residents and their property at risk.

“Yes, I should,” he agreed, as he walked away, not only from me, but this problem.

He never looked back at either.


Filed under Security Scout, Technology

3 responses to “Security Failure: Empty Your Garage”

  1. L

    your anecdotes on security controls never fail to make me laugh, mack. interesting story, indeed!

    anyway, this might be a little off the topic, but i would just like to ask if you have performed any security health checks in one of your audit clients before. reason i’m asking is because i wanted to know if privileged access is part of the areas checked when performing a security health check. i’ve never performed health checks before so i’m not really sure what things are done during this activity. tried to research online but the descriptions i get are pretty much vague and worded in general terms. hope you can enlighten me on this one.

    thanks again.

    avid IT audit security reader,
    L


    • L,
      Glad you liked it and laughed. Making people laugh is one of my goals (see About).

      Not sure what you mean by security health check, but I always look at privileged access. Who has it, is it appropriate for their job level/position, how many people have it (usually too many), was it approved, and who reviews that access and how often.

      I also look at the same things regarding normal user access, and don’t forget segregation of duties. Then I look at who has access to change the configs or data for the application (usually a directory/folder or database permission), whether the OS/application are updated regularly (patches), is login and data transport encrypted, and is change management followed for all code and data changes (are they documented, tested, approved, and implemented as requested). And whether the data is backed up. Based on what I find on those things, I decide whether to go deeper.


    • L,
      One other thing… these stories are really true. You just can’t make this stuff up.

