Software leak: False alarm passwords for thousands of alarm systems searchable online
The false alarm passwords for thousands of Dutch alarm systems were easily findable online due to a leak in Carrier Global software, which is used by the SMC alarm center, among others, in the Netherlands. SMC and Carrier Global have known about the issue for a year, whistleblower Joris Talma told BNR.
Research by BNR showed that the leak affected at least 26,000 Dutch alarm systems linked to SMC, including those of supermarkets, banks, government services, city halls, utility companies, a banknote printer, and Fox-IT - a company entrusted with state secrets.
The leak involves the password customers verbally give the alarm center after a false alarm to say that all is well and the alarm center shouldn’t dispatch the police. The leak also included customers’ names and addresses. Celebrities and other prominent people received a separate designation from SMC, making them easy to find in the mountain of data.
Whistleblower Talma, a software developer, discovered the leak by accident early last year while doing work for a small theater in the east of the country, which is an SMC customer. He was looking for a way to automatically turn off the theater’s lights if someone activated the alarm system for the weekend. By chance, he found out that he could access data from other SMC customers via the alarm installer app.
Talma immediately understood the implications of his discovery and warned Carrier Global in February 2023 - BNR has seen the correspondence. He reported the leak to SMC in June. After his warning, Carrier Global warned its customers about the leak but did not actually close it. SMC also did not act effectively. Talma then raised the alarm with the Dutch Data Protection Authority multiple times, with no result. The data was still accessible a year later.
The whistleblower worried that other alarm centers also used the Carrier Global app, called the MAS Mobile Classic App. He checked last month and found that the leak also affected Securitas systems, though in that case only personal data was exposed, not false alarm passwords. He informed the company, and Securitas locked down the vulnerable system.
According to BNR, SMC only did the same after questions from the broadcaster, almost a year after Talma’s first report to the company.
The broadcaster asked independent experts from Secura to verify the leak. “These types of tricks can be used by organized crime and foreign intelligence services to gain physical access to buildings,” technical director Ralph Moona said. Security researcher Matthijs Koot said he was shocked by the scale. “It is very unfortunate that this emergency center software is connected to the internet with such serious vulnerabilities.”
GroenLinks-PvdA parliamentarian Barbara Kathmann has asked the Minister of Justice and Security to investigate. “We have to look very carefully at how big this leak actually is, whether more emergency centers are involved, and how this could have happened in the first place,” Kathmann said. She called the fact that SMC and Carrier Global took a year before closing the leak the “biggest shock.”