September 24, 2024
Secret logout codes from thousands of alarm systems can be retrieved due to a software error


Software developer Joris Talma brought the leak to BNR’s attention after several warnings to SMC and Carrier Global fell on deaf ears. “I’ve had a stomachache because of this for a year,” says whistleblower Talma.


According to SMC, there is “no indication” that the leak has been abused, but BNR’s research shows its massive scale. At least 26,000 active Dutch security systems monitored by the SMC alarm center have been affected. These include alarm systems of supermarkets, banks, government services, city and provincial halls, utilities, a banknote printer and even Fox-IT, a company that handles state secrets. In many cases dozens of branches of large retailers are affected at once. The thousands of compromised systems may be only the tip of the iceberg: the offending software was also in use at other alarm centers.

Thousands of alarm systems could be deregistered remotely for a year. Photo: David Rozing Netherlands (ANP / David Rozing)

Addresses and logout codes of Quote 500 members could be retrieved

The leak was in an app that alarm installers use to access data on their own customers: MAS Mobile Classic, a product of the American company Carrier Global. That data also included the so-called “logout codes” of 14,000 locations secured by SMC. These are passwords with which the owner of an alarm system identifies himself to the control center to report a false alarm, after which the police are not dispatched.


Due to a bug in the software of the server on which the app stored the data, the secret data was accessible online. In addition to logout codes, the home addresses of CEOs, Quote 500 members, celebrities and even a former minister could be retrieved. Prominent persons had been given a separate label by SMC, which made them easier to find in the mass of data.
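The article describes the flaw only as a server-side bug that let one installer read records belonging to other customers of the alarm center. The Python below is an added illustration of that class of defect (broken object-level authorization in a multi-tenant lookup), not code from the article, Carrier Global or SMC: the record layout, account names, codes and log lines are all constructed for the example, and the hardened lookup and the log check beside it are one defensive design, not a description of how the real system was fixed.

```python
"""
Added illustration (not MAS Mobile Classic code): a multi-tenant lookup of
alarm-site records that fails to scope results to the caller's own customer
base, next to a version that does, plus a check over server access logs.
Every name, record and log line here is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteRecord:
    site_id: int
    customer: str       # account that owns this site (hypothetical tenant key)
    address: str
    logout_code: str    # password used to cancel a false alarm at the control center
    vip: bool = False   # the 'prominent' label the article describes


# Constructed sample data: two installer accounts, three sites.
SITES = {
    101: SiteRecord(101, "installer-a", "Theaterplein 1", "4471"),
    102: SiteRecord(102, "installer-a", "Markt 12", "9032"),
    201: SiteRecord(201, "installer-b", "Laan 7", "2288", vip=True),
}

# Which customer accounts each authenticated installer may see (constructed).
ENTITLEMENTS = {
    "installer-a": frozenset({"installer-a"}),
    "installer-b": frozenset({"installer-b"}),
}


@dataclass(frozen=True)
class Session:
    user: str
    customers: frozenset  # customer accounts this login is entitled to read


class Forbidden(Exception):
    pass


def get_site_vulnerable(session: Session, site_id: int) -> dict:
    """Authenticates the caller (a Session exists) but never checks that the
    requested site belongs to one of the caller's customers: any logged-in
    installer can read any site's address and logout code."""
    rec = SITES[site_id]
    return {"address": rec.address, "logout_code": rec.logout_code, "vip": rec.vip}


def get_site(session: Session, site_id: int, reveal_code: bool = False) -> dict:
    """Hardened lookup: refuses anything outside the caller's customer base
    and returns the logout code only on an explicit, auditable request."""
    rec = SITES.get(site_id)
    if rec is None or rec.customer not in session.customers:
        # Same error for 'does not exist' and 'not yours', so the endpoint
        # does not reveal which site ids are valid.
        raise Forbidden(f"site {site_id} not accessible to {session.user}")
    view = {"address": rec.address}
    if reveal_code:
        view["logout_code"] = rec.logout_code
    return view


# Constructed server access log: one line per record read, with the owner of
# the record that was returned.
ACCESS_LOG = [
    "2024-09-01T10:00:01 user=installer-a site=101 owner=installer-a",
    "2024-09-01T10:00:02 user=installer-a site=201 owner=installer-b",
    "2024-09-01T10:00:03 user=installer-b site=201 owner=installer-b",
]


def cross_customer_reads(log_lines, entitlements) -> dict:
    """Count, per user, reads of records owned by a customer the user is not
    entitled to. Any non-zero count on a historical log is the signal that the
    authorization check was missing and that records were actually exposed."""
    counts = defaultdict(int)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        allowed = entitlements.get(fields["user"], frozenset())
        if fields["owner"] not in allowed:
            counts[fields["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    a = Session("installer-a", ENTITLEMENTS["installer-a"])
    print("vulnerable:", get_site_vulnerable(a, 201))   # leaks installer-b's code
    print("hardened:  ", get_site(a, 101))              # own site, no code by default
    print("audit:     ", cross_customer_reads(ACCESS_LOG, ENTITLEMENTS))
```

The hardened version makes two choices worth copying: the ownership check is done against the record that was found, not against a parameter the client supplies, and the high-value secret (the logout code) is not part of the default response even for a legitimate owner, so a bulk listing never carries it. The log check is the retrospective counterpart: if the server records which tenant owned each record it returned, a single pass over the log answers the question SMC said it had “no indication” about.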

BNR contacted some of those affected and was able to verify that much of the information was correct and up to date. None of them wanted to be named, but the leak was met with anger and incomprehension among the owners of the alarm systems. “Very bad,” said one of the affected prominent figures. “And it’s unimaginable that people waited so long to inform people.” One of the Quote 500 members said they would contact SMC’s management.

Leak only repaired after a year

Whistleblower Talma discovered the leak in early 2023 during work for a small theater in the east of the country, a customer of the SMC alarm center. The software developer was looking for a way to switch off the theater’s lights automatically whenever someone armed the alarm system for the weekend. “You get creative,” says Talma. By chance he came across the possibility of accessing data of the alarm center’s other customers via the installer app. “A fatal mistake by the designer.” Talma immediately understood the implications of his discovery and warned Carrier Global in February last year, according to correspondence seen by BNR. In June he also reported the leak to SMC.

Carrier had already removed the offending app from the Google and Apple app stores in early 2022. However, the company left the leak in the server that supported the app untouched, which is why Talma could still access secret data a year later. After Talma’s report, Carrier warned its customers, but the leak was not closed. SMC did not act effectively either.

Because no action was taken, Talma raised the alarm with the Dutch Data Protection Authority several times, again without result.

Because Talma now suspected that every alarm center using the MAS Mobile Classic app was vulnerable, last month he also examined Securitas systems. There, too, data on tens of thousands of alarm systems turned out to be accessible, although logout codes could not be retrieved; that leak was limited to personal data. Talma informed this company as well, and shortly afterwards Securitas locked the vulnerable system.

SMC closed its own vulnerable system only after questions from BNR, almost a year after whistleblower Talma’s first report.

“This is how foreign intelligence services get in”

BNR asked independent experts to verify the leak. “I am shocked by the scale,” says security researcher Matthijs Koot of Secura. “It is very unfortunate that this alarm center software is connected to the internet with such serious vulnerabilities.” “These types of tricks can be used by organized crime and foreign intelligence services to gain physical access to buildings,” says Secura’s technical director Ralph Moonen.

GroenLinks-PvdA demands investigation into leak

Member of Parliament Barbara Kathmann (GroenLinks-PvdA) demands that the Minister of Justice and Security investigate the issue. “We have to look very carefully at how big this leak actually is, whether more alarm centers are involved and how this could have happened in the first place,” says Kathmann. She finds it especially painful that whistleblower Talma was not heard. “The biggest shock is that it took a year,” says Kathmann. “Shame is a great danger, because cybercrime costs us billions. Now someone does something once and then nothing happens.”


Selection of affected companies and institutions

Whose logout codes were accessible:

  • Tax authorities
  • FIOD
  • Rabobank
  • Strukton
  • Jumbo
  • Fox IT
  • Vitens

SMC response

SMC is still investigating the extent of the leak and why it took so long before adequate action was taken. According to the alarm center, the leak has now been closed and there is “no indication” that malicious parties have abused it.

“As a precaution, we have engaged a reputable cybersecurity company to conduct an investigation and have decided to reset all logout codes for all users and take additional authentication measures,” a spokesperson said. “Our verification and security process contains several levels, of which the logout code is only one part.”

Carrier Global

A spokesperson said the company is “aware of the issue” and is currently investigating the matter further. “The security of our customers’ data is always a top priority,” Carrier said.

Securitas

Securitas says it was only informed of the leak last week. A spokesperson said that action was taken immediately by temporarily disabling the system that gave access to customer data. “We take this very seriously, because safety is our core business,” the spokesperson said. “Security procedures at Securitas make it impossible to unilaterally change crucial data. As a result, safety was not at risk.”

Securitas says it has reported the leak to the Dutch Data Protection Authority.
