Secret alarm code word

[Update: I also sent the story to Stupid Security, considering that this blog has a very small number of readers so far... In addition, there's a slight follow-up with my boss at the end.]

My building at work has a burglar alarm system. The alarm is controlled by a keypad, and when the office doors are opened (while the alarm is set and working) a numerical code has to be entered in order to prevent it from going off.
So far so good; pretty ordinary, and pretty much like what I have at home.

Another part of the burglar alarm service I have at home is that if the alarm goes off, but the code is entered to shut it down a few seconds afterward, we get a phone call from someone at the service to verify that it’s really us, and that we were just slightly delayed or mistyped the number by accident. In order to make sure it’s really us, we are asked to provide a secret code word that we supplied to the service in advance, and which no one else knows.
That’s also normal. As long as we keep this code word secret, and it’s not something easily guessable, we can trigger the alarm by mistake without causing too much havoc.

The service at the office is somewhat similar, but there’s another feature that my boss decided to use. They also call if the doors are opened and the alarm is turned off properly using the numerical code, but at a suspicious time. The idea is that while it’s expected for someone to turn off the alarm in the morning of a workday, and set it at night, it’s not normal to turn it off at night or during the weekend, so they should make sure it’s not a burglar who waited until the office was empty.
Makes sense. The burglar is not supposed to know the numerical code, but the keypad is probably not too sophisticated, so this extra check makes it harder to simply bypass or hack the keypad in some way.

The problem is that this service apparently does not quite get the idea of a secret code. A few months ago I was the last to leave the office: I set the alarm, locked the doors, and then remembered that I had forgotten something inside. I went back, opened the door, entered the alarm code, took whatever it was I had forgotten, and as I was ready to go out again, the phone rang.
A lady on the line identified herself as calling from the security company, and asked for the secret code. I was not aware of any secret code, and told her so. I then added that if she could wait a moment I’d get my boss on his cellular and ask him.
To which she replied that it’s alright, the code is his cellular phone number, so I could just give her that. I gave her the number, and that was that. It seemed very silly, since it’s basically security by obscurity (you need to know that the code is the number), and security by obscurity as a rule doesn’t work. In the time it took me to search for his cellular phone number, anyone else could have found it as well. There are various business cards, and papers with company stationery, in the office.
I assumed, however, that I was only told I needed to provide the number because I had already said I knew it.

Until today. I left the office, and then noticed I had forgotten my cellular phone inside. So I went back, opened the building, and turned off the alarm. About a minute and a half later the phone rang. The delay itself was a problem: if I hadn’t expected the call, I could easily have picked up my cell and locked everything up again before they called, causing them to believe there had been an illegal entry. But I waited for the phone this time, so that was not a problem.
There was another problem, though. The girl on the phone asked for the code. I mumbled something like "sure… give me a sec…" and searched my phone book. She apparently understood that I wasn’t sure what the password was, and decided to be helpful. She told me I needed to give the phone number of my boss (by his name, of course, not by saying he’s my boss). And this time I hadn’t given any previous indication that I knew it, or him. I could have just been stalling, or panicking, or whatever.
Naturally, after being told that I needed the number, there was no problem finding it in the office. Not for me, but also not for anyone else.

So we have a secret code which is a phone number easily found on the premises. The only hindrance to finding it is protection by obscurity, namely that one needs to know that the code is this phone number. But the nice and helpful people from the security service tell the unknown person answering them that this is so, thereby removing any last bit of obscurity. (Which is also why I feel comfortable stating it here. It’s not a secret, apparently.)

I don’t quite get how this is supposed to do anything besides rendering the alarm moot… Surely that can’t be the desired effect, right? Unless they use this as a way to avoid work, knowing they can claim the person answering knew the code so it’s not their fault… Hmm…

Update: I’ve spoken with my boss about this, telling him how bad the whole cellphone-number-as-code idea is. He was surprised. It turns out that there actually is a secret code word, which is not the phone number. The security company apparently decided the phone number was good enough without agreeing on it with him, or letting him know. I expect there will be some very loud phone calls between him and them ;-)
