[HH] the insecurity of wireless alarm systems

Tom Metro tmetro+hhacking at gmail.com
Wed Jul 23 23:39:28 EDT 2014


Wireless home alarm manufacturers (like Visonic, 2GIG, or United
Technologies (formerly known by brands such as GE Security, ITI, and
Cadix)) have always used proprietary wireless protocols, and insisted
that they are secure, but "a cybersecurity researcher at the Department
of Energy's Oak Ridge National Laboratory" did some reverse engineering
with a software-defined radio (SDR) and discovered that not only were
the sensor communications not encrypted, but that he could detect sensor
triggers from up to 250 yards away.

So to case a house, all you need is a Raspberry Pi, a $10 SDR dongle,
some custom software, and a battery stuffed into a small box that you
toss in the bushes, then retrieve a week later, and you've got a full
record of the pattern of the home owner's movements.

Of course the alarm companies view this as "exotic" tech that's beyond
the capabilities of most thieves. But how long before we see this
reduced to a $20 dongle that attaches to an iPhone and a $10 app?
(Though I suppose Apple would banish such an app as soon as they figured
out what it could be used for. So perhaps side-loading onto your Android
phone is more likely to be the deployment scenario.)

What's worse is that the researcher found he could jam the signals going
to the panel, so it never saw sensors being triggered:

http://www.forbes.com/sites/kashmirhill/2014/07/23/how-your-security-system-could-be-used-to-spy-on-you/

  Lamb [the researcher] asked the [home owner] to arm the system and
  then let the guests wander normally. The alarm did not get triggered
  as it should when the system's armed and a door opens, and the Vivint
  central control station that would call the police when such a thing
  happened did not get a heads up. Lamb was able to suppress the alarm
  through intercepting the system's unencrypted wireless communications
  with the sensors around the home, and sending his own signals to the
  main controls.


The silver lining to this is that it actually might not be that time
consuming to reverse engineer these wireless protocols or require exotic
hardware if you want to repurpose widely available, inexpensive wireless
sensors in your home automation system. (For example, I can get GE
compatible wireless door sensors or motion detectors for about half the
cost of an equivalent product made for the "open" protocols, like
Z-Wave. A concealed door jamb sensor can be had for a mere $26[1].)

1.
http://www.discounthomeautomation.com/iON-Digital-Plunger-Wireless-Door-Security-Sensor-IONPLUNGERx

Several years back I looked into using United Technologies compatible
wireless sensors with a home automation system. United Technologies
actually makes a board with the wireless transceiver and a serial link
that connects it to their wired alarm panels. I figured buying that
transceiver would be the least effort solution. So I emailed United
Technologies asking if they had any documentation covering that serial
communication. Of course their reply was that it was proprietary, and
they felt disclosing it would compromise the security of their products.

 -Tom
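The Forbes excerpt above boils down to one design flaw: the panel believes any well-formed sensor frame, so a recorded frame can be played back and a forged one accepted. The following is an added illustration (not code from the post, Forbes, or any alarm vendor) contrasting a bare sensor-id + state frame with one carrying a monotonic counter and an HMAC tag; the frame layout, sensor address and key are constructed for the demo.

```python
import hmac, hashlib, struct

SENSOR_ID = 0x0A42       # constructed demo sensor address
KEY = bytes(range(16))   # constructed demo shared key (real designs provision per-sensor keys)
OPEN, CLOSED = 1, 0

# --- Unauthenticated link, as described in the article: frame = sensor id + state.
def plain_frame(sensor_id, state):
    return struct.pack(">HB", sensor_id, state)

def plain_panel_receive(frame):
    # Anything well-formed is believed, so a sniffed frame can be replayed
    # or a "door closed" frame forged by anyone with a transmitter.
    sensor_id, state = struct.unpack(">HB", frame)
    return sensor_id, state

# --- Hardened link: frame = sensor id + 32-bit counter + state + 8-byte HMAC-SHA256 tag.
def auth_frame(sensor_id, counter, state, key=KEY):
    body = struct.pack(">HIB", sensor_id, counter, state)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag

class AuthPanel:
    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = {}   # highest counter accepted per sensor

    def receive(self, frame):
        if len(frame) != 15:     # 7-byte body + 8-byte tag
            return "malformed"
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return "bad-tag"     # forged or tampered: sender did not hold the key
        sensor_id, counter, state = struct.unpack(">HIB", body)
        if counter <= self.last_counter.get(sensor_id, -1):
            return "replay"      # a previously captured frame played back
        self.last_counter[sensor_id] = counter
        return ("ok", sensor_id, state)

if __name__ == "__main__":
    panel = AuthPanel()
    captured = auth_frame(SENSOR_ID, 1, OPEN)
    print(panel.receive(captured))                          # ('ok', 2626, 1)
    print(panel.receive(captured))                          # replay
    print(panel.receive(auth_frame(SENSOR_ID, 2, CLOSED, key=b"?" * 16)))  # bad-tag
```

Authentication only addresses the spoofed and replayed frames; the jamming Lamb also demonstrated needs the panel to notice missing sensor check-ins, which this example does not model.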
