Tuesday, February 16, 2016

Tabula Rosa Systems Blog For 2/16/2016 - How Thieves Can Hack And Disable Your Home Alarm System

Author: Kim Zetter

Date of publication: 
Time of publication: 6:30 am

How thieves can hack and disable your home alarm system.

When it comes to the security of the Internet of Things, a lot of the attention has focused on the dangers of the connected toaster, fridge and thermostat. But a more insidious security threat lies with devices that aren’t even on the internet: wireless home alarms.
Two researchers say that top-selling home alarm setups can be easily subverted to either suppress the alarms or create multiple false alarms that would render them unreliable. False alarms could be set off using a simple tool from up to 250 yards away, though disabling the alarm would require closer proximity of about 10 feet from the home.
“An attacker can walk up to a front door and suppress the alarm as they open the door, do whatever they want within the home and then exfiltrate, and it’s like they were never there,” says Logan Lamb, a security researcher at the Oak Ridge National Lab, who conducted his work independent of the government.
Lamb looked at three top brands of home alarm systems made by ADT, Vivint and a third company that asked that their name not be identified. The Vivint system uses equipment manufactured by 2Gig, which supplies its equipment to more than 4,000 distributors.

Separately, Silvio Cesare, who works for Qualys, also looked, independent of his job, at more than half a dozen popular systems used in Australia, where he lives, including ones made by Swann, an Australian firm that also sells its systems in the U.S.

[Image: The Swann security system.]

No matter what the brand or where they’re sold, the two researchers found identical problems: All the wireless alarm systems they examined rely on radio frequency signals sent from door and window sensors to a control system that triggers an alarm when any of these entryways are breached. The signals are sent any time a tagged window or door is opened, whether or not the alarm is enabled. When it is enabled, the system will trip the alarm and also send a silent alert to the monitoring company, which contacts the occupants and/or the police. But the researchers found that the systems fail to encrypt or authenticate the signals being sent from sensors to control panels, making it easy for someone to intercept the data, decipher the commands, and play them back to control panels at will.
“All of the systems use different hardware but they are effectively the same,” Lamb says. “[They’re] still using these wireless communications from the mid-90s for the actual security.”
The signals can also be jammed to prevent them from tripping an alarm, by sending radio noise that keeps the signal from getting through from sensors to the control panel.
“Jamming the intra-home communications suppresses alarms to both the occupants and the monitoring company,” Lamb says.
Some alarms use anti-jamming countermeasures to prevent someone from blocking signals from sensors to control panels—if they detect a jamming technique, they issue an audible alarm to the occupant and send an automatic transmission to the monitoring company—but Lamb says there are techniques to beat the countermeasures as well, which he’ll discuss at his talk.
One of the Australian products that Cesare examined had an additional vulnerability: Not only was he able to intercept unencrypted signals, he could also discover the stored password on the devices—the password a homeowner would use to arm and disarm the whole setup.
The two researchers plan to present their findings separately next month at the Black Hat security conference in Las Vegas. Lamb will also present his research at the Def Con hacker conference. The researchers both focused on home-alarm systems, rather than commercial-grade models used to secure businesses.
The two researchers each used a software-defined radio to intercept and replay communications. Lamb used a USRP N210, which costs about $1,700. For a serious home-burglary ring, this would be a small investment. Lamb says he was able to do a replay attack—copying signals and sending them back to the system to trigger false alarms—from 250 yards away using this device without a direct line of sight to the sensors. Software-defined radios are controlled with software and can be tweaked to monitor different frequencies. With minimal changes to the code in his SDR, Lamb was able to “have my way in all the systems.”
But he could also use an RTL-SDR—a device that costs about $10 from Amazon—to monitor signals. These devices don’t transmit signals, so an attacker wouldn’t be able to disable the alarm system. But he could monitor the signals from up to 65 feet away. Because the transmissions contain a unique identifier for each monitored device and event, an attacker could identify when a window or door in a house was opened by an occupant and possibly use it to identify where victims are in the house—for example, when occupants close a bedroom door for the night, indicating they’ve gone to bed.
“So as people go about their days in their homes, these packets are being broadcast everywhere,” he says. “And since they’re unencrypted, adversaries can just sit around and listen in. Suppose you have a small [monitoring] device to chuck in a [rain] gutter. With minimal effort you could tell when someone leaves the house … and establish habits. I think there’s some value there and some privacy concerns.”
Cesare found that some systems used a remote that let homeowners arm and disarm their alarms without entering a password on a control panel. This data is transmitted in the clear, also via radio frequency, and can be monitored. He found that most of the systems he examined used only a single code. “I captured the codes that were being sent and replayed them and defeated the security of these systems,” he says. Cesare notes that the systems could be made more secure by using rolling codes that change, instead of fixed ones, but the manufacturers chose the easier method to implement with their hardware, at the expense of security.
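The difference between a fixed code and a changing one, seen from the control panel's side, as an added example (not code from the article, the researchers or any vendor). It uses an HMAC-authenticated counter rather than any specific commercial rolling-code scheme; the frame layout, key provisioning and the names `Panel`, `make_frame` and `fixed_code_accept` are assumptions for illustration.

```python
import hashlib
import hmac
import struct

HDR = ">IIB"   # assumed frame header: sensor id, counter, event (9 bytes)
TAG_LEN = 8    # truncated HMAC-SHA256 tag (constructed choice)

def fixed_code_accept(frame: bytes, stored_code: bytes) -> bool:
    """Fixed-code check: a recorded frame stays valid forever."""
    return frame == stored_code

def make_frame(key: bytes, sensor_id: int, counter: int, event: int) -> bytes:
    """Sensor side: header followed by a MAC computed over the header."""
    header = struct.pack(HDR, sensor_id, counter, event)
    return header + hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]

class Panel:
    """Panel side: per-sensor key and highest counter accepted so far."""
    def __init__(self):
        self.keys = {}   # sensor_id -> key shared at pairing (assumed)
        self.last = {}   # sensor_id -> highest counter accepted

    def pair(self, sensor_id: int, key: bytes) -> None:
        self.keys[sensor_id] = key
        self.last[sensor_id] = 0

    def accept(self, frame: bytes) -> str:
        hdr_len = struct.calcsize(HDR)
        if len(frame) != hdr_len + TAG_LEN:
            return "malformed"
        header, tag = frame[:hdr_len], frame[hdr_len:]
        sensor_id, counter, _event = struct.unpack(HDR, header)
        key = self.keys.get(sensor_id)
        if key is None:
            return "unknown-sensor"
        expected = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"          # forged or altered frame
        if counter <= self.last[sensor_id]:
            return "replay"           # authentic frame, but already seen
        self.last[sensor_id] = counter
        return "ok"

if __name__ == "__main__":
    key = bytes(range(16))            # constructed sample key
    panel = Panel()
    panel.pair(0x1A2B, key)
    door_open = make_frame(key, 0x1A2B, 1, 1)
    print(panel.accept(door_open), panel.accept(door_open))
```

The MAC and counter only address authentication and replay: the sensor id and event are still sent in the clear, so the monitoring concern Lamb describes would also need encryption, and jamming is a separate problem.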
Cesare was also able to physically capture stored passwords from a system made by Swann. All he had to do was attach a microcontroller programmer to read data off the EEPROM. Although he says the firmware was protected, preventing him from reading it, the password was exposed, offering another attack vector to disable the alarm.
Cesare points out that commercial-grade systems are likely more secure than the home systems they examined. “In the home-alarm product, there is an expectation that you’re not going to have as strong security as a commercial-grade system,” he says. But customers still expect at least basic security. As Lamb and Cesare show, that’s debatable.