Author: Kim Zetter (Security)
Date of publication: 07.23.14
Time of publication: 6:30 am
How thieves can hack and disable your home alarm system.
When it comes to the security of the Internet of Things, a lot of the attention has focused on the dangers of the connected toaster, fridge and thermostat.
But a more insidious security threat lies with devices that aren’t even on the
internet: wireless home alarms.
Two researchers say that top-selling home alarm setups can
be easily subverted to either suppress the alarms or create multiple false
alarms that would render them unreliable. False alarms could be set off using a
simple tool from up to 250 yards away, though disabling the alarm would require
closer proximity of about 10 feet from the home.
“An attacker can walk up to a front door and suppress the
alarm as they open the door, do whatever they want within the home and then
exfiltrate, and it’s like they were never there,” says Logan Lamb, a security
researcher at the Oak Ridge National Lab, who conducted his work independent of
the government.
Lamb looked at three top brands of
home alarm systems made by ADT, Vivint and a third company that asked that their name not be identified.
The Vivint system uses equipment manufactured by 2Gig, which supplies
its equipment to more than 4,000 distributors.
Separately, Silvio Cesare, who works
for Qualys, also looked, independent of his job, at more than half a dozen popular systems used in Australia,
where he lives, including ones made by Swann, an Australian firm that also sells its systems in the
U.S.
No matter what the brand or
where they’re sold, the two researchers found identical problems: All the
wireless alarm systems they examined rely on radio frequency signals sent
from door and window sensors to a control system that triggers an alarm when
any of these entryways are breached. The signals deploy any time a tagged
window or door is opened, whether or not the alarm is enabled. But when
enabled, the system will trip the alarm and also send a silent alert to the
monitoring company, which contacts the occupants and/or the police. But the
researchers found that the systems fail to encrypt or authenticate the signals
being sent from sensors to control panels, making it easy for someone to
intercept the data, decipher the commands, and play them back to control panels
at will.
“All of the systems use different hardware but they are
effectively the same,” Lamb says. “[They’re] still using these wireless
communications from the mid-90s for the actual security.”
The signals can also be jammed to prevent them from tripping
an alarm: radio noise is sent to keep the signal from getting through from
sensors to the control panel.
“Jamming the intra-home communications suppresses alarms to
both the occupants and the monitoring company,” Lamb says.
Some alarms use anti-jamming countermeasures to
prevent someone from blocking signals from sensors to control panels—if they
detect a jamming technique, they issue an audible alarm to the occupant and
send an automatic transmission to the monitoring company—but Lamb says there
are techniques to beat the countermeasures as well, which he’ll discuss at his
talk.
One of the Australian products that Cesare examined had an
additional vulnerability: Not only was he able to intercept unencrypted
signals, he could also discover the stored password on the devices—the password
a homeowner would use to arm and disarm the whole setup.
The two researchers plan to present their findings
separately next month at the Black Hat security conference in Las Vegas. Lamb will also present
his research at the Def Con hacker conference. The researchers both focused
on home-alarm systems, rather than commercial-grade models used to secure
businesses.
The two researchers each used a
software-defined radio to intercept and replay communications. Lamb used a USRP
N210, which costs about $1,700. For a serious home-burglary ring,
this would be a small investment. Lamb says he was able to do a replay
attack—copying signals and sending them back to the system to trigger false
alarms—from 250 yards away using this device without a direct line of sight to
the sensors. Software-defined radios are controlled with software and can be
tweaked to monitor different frequencies. With minimal changes to the code in
his SDR, Lamb was able to “have my way in all the systems.”
But he could also use an RTL-SDR, a device that costs about $10 from Amazon, to
monitor signals. These devices don’t transmit signals, so an attacker wouldn’t
be able to disable the alarm system. But he could monitor the signals from up
to 65 feet away. Because the transmissions contain a unique identifier for each
monitored device and event, an attacker could identify when a window or door in
a house was opened by an occupant and possibly use it to identify where victims
are in the house—for example, when occupants close a bedroom door for the
night, indicating they’ve gone to bed.
“So as people go about their days in their homes, these
packets are being broadcast everywhere,” he says. “And since they’re
unencrypted, adversaries can just sit around and listen in. Suppose you have a
small [monitoring] device to chuck in a [rain] gutter. With minimal effort you
could tell when someone leaves the house … and establish habits. I think
there’s some value there and some privacy concerns.”
Cesare found that some systems used a remote that
let homeowners arm and disarm their alarms without entering a password on a
control panel. This data is transmitted in the clear, also via radio frequency,
and can be monitored. He found that most of the systems he examined used only a
single code. “I captured the codes that were being sent and replayed them and
defeated the security of these systems,” he says. Cesare notes that the systems
could be made more secure by using rolling codes that change, instead of fixed
ones, but the manufacturers chose the easier method to implement with their
hardware, at the expense of security.
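
The difference between the fixed codes described above and the rolling codes Cesare recommends (and, more generally, the missing authentication on sensor signals) can be seen from the receiver's side. This is an added example, not code from the article, the researchers or any vendor. The frame layout, the truncated HMAC-SHA256 tag, the key and the counter window are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead: missed transmissions the panel tolerates

class FixedCodeReceiver:
    """Models the behaviour the article describes: one static code, no freshness."""
    def __init__(self, code: bytes):
        self.code = code
    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies under the shared key and
    its counter is ahead of the last counter accepted."""
    def __init__(self, key: bytes, device_id: int):
        self.key, self.device_id, self.last = key, device_id, 0
    def accept(self, frame: bytes) -> bool:
        if len(frame) != 16:
            return False
        header, tag = frame[:8], frame[8:]
        dev, counter = struct.unpack(">II", header)
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:8]
        if dev != self.device_id or not hmac.compare_digest(tag, expected):
            return False  # wrong device or forged/corrupted tag
        if not (self.last < counter <= self.last + WINDOW):
            return False  # replayed (old) or implausibly far ahead
        self.last = counter
        return True

def make_frame(key: bytes, device_id: int, counter: int) -> bytes:
    """Hypothetical remote side: 4-byte id, 4-byte counter, 8-byte tag."""
    header = struct.pack(">II", device_id, counter)
    return header + hmac.new(key, header, hashlib.sha256).digest()[:8]

def demo() -> dict:
    key = bytes(range(16))                    # constructed per-device key
    fixed = FixedCodeReceiver(b"\xa5\x5a\x01\x02")
    rolling = RollingCodeReceiver(key, device_id=0x2A)
    seen_fixed = b"\xa5\x5a\x01\x02"          # constructed frame, as overheard
    seen_rolling = make_frame(key, 0x2A, 1)   # constructed frame, as overheard
    return {
        "fixed_first": fixed.accept(seen_fixed),
        "fixed_replay": fixed.accept(seen_fixed),      # accepted again
        "rolling_first": rolling.accept(seen_rolling),
        "rolling_replay": rolling.accept(seen_rolling),  # stale counter
        "rolling_next": rolling.accept(make_frame(key, 0x2A, 2)),
        "rolling_forged": rolling.accept(seen_rolling[:8] + bytes(8)),
    }
```

A scheme like this rejects replayed frames but does nothing about the jamming described earlier, which has to be detected separately.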
Cesare was also able to physically capture stored passwords
from a system made by Swann. All he had to do was attach a microcontroller
programmer to read data off the EEPROM. Although he says the firmware was protected,
preventing him from reading it, the password was exposed, offering another
attack vector to disable the alarm.
Cesare points out that commercial-grade systems are likely
more secure than the home systems they examined. “In the home-alarm product, there
is an expectation that you’re not going to have as strong security as a
commercial-grade system,” he says. But customers still expect at least basic
security. As Lamb and Cesare show, that’s debatable.