When it comes to the security of the Internet of Things, a lot of the attention has focused on the dangers of the connected toaster, fridge and thermostat. But a more insidious security threat lies with devices that aren’t even on the internet: wireless home alarms.
Two researchers say that top-selling home alarm setups can be easily subverted to either suppress the alarms or create multiple false alarms that would render them unreliable. False alarms could be set off using a simple tool from up to 250 yards away, though disabling the alarm would require closer proximity of about 10 feet from the home.
“An attacker can walk up to a front door and suppress the alarm as they open the door, do whatever they want within the home and then exfiltrate, and it’s like they were never there,” says Logan Lamb, a security researcher at the Oak Ridge National Lab, who conducted his work independent of the government.
Lamb looked at three top brands of home alarm systems made by ADT, Vivint and athird company that asked that their name not be identified. The Vivint system uses equipment manufactured by 2Gig, which supplies its equipment to more than 4,000 distributors.
Separately, Silvio Cesare, who works for Qualys, also looked, independent of his job, at more than half a dozen popular systems used in Australia, where he lives, including ones made by Swann, an Australian firm that also sells its systems in the U.S.
No matter what the brand or where they’re sold, the two researchers found identical problems: All the wireless alarm systems they examined rely on radio frequency signals sent between door and window sensors to a control system that triggers an alarm when any of these entryways are breached. The signals deploy any time a tagged window or door is opened, whether or not the alarm is enabled. But when enabled, the system will trip the alarm and also send a silent alert to the monitoring company, which contacts the occupants and/or the police. But the researchers found that the systems fail to encrypt or authenticate the signals being sent from sensors to control panels, making it easy for someone to intercept the data, decipher the commands, and play them back to control panels at will.
“All of the systems use different hardware but they are effectively the same,” Lamb says. “[They’re] still using these wireless communications from the mid-90s for the actual security.”
The signals can also be jammed to prevent them from tipping an alarm by sending radio noise to prevent the signal from getting through from sensors to the control panel.
“Jamming the intra-home communications suppresses alarms to both the occupants and the monitoring company,” Lamb says.
Although some alarms use anti-jamming counter measures to prevent someone from blocking signals from sensors to control panels—if they detect a jamming technique, they issue an audible alarm to the occupant and send an automatic transmission to the monitoring company—but Lamb says there are techniques to beat the countermeasures as well, which he’ll discuss at his talk.
One of the Australian products that Cesare examined had an additional vulnerability: Not only was he able to intercept unencrypted signals, he could also discover the stored password on the devices—the password a homeowner would use to arm and disarm the whole setup.
The two researchers plan to present their findings separately next month at the Black Hat security conference in Las Vegas. Lamb will also present his research at the Def Con hacker conference. The researchers both focused on home-alarm systems, rather than commercial-grade models used to secure businesses.
The two researchers each used a software-defined radio to intercept and replay communications. Lamb used a USRP N210, which costs about $1,700. For a serious home-burglary ring, this would be a small investment. Lamb says he was able to do a replay attack—copying signals and sending them back to the system to trigger false alarms—from 250 yards away using this device without a direct line of sight to the sensors. Software-defined radios are controlled with software and can be tweaked to monitor different frequencies. With minimal changes to the code in his SDR, Lamb was able to “have my way in all the systems.”
But he could also use an RTL-SDR—a device that costs about $10 from Amazon to monitor signals. These devices don’t transmit signals, so an attacker wouldn’t be able to disable the alarm system. But he could monitor the signals from up to 65 feet away. Because the transmissions contain a unique identifier for each monitored device and event, an attacker could identify when a window or door in a house was opened by an occupant and possibly use it to identify where victims are in the house—for example, when occupants close a bedroom door for the night, indicating they’ve gone to bed.
“So as people go about their days in their homes, these packets are being broadcast everywhere,” he says. “And since they’re unencrypted, adversaries can just sit around and listen in. Suppose you have a small [monitoring] device to chuck in a [rain] gutter. With minimal effort you could tell when someone leaves the house … and establish habits. I think there’s some value there and some privacy concerns.”
Cesare found that some systems used a remote that let homeowner to arm and disarm their alarms without entering a password on a control panel. This data is transmitted in the clear, also via radio frequency, and can be monitored. He found that most of the systems he examined used only a single code. “I captured the codes that were being sent and replayed them and defeated the security of these systems,” he says. Cesare notes that the systems could be made more secure by using rolling codes that change, instead of fixed ones, but the manufacturers chose the easier method to implement with their hardware, at the expense of security.
Cesare was also able to physically capture stored passwords a system made by Swann. All he had to do was attach a microcontroller programmer to read data off the EEPROM. Although he says the firmware was protected, preventing him from reading it, the password was exposed, offering another attack vector to disable the alarm.
Cesare points out that commercial-grade systems are likely more secure than the home systems they examined. “In the home-alarm product, there is an expectation that you’re not going to have as strong security as a commercial-grade system,” he says. But customers still expect at least basic security. As Lamb and Cesare show, that’s debatable.