Alarm insecurity - jamming, replaying and brute-forcing on the Yale HSA6400

Whilst I found it interesting, those with Yale systems may feel worried if burglars started to look at disabling the system with a PIN obtained over the airwaves.

Most pros wouldn't fit Yale, the time taken to obtain the information required may put the burglars off some homes as to make it viable, cost of time and equipment versus return.
 
cost of time and equipment versus return

Mr Am makes a very good point. Building upon what he says; unless we’re talking about breaking into a bullion depository, the risk reward calculation works totally against the burglar in your scenario.

The Strasser, Danev and Capkun paper is interesting, but is very much a theoretical research edge case. They artificially reduced the transmission rate to 2.4 kBaud for budgetary pragmatism, and were able to carefully direct the transmission signals to their advantage. Your post also seems to contradict "Nearly every alarm panel will lock you out if you get the PIN wrong more than a few times – and the Yale panel does so" with a brute force run of 9999 incorrect PINs. Burglars are stupid creatures who break into houses by smashing windows with their foreheads. They do not bit flip CRCs using custom Python scripts on Ubuntu. Have you been watching Entrapment? Your £29 ARF is well priced indeed, but gets you an SMD development board like:

https://www.wirelessthings.net/medi...d6e5fb8d27136e95/r/0/r011_arf_front_new_1.jpg

I challenge you to find a house burglar that knows what to do with it. I guess they might eat it. Hands up all those who know what a software defined radio is, or how to use pyserial? In fact, I think that I would feel honoured to have been burgled by someone using your techniques.

So the principal weakness of your argument is: why would a technically sophisticated burglar risk going to prison (or coming across a homeowner possibly resulting in his death), for a £200 telly? He’d be better off getting a white hat job with a company like yours, or doing some simple Python work for a steady £50K/yr. They could also work in SIGINT.

Your blue spectrogram looks very pretty, but is somewhat let down by the vanilla Unity install. Some people actually understand your blog post and the paper it links to. IFSEC is a trade event for selling burglar alarms. Any chance this post is marketing FUD because you’re scaring the readers..?
 
cost of time and equipment versus return

Mr Am makes a very good point. Building upon what he says; unless we’re talking about breaking into a bullion depository, the risk reward calculation works totally against the burglar in your scenario.

The Strasser, Danev and Capkun paper is interesting, but is very much a theoretical research edge case. They artificially reduced the transmission rate to 2.4 kBaud for budgetary pragmatism, and were able to carefully direct the transmission signals to their advantage.

I'm not sure of the relevance of the paper here?

Your post also seems to contradict "Nearly every alarm panel will lock you out if you get the PIN wrong more than a few times – and the Yale panel does so" with a brute force run of 9999 incorrect PINs.

The physical keypad locks you out, the RF doesn't.

Burglars are stupid creatures who break into houses by smashing windows with their foreheads. They do not bit flip CRCs using custom Python scripts on Ubuntu. Have you been watching Entrapment? Your £29 ARF is well priced indeed, but gets you an SMD development board like:

https://www.wirelessthings.net/medi...d6e5fb8d27136e95/r/0/r011_arf_front_new_1.jpg

I challenge you to find a house burglar that knows what to do with it. I guess they might eat it. Hands up all those who know what a software defined radio is, or how to use pyserial? In fact, I think that I would feel honoured to have been burgled by someone using your techniques.

So the principal weakness of your argument is: why would a technically sophisticated burglar risk going to prison (or coming across a homeowner possibly resulting in his death), for a £200 telly? He’d be better off getting a white hat job with a company like yours, or doing some simple Python work for a steady £50K/yr. They could also work in SIGINT.


I'm puzzled. Why wouldn't a burglar spend £50 on a jammer that means that the alarm won't go off? They don't need to make or program anything.

http://www.jammerall.com/products/434-MHz-Car-Remote-Control-Signal-Blocker-&-RF-Jammer.html

The same devices are used by car thieves. Why not burglars?

TVs are rarely stolen in burglaries. Cash, mobile phones, small gadgets, jewellery. Average value of a break-in is higher than £200 as well.

Your blue spectrogram looks very pretty, but is somewhat let down by the vanilla Unity install.

Eh? What?

Some people actually understand your blog post and the paper it links to. IFSEC is a trade event for selling burglar alarms. Any chance this post is marketing FUD because you’re scaring the readers..?

Marketing FUD? Who is marketing to who?

The point is:
1. Many wireless alarms - including graded ones - can be jammed with unsophisticated equipment.
2. The standards state this shouldn't be possible, yet it is.
3. Manufacturers claim alarms have jamming protections, and they don't work.
4. Manufacturers are Internet connecting alarms with similar levels of thought to security.
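The keypad-versus-RF lockout gap mentioned in the reply above, as an added example that is not part of any post in this thread and is not Yale firmware: a toy panel where the failed-PIN limit is enforced either only in the keypad handler or once for all input channels. The `Panel` class, the threshold of 3 and the PIN values are constructed assumptions.

```python
import hmac

MAX_FAILURES = 3  # assumed threshold; the thread only says "more than a few times"


class Panel:
    """Toy alarm panel (hypothetical model, not any vendor's firmware)."""

    def __init__(self, pin, shared_lockout):
        self._pin = pin
        self.shared_lockout = shared_lockout
        self.failures = {"keypad": 0, "rf": 0}
        self.armed = True

    def _locked(self, channel):
        if self.shared_lockout:
            # Hardened: failures from every channel draw on one budget.
            return sum(self.failures.values()) >= MAX_FAILURES
        # Weak: only the keypad handler enforces the limit.
        return channel == "keypad" and self.failures["keypad"] >= MAX_FAILURES

    def disarm(self, channel, pin):
        if self._locked(channel):
            return "locked"
        if hmac.compare_digest(pin, self._pin):
            self.armed = False
            self.failures = dict.fromkeys(self.failures, 0)
            return "disarmed"
        self.failures[channel] += 1
        return "rejected"


def wrong_pins_processed(panel, channel, attempts, wrong_pin="0000"):
    """Count how many wrong PINs the panel evaluates before it refuses."""
    processed = 0
    for _ in range(attempts):
        if panel.disarm(channel, wrong_pin) == "locked":
            break
        processed += 1
    return processed


if __name__ == "__main__":
    for shared in (False, True):
        for channel in ("keypad", "rf"):
            panel = Panel("4821", shared_lockout=shared)  # constructed PIN
            n = wrong_pins_processed(panel, channel, 50)
            print(f"shared_lockout={shared} channel={channel}: {n} wrong PINs evaluated")
```

The lockout in this model never expires; a real panel would pair the shared counter with a timeout and a tamper event.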
 
So the principal weakness of your argument is: why would a technically sophisticated burglar risk going to prison

It isn't necessary to be "technically sophisticated" to defeat the majority of DIY installed one way wireless alarms.

Many get the equipment and the necessary instructions from criminals who do not put themselves at risk. This is often the fence who buys the stolen goods.

The risk is that they target a sting house. They defeat the obvious alarm and break in and trigger the covert alarm. Minutes later they are either arrested or so well photographed they can be identified. In some cases the monitoring of the wireless channel alerts the authorities / police / security to the attack.
 

Nonsense.

We are talking about the average Joe in a small house who can only afford £150 for a DIY kit. He has a plastic front door and no locks on the windows. There are a thousand similar homes within five minutes walk.

He is going to be approached by a 14 year old smack head with an old screwdriver who has trouble reading the Sun.

"Sophisticated" is a bent coathanger with a hook on the end through the letterbox to grab car keys off the hall table.

He dreams of using a simple tool to defeat Eurocylinders.

His victims will get a crime number for the insurance and be lucky if a PC calls in within a week.
 
Wouldn't average joe be better securing his house before spending money on an alarm?
 
Doubtless.

And he is not at all likely to buy an expensive alarm system.

It is often said that the main deterrence effect of an alarm, on Average Joe's house, is achieved by putting a bell box on the wall, no matter what it's connected to (if anything).
 
Could it be that anyone bright enough to know the penalties and risks of house burglary has the sense to do an easier job?

I don't know what it's like where you live, but in my area the Neighbourhood Watch and local paper crime reports are:

youths climb over fence and steal bike from unlocked shed... tools taken from garage... handbag taken from car... whiskey snatched from off licence.... mobile phone taken from schoolgirl... door kicked in and car keys taken... bay tree stolen from garden... fake meter-reader rifles kitchen drawers....

Very little high-tech skilled criminal activity.

I think the fact that few residents are known to have collections of diamonds and gold bars may affect the class of criminal we get.
 
I'm just wondering why jamming is being seen in car theft, but not burglary. Both aren't exactly risk free, and the reward to the guy actually doing the crime is about the same.
 
How many minutes does it take to steal a £50,000 merc? How many can you do in a year?

How many Average Joe houses would you have to burgle to accumulate £50,000?

How long do you go to prison for (if you ever get caught)?
 
Stealing high-end cars requires a lot of time and effort to get them sold on, unlike cash, jewellery, and phones. The person doing the crime doesn't see a fraction of the value.

Prison terms for non-aggravated first offence are similar for both.
 
How many????????

Stealing high-end cars requires a lot of time and effort to get them sold on, unlike cash, jewellery, and phones.

Hence a different class of criminal. I bet most of them can read, write and tie their own shoelaces.

Not like my 14-year old crackhead burglar.

BTW, how much cash and jewellery do you think you would find in my house? Will there be a phone there, when I'm out?
 
