Alarm insecurity - jamming, replaying and brute-forcing on the Yale HSA6400

I think that we should defend against JohnD’s 14 year old smack head with an old screwdriver rather than some James Bond character with a laptop

If I'm wrong, show us police statistics..

More technically informative are the statistics that include the probing of alarm installations but where no crime occurred. These statistics give a far better indication of the technical ability and knowledge of the criminals. These technically informative documents are for obvious reasons not in the public domain.

No alarm system will protect against the smash, grab and run criminal. The best that an alarm can do is notify people that a burglary is in progress. The alarm sounding may reduce the time the criminal is prepared to spend in the house looking for easy takings. To catch burglars in the act a silent alarm with ensured and rapid response is the best option. Response is not limited to arrival of police or other security personnel.

As has been said here many times, all that is needed to defeat the majority of DIY wireless alarms is a jammer. I believe the police statistics may include records of people arrested for going equipped when found with a jammer in their possession.
 
3. Manufacturers claim alarms have jamming protections, and they don't work.

They cannot work

Operating on a licence exempt wireless frequency it is impossible to protect against jamming. If a jamming signal is there then the system modules (sensors, panel, siren) cannot communicate with each other. Some systems operating on licensed wireless channels may be able to change frequency and hope the jammer does not also change frequency. The cost of channel hopping makes it totally out of the question for domestic burglar alarms.

All the domestic alarm can do is raise an alarm when the system is unable to operate due to jamming (intentional and possibly criminal) or blocking (transmissions from other legally operating equipment on the same licence exempt frequency).
 
It can be made significantly harder though, to the extent that it's not possible with reasonably priced equipment.

Two-way RF makes a huge difference. Instead of an absence of signal, you look for an absence of response. You can poll the detectors much more frequently when the system is armed. Naive jamming won't work with these.

Frequency hopping also makes it much harder. Hop over 64 frequencies at a decent rate, and I'll need 64 times the power to jam the signal. That said, there are some systems, notably Visonic's, which only use 4 frequencies and can still easily be jammed.
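
The absence-of-response check described in the post above, sketched as an added example (not part of the original thread and not any vendor's firmware). The 2-second armed poll interval, the miss limit of 3 and the detector names are assumptions; the poll log is constructed sample data.

```python
from collections import defaultdict

# Hypothetical detector names for the constructed sample below.
DETECTORS = ("door_back", "door_front", "pir_hall")

def build_rounds():
    """Constructed poll log: one round every 2 s while armed.
    Each round is (time_s, {detector: answered?})."""
    missed = {
        4: {"door_back"},                      # one lost reply (collision)
        8: {"pir_hall"}, 10: {"pir_hall"}, 12: {"pir_hall"},  # one unit dead
        16: set(DETECTORS), 18: set(DETECTORS), 20: set(DETECTORS),  # channel unusable
    }
    return [(t, {d: d not in missed.get(t, ()) for d in DETECTORS})
            for t in range(0, 24, 2)]

def supervise(rounds, miss_limit=3):
    """Two-way supervision: judge the link by missing responses to polls,
    not by received signal strength. Returns state-change events as
    (time_s, state, silent_detectors)."""
    misses = defaultdict(int)   # consecutive unanswered polls per detector
    events, state = [], "ok"
    for t, replies in rounds:
        for det, answered in replies.items():
            misses[det] = 0 if answered else misses[det] + 1
        silent = sorted(d for d in replies if misses[d] >= miss_limit)
        if silent and len(silent) == len(replies):
            new = "channel_blocked"   # every detector silent: jamming or blocking
        elif silent:
            new = "detector_fault"    # only some silent: battery, range, tamper
        else:
            new = "ok"
        if new != state:
            events.append((t, new, silent))
            state = new
    return events

if __name__ == "__main__":
    for event in supervise(build_rounds()):
        print(event)
```

With these assumed settings a blocked channel is reported three poll rounds after it starts, and a single lost reply is tolerated; lowering the miss limit shortens that delay at the cost of faults from ordinary collisions on a shared band.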
 
All the domestic alarm can do is raise an alarm when the system is unable to operate due to jamming (intentional and possibly criminal) or blocking (transmissions from other legally operating equipment on the same licence exempt frequency).
Which potentially means lots of alarms sounding due to all manner of 'tamper' signals present on an unlicensed, free for all frequency.
 
A manufacturer of wireless DIY alarms includes this in the installation manual for some of its products:

Tamper alarm
If the siren detects a tamper condition it will activate the siren for the programmed period. If the tamper condition persists the siren will sound a series of five pips either every time the system is armed or when the tamper is enabled, to indicate a fault.

Radio jamming
This unit is equipped with the latest type of radio receiver using AM radio technology. If the system is armed, any criminal attempt to prevent (or jam) the detector transmissions will be picked up as interference and will trigger an alarm.
If the alarm is frequently triggered by interference there may be high levels of unusual radio signals in your area. Some kinds of electronic equipment can generate this kind of radio interference.
In the unlikely event of you experiencing problems with interference, it is recommended that you switch jamming detection off.
Please telephone our helpline if you require any further assistance.


The "high level of unusual radio signals" may be legally operating licence exempt equipment on the same wireless frequency as the alarm. Or it could be an illegal jammer.
 
I don't disagree with that, I've seen enough issues with various devices unintentionally jamming 434MHz and 868MHz.

What I don't understand - and I have tested with two alarms bought 4 years apart, and one installed alarm - is that I cannot set the Yale jamming detection off. Even 0.5W of power, 30cm away in a Faraday cage does nothing.

Yet there are many reports of it being triggered! Examination of the board shows that it is just an RSSI signal passed through an RC filter. I guess whatever I am sending doesn't cause the RSSI to rise enough.
 
Assuming consumers are aware, they buy this rubbish knowing the alarms will potentially tamper from all and sundry around them over the air. Oh, but they can turn off jamming detection for a quieter life but potentially render their alarm useless.
 
potentially
And yet, in an ordinary domestic house in an ordinary residential street, it is just about unknown.

Remember that on this forum we get a fair sprinkling of DIYers with cheap alarms and we see the typical problems (bad batteries, tamper going off due to loose screws), just as we hear about leaking taps and cracked tiles.

But we hear only about hypothetical jamming, or jamming if you happen to live under a BBC transmitter mast.
 
potentially
And yet, in an ordinary domestic house in an ordinary residential street, it is just about unknown.

Remember that on this forum we get a fair sprinkling of DIYers with cheap alarms and we see the typical problems (bad batteries, tamper going off due to loose screws), just as we hear about leaking taps and cracked tiles.

But we hear only about hypothetical jamming, or jamming if you happen to live under a BBC transmitter mast.

Really? I've looked into several cases of unintentional jamming caused by malfunctioning devices.
 
we sometimes get the signal being blocked by e.g. a router being placed next to the panel, which is easily cured by repositioning, and I once had it from scaffolding being erected inside a house.

Not sure that "jamming" is the right word, which has generally been used throughout this thread to mean deliberate interference by a burglar using a device constructed and sold for that purpose.
 
It is unknown as far as a lack of research before purchasing goes. What we are reading more of now will hopefully become the norm and will spread through the masses to educate them.

Most consumers wouldn't have a clue why their alarm tampered either and probably don't care. They've done what they consider is as much as they can physically do by having an alarm installed, however potentially useless it is, apart from being a visual deterrent by way of a bell box being on show. Unfortunately some bell boxes inform the undesirables that Mr and Mrs Clueless live here.
 
John, however you look at it, blocked and jammed give the same result. It is laughable that security can be compromised by a router placed in the wrong position or scaffolding in the way.
 
The point being that an alarm or other RF device ceases to work. I've seen it caused by baby monitors from China that don't obey the duty cycle rules, a malfunctioning weather station, horrific spurs from a wireless video transmitter.
 
Not sure that "jamming" is the right word, which has been used throughout this thread to mean deliberate interference by a burglar.

"jamming" is intentional blocking of the signal. "Blocking" is when the system cannot be fully functional due to lost or corrupted messages passed over the wireless link(s). It is a condition of the Licence Exempt use of the channel that normal operation of the system must tolerate blocking of the wireless channel.
 
This is a DIY site. We get people whose paint has fallen off the wall because they applied it over glue. Or connect 12v lamps to mains power. Or have taps that allow cold water to flow up the hot pipes. Or hang heavy cabinets on plasterboard walls. Plenty for you to laugh at.
 
