Alarm insecurity - jamming, replaying and brute-forcing on the Yale HSA6400

[Twenty Four]

We also get flippant users eh, John. You know full well what I'm referring to, DIY site or not. This section includes 'Alarms' in the title, not all the other gubbins you mention.

Security is security regardless of whether or not it is DIY or professional. Of course there are different levels but suggesting a DIY level means you buy an alarm, fit it and find it potentially doesn't work is just plain daft and belittles those talented DIYers out there.

 

[bernardgreen]

Examination of the board shows that it is just a RSSI signal passed through an RC filter. I guess whatever I am sending doesn't cause the RSSI to rise enough.

Was that an AM or FM receiver ? From memory ( and maybe incorrect ) on AM reception signal strength was assessed by the amount of modulation within the passband of the signal being carried. A strong but un-modulated signal assessed that way would return a zero value. I wonder if the alarm receivers assess the signal that way. If they do then signals with modulation outside the passband might be ignored. Hence a strong signal with the "wrong" modulation would block the channel but be assessed as being close to zero by the jamming detection circuit and hence no jamming alert would be generated.

 

[bernardgreen]

This is a DIY site. We get people whose paint has fallen off the wall because they applied it over glue. Or connect 12v lamps to mains power.

And the results of that are obvious to see and immediate. Totally different from a DIY install alarm where its inability to function will not be known until it is too late.

 

[cybergibbons]

Yes, these are AM. The type of receiver it is has a fairly wide reception band. I'm not really sure what stage the RSSI is generated on them. Some just detect a carrier, some only when there is a signal that is modulated approximately at the frequency that would be sent normally.

 

[bernardgreen]

The type of receiver it is has a fairly wide reception band.

Super regen, no IF ? Hope not. They can even go unstable, radiate low power RF which then blocks themselves and nearby receivers.

 

[JohnD]

its inability to function will not be known until it is too late.

You mean apart from the chime not working, the confidence flash and bleep not working, any remote keypad and fob not working.

 

[cybergibbons]

The type of receiver it is has a fairly wide reception band.

Super regen, no IF ? Hope not. They can even go unstable, radiate low power RF which then blocks themselves and nearby receivers.

Not sure. The module doesn't have a specific part number and I can't find datasheets. It's likely superregen rather than superhet.

 

[bernardgreen]

You mean apart from the chime not working, the confidence flash and bleep not working, any remote keypad and fob not working.

No those are auxillary functions. It is the assured operation of the siren when there is an intruder that is the function that is critical. There are several things that will prevent the siren sounding when needed. Blocking of the "siren on" signal is one of them. Flat battery is another.

Why should the user have to check for confidence flash when setting the alarm. If it doesn't flash what does the user do ? A sensible alarm system will have detected the fault and alerted the user before the time when the user has to set the alarm.

The chime only indicates that the door sensor messages are reching the panel. It gives no indication of the quality of the link between panel and siren.

The alarm can be set with a protected door open or a door whose sensor or magnet has fallen off.

 

[cybergibbons]

its inability to function will not be known until it is too late.

You mean apart from the chime not working, the confidence flash and bleep not working, any remote keypad and fob not working.

Except the standard Yale package doesn't chime, doesn't have a remote keypad, and doesn't have fobs.

 

[JohnD]

its inability to function will not be known until it is too late.

Blocking of the "siren on" signal is one of them. Flat battery is another.

So let me check. You're now saying there's a flat battery, because he doesn't change them, the user has ignored the "low battery" signals, and that he never checks the confidence flash and bleep, you're also postulating that Average Joe has something blocking the signal, which he's never noticed because that he never checks the confidence flash and bleep on either entry or exit, which the siren's jamming detect has not noticed.

And does this Average Joe also have a highly skilled team of jewel thieves targetting his alarm with a jamming device?

 

[JohnD]

Except the standard Yale package doesn't chime, doesn't have a remote keypad, and doesn't have fobs.

I'd be interested to see you using a "Standard" alarm without either keypad or fob.

 

[Twenty Four]

Pssst, he mentioned 'remote' keypad.

 

[cybergibbons]

http://www.yale.co.uk/en/yale/couk/productsdb/alarms/hsa-6000-series/HSA6400/

No remote keypad, no fobs. Many only have this for their install, and barring the arming beep from the siren (which is pretty quiet and hard to notice if you are inside), jamming doesn't show up in day to day operation.

 

[JohnD]

the 6400 has chime facility. Also audible countdown on exit, and triggered by entry

The arming beep and flash is much more likely to occur when you are on your doorstep or garden path than when you are indoors.

BTW the "Standard" is not the 6400

 

[cybergibbons]

the 6400 has chime facility.

Yes, if your program it to. It's off by default:

"Chime off is the factory default"