How To Hack Into An ADT Alarm System
Brian Rhodes, writing on January 26, 2015 on the website IPVM, reports that “a class-action lawsuit has been filed against the home-security/alarm company – ADT – claiming the system is too easily hacked.” The most straightforward way to breach the system, the publication notes, is to: “find out the frequency the alarm system transmitter uses from publicly available FCC documentation; get a software defined radio, set it to that frequency, and jam it; periodically, for short periods of time, stop jamming to overcome/trick anti-jamming functionality in the system.” Mr. Rhodes cites a paper presented by Logan Lamb at the DEFCON 22 conference.
According to Mr. Rhodes, “the hack relies on knowing which unencrypted wireless frequencies are used by the intrusion alarm. Specifically, the frequency band used by individual types of sensors and devices. In the U.S., commercially sold wireless devices are issued licenses by the FCC; and, the specific frequency they use for communication is available through the public record.” For example, he says, “Honeywell’s license catalog includes over 300 license applications since late 2011. The record includes frequency information for devices like: Ademco Panel; Tuxedo Touch Panel, Various Motion Sensors, Keypads, Door and Window Sensors.” “Indeed,” Mr. Rhodes wrote, “even ‘proprietary’ systems sold to major alarm companies carry public FCC filings like this ADT keypad and the entire wireless 2GIG catalog: UTC (GE, TYCO, ADT), Vivint, Napco, and Sensormatic.” Mr. Lamb’s paper has a full list of the companies with applications with the FCC.
“To exploit this weakness, the main challenge is knowing which system/transceiver the site being targeted uses,” Mr. Rhodes wrote. “This would be easiest for inside jobs; but, possibly quite hard going after a facility one has never been in. In any case, prominently displaying window stickers, or yard signs, could actually assist a hacker in zoning in on a specific range of frequencies.”
Software Defined Radio
“The equipment needed to search out, monitor, and jam these frequencies is commonly classified as ‘SDRs,’ or Software Defined Radios, and is widely available. The primary function of these devices is to scan the range of radio bandwidth activity on known frequencies. Using USB connected scanner cards and laptops, an entire spectrum of wireless traffic is visible.”
Overcoming Anti-Jam Protection
“Some alarm systems are equipped with anti-jamming features that monitor for this tactic,” Mr. Rhodes wrote. “The cyber researchers found that if the jamming is turned off for a fraction of a second, and right back on — that it would still stop the system from triggering its anti-jam alert, while blocking real alerts from being sent when an intrusion occurs. In general, panel RF jamming features must be enabled by the installer.”
For example, Mr. Rhodes said, “researchers defeated Honeywell’s protection by running a jam for 20 seconds, turning it off for one second, then returning the jamming routine. This process effectively defeated the panel’s anti-jamming protection. Another exploit for 2GIG/Vivint panels modified the process by turning the jam on for 50 seconds; but, turning it off for 0.2 seconds.”
“The specific parameters of an anti-jam process vary according to the panel type, but researchers found the protection could be defeated with trial and error in test systems.”
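As an added illustration (not from the IPVM article or Mr. Lamb’s paper), the constructed Python model below shows why a panel that only alerts on continuous interference misses the duty-cycled jam described above, and how a sliding-window ratio check closes that gap. The sampling rate, thresholds and window length are assumed values, not any vendor’s.

```python
"""Constructed model of an alarm panel's RF anti-jam detector (added example).
The channel is sampled every STEP seconds; True means interference above the
panel's jam threshold. Patterns are synthetic lists, no radio is involved, and
all thresholds and window lengths are assumed values, not any vendor's."""
from typing import List

STEP = 0.1  # seconds between channel samples (assumption)


def jam_pattern(on_s: float, off_s: float, total_s: float) -> List[bool]:
    """Constructed channel samples: on_s seconds jammed, off_s clear, repeated."""
    on_n, off_n = round(on_s / STEP), round(off_s / STEP)
    period = on_n + off_n
    return [(i % period) < on_n for i in range(round(total_s / STEP))]


def naive_detector(samples: List[bool], threshold_s: float = 30.0) -> bool:
    """Alert only if interference is continuous for threshold_s seconds.
    A single clear sample resets the run: the gap a 20 s on / 1 s off jam uses."""
    need = round(threshold_s / STEP)
    run = 0
    for jammed in samples:
        run = run + 1 if jammed else 0
        if run >= need:
            return True
    return False


def ratio_detector(samples: List[bool], window_s: float = 60.0,
                   ratio: float = 0.8) -> bool:
    """Alert if at least `ratio` of the last window_s seconds was jammed.
    Short clear gaps barely move the ratio, so the duty-cycled jam is still
    caught, while brief legitimate interference stays well below it."""
    n = round(window_s / STEP)
    jammed = 0
    for i, s in enumerate(samples):
        jammed += int(s)
        if i >= n:
            jammed -= int(samples[i - n])  # drop the sample leaving the window
        if i >= n - 1 and jammed >= ratio * n:
            return True
    return False


if __name__ == "__main__":
    duty_cycled = jam_pattern(on_s=20, off_s=1, total_s=120)  # Honeywell-style timing
    print("naive :", naive_detector(duty_cycled))  # False: never 30 s continuous
    print("ratio :", ratio_detector(duty_cycled))  # True: ~95% of every 60 s window
```

The same ratio rule also stays quiet on a brief 5-second burst of interference in a 60-second window, so it does not simply trade missed jams for nuisance alerts.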
Not A Cheap Hack
“The equipment the hackers used to pull off the exploits — is quite expensive,” Mr. Rhodes wrote. “The pricing for the SDR, with ample power — ranges from between $1,000 – $4,000; and, requires a high level of technical expertise to deploy effectively. The DEFCON researcher reported his set-up cost more than $2,000 — a cost that will certainly be out of reach or tolerance for many ‘smash and grab’ criminals,” thank goodness.
“While SDRs are easy to get, and inexpensively available online — like a $15 example from Amazon — their effectiveness has not been evaluated. The white paper only reflects the results achieved by using moderately expensive, professional gear.”
Other Advanced — But, More Complex Exploits
“The equipment and basic process of this exploit can be modified into other methods for tricking alarm systems,” Mr. Rhodes warns. “For example,” he concludes, “the basic jamming attack might also be used to spoof the (non-alarming) presence of supervised alarm sensors, if exact details are known. However, such an attack would likely require significant time, and money — which is something to be thankful for — for now. But, as with everything else, the price is likely to go down – unless alarm technology can stay one step ahead of the cyber hacking criminal community.”
Just be aware that there isn’t anything out there that is foolproof — that I know of. Just making it more difficult on the bad guys to get inside your home — is probably good enough — most of the time. And these systems serve a valuable purpose and are a deterrent, the overwhelming majority of the time — and, are for the most part, worth the time and effort and the sense of security and privacy they protect. But, if there is a determined adversary — stalker, dedicated cyber thief/hacker, etc. — if they have the time, resources, dedication and technical expertise — these kinds of systems are no panacea. V/R, RCP