Jump to content
Security Installer Community

Hello From A Security Researcher


cybergibbons

Recommended Posts

Posted

There's any number of scenarios.

* One system is vulnerable to a replay attack from a pin from a wireless keypad. I don't know if the wireless keypads are commonly installed, if they are, that is an issue.

* Simulating a detector and causing it to show in fault/tamper can prevent system from being armed.

* I can actively jam one or more detectors without triggering the alarm on some systems.

I don't think discussing the details around specific alarms is a good idea in a public forum though.

 

No no that's fine. But what i'm going to get at next applies to wired systems.

 

* Simulating a detector and causing it to show in fault/tamper can prevent system from being armed. - Ripping off the magnet from the D/C on the final door also achieves the same. Your hoping to cause enough frustration to the user that they leave it unset rather than wait for the engineer.

 

* I can actively jam one or more detectors without triggering the alarm on some systems. - While set or unset? With any wired system it can be done too. Substitution isn't covered until grade 4 if i'm correct. 

 

I'm just interested in the process of disabling a system while armed without causing any alarm. Is this basically what you can achieve? 

 

For the level of grading however the thief is more likely to use a knife to obtain the keys and fob or smash and grab. However the basis for your research is warranted. 

Posted

I know of grade 1 panels, not sure of any grade 1 wireless but I'm not a wireless boffin. Don't use it.

Does your interest extend to signalling devices?

www.securitywarehouse.co.uk/catalog/

Posted

It is worth pointing out the bit where CG mentioned Responsible disclosure

 

The link will explain to anyone unfamiliar with the term and it is worth highlighting that nobody wants us to end up with systems that are more vulnerable in any way - we all want the same end goal.  More secure and effective systems

Thanks Joe. What you say is true - I unequivocally do not want to sell a device to stop alarms working on ebay. I am saying that this is possible, and I am surprised it has not been done before.

I don't just think this applies to grade 2 wireless panels. What if issues exist in wired grade 4 panels? What would happen if you could easily disarm any redcare system? There really isn't a mechanism to report issues, and there isn't a culture where investigating them is encouraged.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Posted

Redcare encryption is pathetic by modern standards.

Grade 4 panels? Doubt many here have ever touched one.

www.securitywarehouse.co.uk/catalog/

Posted

There is a mechanism. Here at tsi. Redcare is one of the better system ie gsm not secure. But there are better from a security point of view. Signalling the issue is seperate to detection. By the sounds of things i thought your concentration was detection and defeating at the lower grades?

securitywarehouse Security Supplies from Security Warehouse

Trade Members please contact us for your TSI vetted trade discount.

Posted

If you asked an insurer for a grade 4 spec you'd be on hold while they rang Adrian and asked him if he made grade 4 kit.

Posted

If you asked an insurer for a grade 4 spec you'd be on hold while they rang Adrian and asked him if he made grade 4 kit.

And when he stopped laughing, then who would we call?

www.securitywarehouse.co.uk/catalog/

Posted

* Simulating a detector and causing it to show in fault/tamper can prevent system from being armed. - Ripping off the magnet from the D/C on the final door also achieves the same. Your hoping to cause enough frustration to the user that they leave it unset rather than wait for the engineer.

Requires prior access to the property. A properly installed DC should not have an external magnet. I suspect a user would inspect the sensor with the issue and see physical tampering. A key problem with wireless is you can spend a long time outside the property playing with the system. You don't even need to be present - I have a proof of concept device which can be left for days gathering arm/disarm commands for later replay.

* I can actively jam one or more detectors without triggering the alarm on some systems. - While set or unset? With any wired system it can be done too. Substitution isn't covered until grade 4 if i'm correct. 

Again, you need access to the property and time for a wired system. I can do this from outside the property, enter, mask the detector, and get on with my business.

 

I'm just interested in the process of disabling a system while armed without causing any alarm. Is this basically what you can achieve? 

On some alarm systems yes. One alarm system can be crashed using malformed packets. The system is split into two - one microprocessor dealing with wireless comms and another for the normal alarm features. The wireless microprocessor hangs. The other one doesn't know what to do and just sits there, armed, but not doing anything. Manufacturer has not responded to this.

For the level of grading however the thief is more likely to use a knife to obtain the keys and fob or smash and grab. However the basis for your research is warranted. 

Again, I agree that the typical burglary doesn't involve alarm bypass. But look back 10 years, and the typical BMW theft didn't use some pretty advanced techniques to bypass the immobiliser. The playing field and players change all of the time.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.