Vulnerabilities In A Honeywell Ademco System

[cybergibbons]

Once again, not me.

 

This video is by a guy from the US, who spent quite a lot of time with a Honeywell Ademco system. It has a number of issues:

• Ability to brute-force codes on an armed system from the panel
• Ability to brute-force by using a small device connected to the ECP bus on the system
• RF has no encryption and can be replayed

I'd imagine that there is quite a lot of stuff in this talk that will wind some people up, he doesn't like the terminology used in alarm systems, and a number of the issues he raises are only a problem with sloppily installed systems.

 

It's only in video form:

 

[GalaxyGuy]

Not to be confused with the Galaxy range used widely here in Europe. Although worryingly, the RF range are compatible, so the same vulnerabilities may exist...

 

Although it's possible to snoop the RS485 bus on the Galaxy, it's not as easy (although not impossible) to add an emulated device or start entering codes repeatedly without causing a panel tamper condition and lockouts on the keypads.

 

Apart from the RF, things are quite different between the American panels and their European cousins.

[cybergibbons]

I wonder why there is such a difference in the panels? Standards? 

[james.wilson]

Not standards. the only honeywell panels in the uk were maybe the accord but certainly the galant and the early galaxy 42's or 44's

 

We did have panels here with an ecp bus but it was a while ago.

[GalaxyGuy]

The Galaxy G2-44+ supports both RS485 and ECP, but I don't think many connect to the ECP bus.