cybergibbons (author) Posted May 22, 2013

> lol! anti-code means to me (due to make used) having tripped the alarm, the user gets a code from keypad, gives that code to the ARC, they insert that into some software, produce and give this one time reset code to the user, who inserts it and resets alarm. how knowing that reduces anyone's security beats me

The way I see it, there are several stages this system has gone through:

1. Customers were allowed to reset alarms themselves. ARCs didn't want them to do this - what's the reasoning here?
2. A simple 00-99 quote and reset code system was developed and used by several panels. Someone must have deemed this inadequate because a more complex system was developed. Why was this required?
3. Technistore was developed which claims "military grade encryption" is used, and looks like it is licensed out to alarm manufacturers.

So, the complexity of it has moved forwards incrementally over time. What was the reasoning for moving forwards? Were people finding that the 00-99 codes were being bypassed by customers? Or, in reality, was it just Technistore looking to make some money by artificially creating a need for security round this process?

I have a blog, some of which is about alarm security and reverse engineering: http://cybergibbons.com/
matthew.brough Posted May 22, 2013

> The way I see it, there are several stages this system has gone through:
> 1. Customers were allowed to reset alarms themselves. ARCs didn't want them to do this - what's the reasoning here?

ARCs don't like doing anything. Most want to sit and have blank screens and no phones to answer. This then becomes a profitable business.

> 2. A simple 00-99 quote and reset code system was developed and used by several panels. Someone must have deemed this inadequate because a more complex system was developed. Why was this required?

If you get enough resets and write them down you would get a full house of reset codes, so you wouldn't have to call the ARC again?

> 3. Technistore was developed which claims "military grade encryption" is used, and looks like it is licensed out to alarm manufacturers.

Today yes, but in the past they sold a standalone unit that they sold to fit to panels that didn't have remote reset in those days.

> So, the complexity of it has moved forwards incrementally over time. What was the reasoning for moving forwards? Were people finding that the 00-99 codes were being bypassed by customers? Or, in reality, was it just Technistore looking to make some money by artificially creating a need for security round this process?

www.securitywarehouse.co.uk/catalog/
cybergibbons (author) Posted May 22, 2013

> I think the point was if the remote reset algorithm could be figured out, there is no need to call the ARC as in effect, the system would be on customer reset.

My point is that someone, for some reason, decided a simple scheme of mapping 00-99 wasn't adequate. A much more involved scheme was developed, Technistore. This has the illusion of being more complex/secure, but once the algorithm is known, it is equivalent to a 000-255 mapping. The key is easy to derive from a single quote/reset code, and once the key is known, that's it.

It is easy to develop a 00000-99999 mapping that uses a decent key length (128 bit is ideal, even 16 bit is much better) that would get rid of these problems. It wouldn't have required any more effort. It would have looked complex/secure, but also been secure, unlike with Technistore.

Installers and ARCs don't seem to like the idea of customers resetting anti-codes themselves, so there has to be a security aspect here.

Is it really a problem how bad Technistore is? No, not really. But what does it show?

1. Things can give an impression of being better, but they aren't really.
2. End users don't really have any way of knowing if things are better or not as they don't have the tools, knowledge or skill.
3. Some people developing alarms seem happy with this being the status quo. If I can write "AES-128" on my box, that's all they care about.
cybergibbons (author) Posted May 22, 2013

> > The way I see it, there are several stages this system has gone through:
> > 1. Customers were allowed to reset alarms themselves. ARCs didn't want them to do this - what's the reasoning here?
>
> ARCs don't like doing anything. Most want to sit and have blank screens and no phones to answer. This then becomes a profitable business.
>
> > 2. A simple 00-99 quote and reset code system was developed and used by several panels. Someone must have deemed this inadequate because a more complex system was developed. Why was this required?
>
> If you get enough resets and write them down you would get a full house of reset codes, so you wouldn't have to call the ARC again?
>
> > 3. Technistore was developed which claims "military grade encryption" is used, and looks like it is licensed out to alarm manufacturers.
>
> Today yes, but in the past they sold a standalone unit that they sold to fit to panels that didn't have remote reset in those days.
>
> > So, the complexity of it has moved forwards incrementally over time. What was the reasoning for moving forwards? Were people finding that the 00-99 codes were being bypassed by customers? Or, in reality, was it just Technistore looking to make some money by artificially creating a need for security round this process?

Thanks Matt. You've raised something interesting there. With the 00-99 mapping system, you'd need to get all 100 pairs to be sure of the mapping. With Technistore, you need one pair to know the mapping.
sixwheeledbeast Posted May 22, 2013

> The way I see it, there are several stages this system has gone through:
> 1. Customers were allowed to reset alarms themselves. ARCs didn't want them to do this - what's the reasoning here?
> 2. A simple 00-99 quote and reset code system was developed and used by several panels. Someone must have deemed this inadequate because a more complex system was developed. Why was this required?
> 3. Technistore was developed which claims "military grade encryption" is used, and looks like it is licensed out to alarm manufacturers.
> So, the complexity of it has moved forwards incrementally over time. What was the reasoning for moving forwards? Were people finding that the 00-99 codes were being bypassed by customers? Or, in reality, was it just Technistore looking to make some money by artificially creating a need for security round this process?

New rules made the requirement of the anti-code's reply the same as the codes to unset, IIRC. So a 4 digit is required for Grade 2 and a 6 digit is used for Grade 3. However, 4 digit anti-codes were used long before 2004.

> Thanks Matt. You've raised something interesting there. With the 00-99 mapping system, you'd need to get all 100 pairs to be sure of the mapping. With Technistore, you need one pair to know the mapping.

I still don't see how you can get the mapping from only one complete pair.

Have you looked into any other popular ones? Tunstall or Texe for example.
cybergibbons (author) Posted May 22, 2013

> New rules made the requirement of the anti-code's reply the same as the codes to unset, IIRC. So a 4 digit is required for Grade 2 and a 6 digit is used for Grade 3. However, 4 digit anti-codes were used long before 2004.

So I wonder what drove the standard to require that and where the 5-digit Technistore code fits into this? There must have been some reason behind it being 5-digit - it's rarely seen as a code length.

> I still don't see how you can get the mapping from only one complete pair.

It's a combination of the long code and short key. The key allows 256 distinct mappings between the quote code and reset code. That means that 12345 quote can only map to at most 256 of the 100,000 possible output values. 99,744 of the outputs are not possible - our keyspace has been reduced hugely.

Notice I say "at most 256". It is possible for 12345 to map to 98765 using one or more keys. In fact, 12345 could map to 98765 using all 256 keys, but then we wouldn't need to find out the key at all.

So if you tell me the reset code and I know the quote code, it is highly likely that I can just guess the key. For a very limited number of quote/reset pairs, I get 2 possible keys (in fact, there are two combinations with 4). So more than 99% of the time, I just need a single quote/reset pair to work out the key.

So normally I get something like:

12345/74643 - only possible key is 123 (99.25% of the time)

Sometimes I get this:

23654/34234 - two possible keys 232 and 154 (about 0.75% of the time)
98747/37265 - one possible key 232 (about 99.25% of the time)

It would be really unlikely to get this:

23654/34234 - two possible keys 232 and 154 (about 0.75% of the time)
91737/72764 - two possible keys 078 and 154 (about 0.75% of the time)
(we know the key is 154 as it is the only common one)

Vanishingly small chance of this happening:

23654/34234 - two possible keys 232 and 154 (about 0.75% of the time)
73748/38377 - two possible keys 232 and 154 (about 0.75% of the time)
98747/37265 - one possible key 232 (about 99.25% of the time)

I've just tested these by running every single possible combination of key and input code against the algorithm.

> Have you looked into any other popular ones? Tunstall or Texe for example.

Not in any detail - have started looking at Texecom. Not aware of Tunstall.
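The keyspace argument above (256 keys, 5-digit codes, one pair almost always pins the key) and the earlier suggestion that a longer key would fix it can both be checked with a small brute-force experiment. The code below is an added example and is not cybergibbons' code, nor the Technistore algorithm, which is not on this page. It assumes a stand-in keyed mapping (HMAC-SHA256 of the quote code, reduced to five digits) so that the mapping behaves like a random function of key and quote; that is the most favourable case for the defender, so any weakness it shows comes from the key length alone, not from a bad algorithm. The quote codes and the installer key 154 are constructed values.

```python
import hashlib
import hmac
import math

CODE_SPACE = 100_000          # 5-digit quote and reset codes, as discussed in the thread
TECHNISTORE_KEY_BITS = 8      # "256 distinct mappings" per the thread: an 8-bit key


def reset_code(key: int, quote: int, key_bits: int = TECHNISTORE_KEY_BITS) -> int:
    """Stand-in keyed mapping from a 5-digit quote code to a 5-digit reset code.

    Assumption: this is NOT the Technistore algorithm. HMAC-SHA256 reduced mod
    100000 is used only so that the output looks like a random function of
    (key, quote), i.e. the best case a short key could hope for.
    """
    key_bytes = key.to_bytes(max(1, (key_bits + 7) // 8), "big")
    mac = hmac.new(key_bytes, f"{quote:05d}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % CODE_SPACE


def candidate_keys(pairs, key_bits: int = TECHNISTORE_KEY_BITS):
    """Brute force: every key consistent with all observed (quote, reset) pairs.

    Only feasible when key_bits is small; with 8 bits it is 256 trials per pair.
    Passing several pairs intersects the candidate sets, which is how the
    "two possible keys" case in the thread is resolved.
    """
    return [k for k in range(1 << key_bits)
            if all(reset_code(k, q, key_bits) == r for q, r in pairs)]


def single_pair_unique_fraction(true_key: int, quotes,
                                key_bits: int = TECHNISTORE_KEY_BITS) -> float:
    """Fraction of quote codes for which ONE quote/reset pair pins the key uniquely.

    For a random mapping each of the other 255 keys collides with probability
    1/100000, so roughly 99.7% of single pairs identify the key outright.
    """
    quotes = list(quotes)
    unique = sum(
        1 for q in quotes
        if candidate_keys([(q, reset_code(true_key, q, key_bits))], key_bits) == [true_key]
    )
    return unique / len(quotes)


def key_bits_remaining(key_bits: int, pairs_seen: int) -> float:
    """Upper bound on key entropy left after observing pairs_seen quote/reset pairs.

    Each 5-digit reset code can reveal at most log2(100000) ~= 16.6 bits of key,
    so an 8-bit key is fully exposed by one pair while a 128-bit key still has
    more than 111 bits unknown, far beyond what a customer could enumerate.
    """
    return max(0.0, key_bits - pairs_seen * math.log2(CODE_SPACE))


if __name__ == "__main__":
    key = 154                     # hypothetical installer key, any value 0-255
    quote = 23654                 # constructed quote code from the keypad
    reset = reset_code(key, quote)
    print(f"quote {quote:05d} -> reset {reset:05d}; consistent keys: {candidate_keys([(quote, reset)])}")
    frac = single_pair_unique_fraction(key, range(0, CODE_SPACE, 997))
    print(f"a single pair pins the 8-bit key uniquely {frac:.2%} of the time")
    print(f"128-bit key after one pair: about {key_bits_remaining(128, 1):.0f} bits still unknown")
```

Running it samples about a hundred quote codes under key 154, recovers the key from each single pair by trying all 256 keys, and reports how often the recovery is unambiguous; `key_bits_remaining` then shows why the same observation tells an attacker almost nothing about a 128-bit key.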
norman Posted May 22, 2013

Lot of effort for little gain, IMO. Anti-codes are to manage resets; no one benefits in the long run by circumnavigating this.

Nothing is foolproof to a sufficiently talented fool.
james.wilson Posted May 22, 2013

> Lot of effort for little gain, IMO. Anti-codes are to manage resets; no one benefits in the long run by circumnavigating this.

Agreed, all it prevents is resetting. Granted it's not perfect, but I'd say your work on RF integrity and ATS etc. is far more valuable. But I guess this is what interested you?

securitywarehouse Security Supplies from Security Warehouse. Trade Members please contact us for your TSI vetted trade discount.
cybergibbons (author) Posted May 22, 2013 (edited)

It's all part of learning. Nothing lost for a few hours' work.

Edited May 22, 2013 by cybergibbons
Joe Harris Posted May 22, 2013

I appreciate the insight still. It just highlights the unquestioning way industry accepts statements, and that we ought to be questioning them where established third party certification has not been carried out.