Jump to content
Security Installer Community

Security Of Anti-Codes

cybergibbons
 Share

Recommended Posts

cybergibbons Newbie

cybergibbons

Posted
  • Author
Posted (edited)

Hence the rhetorical question.

Technically it's not encryption either. So, on a marketing and technical level, it's pretty bad.

Where's the line? "This alarm uses rolling code" and the rolling code is 1,2,3,4. Is that dodgy?

Indeed it does. All return anticode 18003

So if I am allowed chosen plaintext (i.e. I can call up the ARC and tell them whatever quote code I chose, and get a response), then it wouldn't require many pairs to get the keys. I don't know how possible this would be, as I think they would have to see an alarm activation, which means I would need a real quote/code pair.

If it's only known plaintext (i.e. I am using valid quote codes generated by the alarm), it would be quite a lot more pairs required. Still a tiny number compared to the security a 2048-bit key affords.

All of this would have been caught by an undergraduate doing a cryptography coursework "Is this homebrewed MAC secure?".

It wouldn't have been hard to make this secure at all. Actually, I think it would be less effort just using something ready made.

Edited by cybergibbons

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Cubit Newbie

Cubit

Posted
Posted

How do I change that though? I've looked at a good few systems, enough that I can form an opinion of where they lie in terms of security. I've posted information on why I think the bad products are bad, some of which has been in quite a lot of depth. I can go into more depth, but as many have said, it would be beyond them.

I can argue that installers aren't in possession of all the facts - there are alarm systems that fall far short of the marketing.

The problem is that, and it is entirely your call, you only release some information whilst alluding to other products (unnamed) either having problems or inferring that they do.

This is very misleading to the public in general and to those amongst us who are quick to castigate a product (or company) but then do a 360 degree turn based on something they read on the web without being able to validate the new 'facts'.

Technically it's not encryption either. So, on a marketing and technical level, it's pretty bad.

 

But is it illegal? No.

Is it factually incorrect? i'd say no because no specifics mentioned.

 

In effect, no different to the bull put out by any other company or business.

matthew.brough Newbie

matthew.brough

Posted
Posted

You can't choose the code you quote to the arc, the remote reset unit decides that but most seasoned end users are clued up on the things to say to get a remote reset so you could generate some alarms, call the arc and get the resets for 'valid' reasons and you would have enough code and anticodes to do your maths.

www.securitywarehouse.co.uk/catalog/

cybergibbons Newbie

cybergibbons

Posted
  • Author
Posted

The problem is that, and it is entirely your call, you only release some information whilst alluding to other products (unnamed) either having problems or inferring that they do.

This is very misleading to the public in general and to those amongst us who are quick to castigate a product (or company) but then do a 360 degree turn based on something they read on the web without being able to validate the new 'facts'.

I don't recall any point where I haven't given enough evidence to back up a claim about a specific product. If I haven't named the product, it is because the manufacturer has made it clear they would be interested in legal action, so I need to be careful.

The system that I didn't name that I don't think is good, I provided a document describing a similar system, and asked you to make your own conclusions. Open up a Scantronic wireless panel, look at that document, compare the radio modules, make your own judgement.

But is it illegal? No.

Is it factually incorrect? i'd say no because no specifics mentioned.

 

In effect, no different to the bull put out by any other company or business.

I don't know. I'd question the use of the word "encryption" under trading standards.

If your signalling system claimed it was encrypted and it turned out to be as weak as this, would that not be of concern?

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Cubit Newbie

Cubit

Posted
Posted

I don't recall any point where I haven't given enough evidence to back up a claim about a specific product. If I haven't named the product, it is because the manufacturer has made it clear they would be interested in legal action, so I need to be careful.

The system that I didn't name that I don't think is good, I provided a document describing a similar system, and asked you to make your own conclusions. Open up a Scantronic wireless panel, look at that document, compare the radio modules, make your own judgement.

I don't know. I'd question the use of the word "encryption" under trading standards.

If your signalling system claimed it was encrypted and it turned out to be as weak as this, would that not be of concern?

Your constant play on words, inferences, claims suggesting you are the 'good guy' etc etc are misleading. The easily led fall for it, not i.

I'm out!!

matthew.brough Newbie

matthew.brough

Posted
Posted

If your signalling system claimed it was encrypted and it turned out to be as weak as this, would that not be of concern?

Absolutely

www.securitywarehouse.co.uk/catalog/

cybergibbons Newbie

cybergibbons

Posted
  • Author
Posted

Your constant play on words, inferences, claims suggesting you are the 'good guy' etc etc are misleading. The easily led fall for it, not i.

I'm out!!

One of the big reasons I am here is to make sure anything I infer isn't false.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

matthew.brough Newbie

matthew.brough

Posted
Posted

One of the big reasons I am here is to make sure anything I infer isn't false.

He gets moody occasionally. :realmad:

www.securitywarehouse.co.uk/catalog/

Cubit Newbie

Cubit

Posted
Posted

He gets moody occasionally. :realmad:

not at all.

But if you'd pay more attention you'd notice the issues...and who I was referring to.

Joe Harris Newbie

Joe Harris

Posted
Posted

It wouldn't have been hard to make this secure at all. Actually, I think it would be less effort just using something ready made.

 

One of my many arguments for standardised protocols.  Why reinvent the wheel?  Especially when you make a round wheel square in the process.....

btn_myprofile_160x33.png


 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.


×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept