Research and Development into Commercial and Domestic Alarm Systems
As part of my Radio Frequency research, I wanted to not only look at vehicles but also household name burglar alarm systems. To that end I decided to look at three main manufacturer types that seemed to take a large portion of the market share.
My findings concerned me, especially how some of them were trivial to bypass and disarm. One of the alarms did come out on top, however, I did manage to defeat its ‘rolling-code’!
I will go through the results of all three systems, but will begin with the one I found most interesting due to its claims of security assurance via the rolling code system and ‘Anti-Jamming’. The other alarms were fun and shocking, as I was able to defeat them with much more ease. Not utilising rolling-code technology, simply capturing the static RF TX and then replaying, I was able to dis-arm the alarms at my leisure. My research also indicated that System B seemed to be well placed in commercial environments, office and businesses while both B and C had the added feature of RFID (Radio Frequency Identification) tags to dis-arm the systems by presenting enrolled tags to the panels. This also added another attack vector which was easily compromised.
The RF key fob was already paired with the first system I tested, so I pressed the arm button on the key fob. Sure enough the box ‘bipped’ and flashed lights indicating the armed status was all good.
I fired up my trusty RTL-SDR and HackRF and started scanning whilst repeatedly arming and dis-arming the alarm system. Clear as day, I could identify the chirps sat around the 868.275000 MHz frequency. I set up the contact sensor and PIR unit provided with the box and confirmed that, when triggered and the alarm armed, it did indeed sound the high pitch squawks.
I then started looking at the dis-arm RF sequence. Using the HackRF, I carefully inputted the frequency and began to record the OTA noise. I pressed the dis-arm button once on the key fob, which dis-armed the box with a ‘blipp’. I rearmed the system and replayed the RF chirp back to the box from the HackRF and nothing happened. I expected this because it had rolling-code. I repeated the process, arming and disarming the system via the key fob, but recording the second attempt with the HackRF. I then rearmed and attempted to replay the second sequence. Again, nothing! I expected this! In fact, I did not expect anything to change here, rolling-code, right? I retried the whole thing again for the third time; armed and dis-armed via the key fob and then rearmed and replayed the third captured ‘chirp’ from the HackRF with the expectation of nothing and wondering how many times I was going to do this all before getting bored and moving on to the next alarm system.
Then I heard this ‘blipp’ and the lights flashed on the box. I was shocked, wondering if there really just three possible rolling-codes before repeating them?
I set about redoing the whole experiment only to arrive at the same conclusion. I decided to hang-on to the three chirps I had caught and set about arming and disarming, triggering, and disabling the alarm in order to hopefully expend as many codes as I could. I re-armed the system from the key fob and started to replay my captured chirps one-by-one. I first replayed the third chirp from the HackRF, which worked before. Nothing happened. I replayed the first chirp again, and, nothing. I replayed the second captured from the HackRF; the box ‘blipped’ and flashed its lights. The code had rolled, but only to one of the three that I had caught. I tried this several times, being able to dis-arm the alarm box with 100% success by toggling through and replaying each of the three captured chirps! I then examined the sequences from all three captures via Audacity, shown below. I hope to provide some more information on this when I have spoken to the manufacturer.
Okay, so you ask, ‘this all good, but you need to capture all of the believed three unique rolling-codes!’ Yes I know, but that was very easy! I started to analyse the wireless RF transmissions coming from the contact sensor and the PIR unit. What I noticed was that the RF TX sequence was static; the same every time. By capturing this TX with the HackRF, I would be able to send a RF TX trigger to the alarm box indicating an activation of the sensor, thus triggering the alarm.
I armed the alarm box, made sure that the sensors were not activating or sending any intruder signals to the box. I replayed the door sensor RF sequence from the HackRF and the alarm wailed away. I repeated this several times with 100% success.
The attack vector here is simple; by having a door sensor on the front door of a building, it would be trivial to capture the RF TX that could be replayed another time. By triggering the alarm in the dead of night, the occupant / user of the system would elect to press the dis-arm button. Triggering the alarm three times, the owner would have dis-armed the alarm three times and if an appropriately position attacker was able to capture those dis-arm chirps, the rolling-code sequences would all be caught ready for a replay another day.
In conclusion, rolling-codes are the way to go to help prevent replay attacks, however, we normally like to see thousands if not millions of rolling-codes in any systems inventory, making the attack method I used not viable. Having just three rolling-codes, if that is the case, just does not cut it in my opinion. We are reaching out to the manufacturer to get to the bottom of what is going on. Just for confirmation that our alarm box was not faulty, we went out and purchased another and confirmed that our initial findings where indeed true.
This is a nice looking alarm system and I had some big expectations in regard to security, however, I was quite simply, very disappointed. I assembled the system and got straight to work in identifying the TX frequency for the dis-arm TX from the key fob. I utilised that RTL-SDR and roughly focused my efforts around the 868 MHz centre frequency. I quickly identified the frequency and commenced capturing the chirp from the key fob via the HackRF.
I wanted to confirm if the alarm system was using rolling-code, however, once I had replayed the captured dis-arm TX sequence over ten times with 100% success, it was very apparent that rolling-codes were not in use.
This system was particularly vulnerable to replay attacks, an appropriately positioned attacker would only have to capture one dis-arm TX to be able to dis-arm continually to their hearts content.
Another device that could be utilised to clone the TX sequence is one of the 433 & 868 MHz key fob cloners that are out on the market (shown to the right). The only downside isthat you have to be within 10 cm of the original key fob TX to successfully capture the chirp. Successful cloning of the alarm’s TX dis-arm chirp was 100% successful.
The second drawback with this alarm system was the vulnerable RFID tag dis-arming ability. The control panel has in it an RFID reader, which reads RFID tags when they are presented to the control panel. If the tag is enrolled on the system, it will dis-arm an armed system.
My next bit of research was to ascertain what protocols the tags were using. I unpacked my Proxmark 3 and presented the tag to the low frequency antenna to see if I could identify the tag. Sure enough, I was able to identify the tag as utilising the EM4100 protocol, which stores data on the tags in a read-only format with seemingly no encryption. The attack vector here was to simply clone it. I was able to clone the tag onto a writeable T5577-ISO RFID card. I confirmed that the clone was good and then proceeded to test my theory against the control panel.
I armed the panel, which ‘blipped’ and went into armed mode. I then presented the cloned card to the panel and the panel ‘blipped’ again and it was dis-armed.
The attack vector here would require the attacker to be in close vicinity to the owner of the tag. Now, these tags are designed to fit nicely onto your bunch of keys, an obvious place to put them, but without any shielding, the tag is vulnerable to cloning. The down side is that you have to be within 5-7 cm of the tag to energise it enough to get a clean read, but, that was a design problem I set out to fix. I managed to source some handheld RFID cloner components and set out to build a non-conspicuous cloner. In this case, a book. The last thing you want is someone belting you about the head because you are having to rub yourself up to them in order to get close enough to the original tag. I have included an image below of the design and camouflage I used. It looks like a diary and doesn’t look out of place whilst bumping into people on tubes, trains and a busy pedestrian areas where your target may be. I have also considered and built a concept that fits into a standard cigarette packet, but smoking is ever becoming socially unacceptable.
In conclusion, Alarm B is a nice looking alarm system which is functional and will provide intruder detection capabilities, but it does lack security features, meaning a targeted attacker would be able to dis-arm the system in a couple ways. Some would say it is rather useless as it is so vulnerable to this sort of attack.
Alarm C was also a great looking system and seemed to be well made with robust construction and was easy and straight forward to set up and configure.
I experienced very similar issues with Alarm C as I did with the Alarm B, in that I could capture a single dis-arm TX and replay it over and over again to dis-arm the system; no rolling-codes. I identified the chirp at around 868.191000 MHz and was able to obtain a solid capture with the HackRF.
The RFID element for dis-arming and entry into the configuration mode was also easily bypassed. It utilised the same EM4100 EM4100 and was cloned in seconds to my writable T5577-ISO RFID card.
The only thing that concerned me was that I see a lot more of these systems protecting commercial buildings while the other two seemed to be more domestically placed. Given the vulnerabilities I identified with this alarm, I would be cautious as to what and where I would deploy them and what to protect.
In conclusion, Alarm C is a strong looking alarm system which is functional and will provide intruder detection capabilities, but again, it does lack security features, meaning a targeted attacker would be able to dis-arm the system in a couple ways, rendering it useless!
From the research conducted on the three alarm systems we conclude that there is an issue with the easy capture of the radio frequencies to disarm an alarm. We will be exploring more models, especially more like Alarm A, as the rolling-code implementation really interests us.
We are currently conducting wider research on rolling codes and how manufacturers are using this as a method to make their products more secure. Watch this space.