Seekintoo cybersecurity researcher Dayton Pidhirney has been investigating security flaws in wireless IoT (Internet of Things) based alarm systems, and has identified six issues that can be used to bypass or disable an alarm. Five attack the RF portion of the IoT device, and one attacks it through the traditional IP network.
In his post he specifically attacks the iSmartAlarm (ISM). This is an IoT home alarm system that comes with several sensors and can be controlled via an app on your smartphone. The unit uses the Texas Instruments CC1110 RF SoC, which implements the SimpliciTI low-power radio network protocol. Dayton notes that the majority of the attacks are not specific to a single manufacturer and could be applied to other IoT devices as well.
Using a variety of hardware, including a logic analyzer, Yardstick One, GoodFET, RFCat and a USRP B210 software defined radio, and several pieces of software, including GNU Radio, GQRX, Baudline and Audacity, Dayton was able to attack the alarm in the following ways:
- Brute-force attack on the alarm system device source addresses.
- Remotely clone authenticated devices used to interact with the alarm system security features.
- Decryption of authenticated devices' radio communications, allowing remote attackers to craft packets used to send arbitrary commands to the alarm system.
- RF Jamming.
- Assisted replay attack.
The post goes into deep detail on the methods he used to reverse engineer the device and is a great tutorial for anyone wanting to get into wireless IoT security research.