Tagged: burglar alarms

Hacking Alarm Systems with an RTL-SDR and RFcat

Back in 2014 the author of boredhackerblog.blogspot.com did a final year project for his wireless security class on hacking home alarm systems. His presentation was titled “How we broke into your house”. In his research the author used both an RTL-SDR and a simple RFcat wireless transmitter and performs a simple replay attack on a cheap $50 alarm system. His process for reverse engineering the alarm was essentially:

  1. Look up the device frequency and listen to it with an RTL-SDR and SDR#.
  2. Record the signal and visually study the waveform in Audacity.
  3. Look up system part info and determine encoding type (e.g. ASK/OOK)
  4. Determine the bit string and baud rate.
  5. Program the RFcat to send the same disarm binary string.

Once again research like this shows that cheap home alarm systems have literally zero protections against wireless attacks. In a previous post we also showed how the popular Simplisafe wireless alarm system could be disarmed in a somewhat similar way.

$50 home alarm system broken by an RTL-SDR and RFcat.
$50 home alarm system broken by an RTL-SDR and RFcat.

Reverse Engineering the SimpliSafe Wireless Burglar Alarm

SimpliSafe is a home security system that relies on wireless radio communications between its various sensors and control panels. They claim that their system is installed in over 300,000 homes in North America. Unfortunately for SimpliSafe, earlier this week Dr. Andrew Zonenberg of IOActive Labs published an article showing how easy it is for an attacker to remotely disable their system. By using a logic analyser he was able to fairly easily reverse engineer enough of the protocol to discover which packets were the “PIN entered” packets. He then created a small electronic device out of a microcontroller that would passively listen for the PIN entered packet, save the packet into RAM, and then replay it on demand, disarming the alarm.

A few days later Micheal Ossmann (wireless security researcher and creator of the HackRF SDR and YardStick One) decided to have a go at this himself, using a YARD Stick One and a HackRF SDR. First he used the HackRF to record some packets to analyze the transmission. From the analysis he determined that the protocol was an Amplitude Shift Keying (ASK) encoded signal. With this and some other information he got from the recorded signal, he could then use his Yardstick One to instantly decode the raw symbols transmitted by the keypad and perform a replay attack if he wanted to.

Next, instead of doing a capture and replay attack like Andrew did, Micheal decided to take it further and actually decode the packets. This took him a few hours but it turned out to not be too difficult. Now he is able to recover the actual PIN number entered by a home owner from a distance without having to do any transmitting. With the right antenna someone could be gathering 100’s of PINs over a distance of many miles. Also, an expensive radio is not required, Micheal notes that the gathering of PIN numbers could just as easily be done on a cheap $10-$20 RTL-SDR dongle.

Micheal notes that the SimpliSafe alarm seems to lack even the most basic cryptographic protection, and that this is a problem that is seen all too often in wireless alarm systems. Rightly so, Micheal and Andrew are not publishing their code, although it seems that anyone with some basic knowledge could repeat their results.

The SimpliSafe Alarm Keypad and a Yardstick One.
The SimpliSafe Alarm Keypad and a Yardstick One.