Avoid this Wireless Alarm Hack

March 13, 2015
What dealers need to know about the widely publicized vulnerability, and what to do about it

The value of your subscriber contracts may be vanishing before your eyes if you have been installing wireless burglar alarms. In fact, hackers have already figured a way to break into and jam a wireless burglar-alarm system —enabling the perpetrator to easily create false alarms, monitor the activities of the homeowners and disarm the system.

The hack was featured on a recent episode of ABC’s Good Morning America, exposing the unsecure nature of radio messages between wireless sensors and the alarm panel. As a result, subscriber contracts for systems with vulnerable hardware are worth much less than before, as any buyer would then need to install new hardware or be legally liable for their decision not to do so.

Inside the Vulnerability

A decade or so ago, the equipment needed to hack an alarm system as shown on the Good Morning America segment would have cost tens of thousands of dollars — and it would have needed to be loaded on a large rack installed in close proximity to the wireless burglar-alarm system it was targeting. Today, with the explosion in technological advancements a burglar’s “tool kit” now includes electronics —including Software Defined Radios (SDRs), which now come free with the purchase of a $20 antenna to connect to a laptop computer. Now, any video gamer can go online to purchase an SDR, which comes with alarm-hacking instructions to mimic the tricks seen on Good Morning America.

But GMA is not the only one talking about this issue. In July 2014, Forbes Magazine ran a feature story that covered the topic in detail — even listing specific brands of vulnerable hardware, including some of the most commonly used devices available today. Additionally, the topic was featured at the 2014 Black Hat Briefings, a computer security conference that brings together a variety of people interested in information security.

At Black Hat, two researchers — Logan Lamb, a security researcher at the Oak Ridge National Lab and Silvio Cesare of Qualys — separately looked at top-selling wireless home alarm systems. Lamb looked at three top brands of home alarm systems from ADT, Vivint and a third unidentified company; Cesare looked at several popular systems used in his home of Australia.

Using simple tools, they proved the alarms can be disarmed, suppressed or even create multiple false alarms that would then make the system seem unreliable. The alarm-hacking presentations were given to representatives of government agencies and corporations, as well as expert hackers who attend the conference. Lamb was the one featured in the GMA segment — where he demonstrated to the world how to exploit two different weaknesses in a typical sensor radio: single-frequency transmission and unencrypted messages. These weaknesses allow both jamming and spoofing (hacking), which is mimicking of a signal from the system.

Jamming occurs when a radio is used to broadcast a stronger signal than the targeted sensor using the same frequency. The result is that no communication from that sensor to the alarm panel is possible. Lamb used an SDR antenna to jam the front-door sensor. He then “spoofed” the unencrypted system by eavesdropping and recording a sensor radio-transmission message sent to the control panel and then retransmitted the same messages at a later time.

Lamb explained that he recorded a signal that indicated an alarm event was taking place then later sent that recorded signal to the system’s control panel, which went into alarm because it had received an alarm signal — not from the sensor, but from Lamb’s laptop. In effect, he could create false alarms on demand, which can result in many manners of havoc.

Keep in mind that spoofing is not jamming. Jam detection does nothing to prevent a hacker creating false alarms or remotely monitoring the movements of the alarm owner.

There is a Solution

Solutions to jamming and eavesdropping on radio messages have been around for a long time and already exist in some alarm systems. Jamming can be eliminated by using spread-spectrum technology (S-ST), which was developed by the military to prevent their radios from being jammed on the battlefield. The first radios were easy to jam once the enemy discovered the frequency/channel; after finding the frequency, all that was necessary was to broadcast a powerful “noise” signal on the same channel to blot out the message.

Spread spectrum prevents jamming because the message hops around on many different frequencies/channels to dodge the interference. An easy way to understand this is to imagine driving a one-lane road. All someone needs to do to jam traffic is to put a large van on the road in front of you. In contrast, spread spectrum is like driving on a 25-lane highway. If that same van attempts to block one lane, you simply change lanes to pass.

Like the driver on the 25-lane expressway, a device with spread-spectrum technology sends a message capable of switching channels to avoid traffic and interference. Although there are many variations of spread spectrum and methods of how the message chooses different lanes, the concept is the same.

Lamb explained also that encryption may be a successful tool to stop these attacks. For encryption to be effective in an alarm system, a sensor is programmed with a mathematical equation and a hidden numerical “key.” To protect the integrity of the “key,” it is never sent across the network, thus it cannot be intercepted. For every communication, the sensor sends a scrambled message to the control panel, which then reverses the complex equation to verify the identity of the sensor/sender and puts the message back in order. Each sensor also has a calculator that generates a one-time scrambled message for each radio transmission to the panel to further complicate things for hackers.

Suppose a hacker uses an SDR to eavesdrop on encrypted wireless communications and send a message from the door contact to the panel. When the hacker attempts to rebroadcast the recorded message, the panel knows to ignore the message because the one-time scrambled message has already been used and the time stamp is invalid. This is the same technology used to secure the data and the networks of the world’s IP infrastructure.

While there are many types and levels of encryption, the Advanced Encryption Standard (AES) is probably most widely used. AES encryption protects both military and enterprise networks from hackers and eavesdropping. Keep in mind that nearly all encryption can be broken with enough time and computer horsepower, but this is the realm of the National Security Agency and beyond the reach of this level of alarm-system hacker.

The Message to Dealers

There are two options for security dealers: passively deny responsibility and accept the liability or proactively take action. Doing nothing equals losing the customer and the future contract renewals on which you are banking; being proactive and replacing the equipment or deploying mitigation technologies will allow you to remediate the situation and retain your customers far into the future.

To protect their customers, their reputation and the value of their companies, here are three things alarm dealers need to understand and do:

1. Understand that the world has evolved and new inexpensive hacking tools with accompanying “educational websites” are being promoted online. Single-frequency radios that are not encrypted can and will be hacked, spoofed and jammed — creating false alarms, fines and much worse.

2. Stop investing in a vulnerable technology that decreases consumer confidence in what you sell, increases your liability and loses value every day. Alarm dealers should install only wireless systems that use spread-spectrum radios and encrypt all communications.

3. Develop a strategy to replace the vulnerable equipment with state-of-the-art equipment that will retain value for years to come and regain the value your contracts have lost. If you do not replace the vulnerable equipment, be assured that there are companies and lenders out there that will take advantage of this opportunity to gain market share by taking away yours.

Patrick Devereaux is Vice President of EMERgency 24, an alarm monitoring provider. To request more info about the company, please visit www.securityinfowatch.com/10490451