Stupid Security In A Security System

alarm

[Yaehob]‘s parents have a security system in their house, and when they wanted to make a few changes to their alarm rules – not arming the bathroom at night – an installer would come out, plug a box into the main panel, press a few buttons, and charge 150 €. Horrified at the aspect of spending that much money to flip a few bits, [yaehob] set out to get around the homeowner lockout on the alarm system, and found security where he wasn’t expecting.

Opening the main panel for the alarm system, [yaehob] was greeted with a screeching noise. This was the obvious in retrospect tamper-evident seal on the alarm box, easily silenced by entering a code on the keypad. The alarm, however, would not arm anymore, making the task of getting ‘installer-level’ access on the alarm system a top priority.

After finding a DE-9 serial port on the main board, [yaehob] went to the manufacturer’s website thinking he could download some software. The website does have the software available, but only for authorized distributors, installers, and resellers. You can register as one, though, and no, there is no verification the person filling out a web form is actually a distributor, installer, or reseller.dist

Looking at the installer and accompanying documentation, [yaehob] could see everything, but could not modify anything. To do that would require the installer password, which, according to the documentation was between four and six characters. The system also responded quickly, so brute force was obviously the answer here.

After writing up a quick script to go through all the possible passwords, [yaehob] started plugging numbers into the controller board. Coming back a bit later, he noticed something familiar about what was returned when the system finally let him in. A quick peek at where his brute force app confirmed his suspicions; the installer’s code was his postal code.

From the installer’s point of view, this somewhat makes sense. Any tech driving out to punch a few numbers into a computer and charge $200 will always know the postal code of where he’s driving to. From a security standpoint, holy crap this is bad.

Now that [yaehob]‘s parents are out from under the thumb of the alarm installer, he’s also tacked on a little bit of security of his own; the installer’s code won’t work anymore. It’s now changed to the house number.

Comments

  1. Mithrandir says:

    “changed to the house number” – this is brilliant.

  2. Bogdan says:

    So the whole Hollywood thing where you plug a cable, run some stuff and find the code is real. wow, I never thought alarms did not have any anti brute force measures.

    • Nick says:

      There’s a difference between brute-forcing a disarm and brute-forcing the installation code (presumably when the system is disarmed).

    • Ben says:

      you are right, imho it’s both sad and funny Hollywood kind of got it right in their movies. However, it’s not 100% accurate. In Movies, the control panel is most times mounted outsides on a wall. And [yaehob] had to enter a code after he opened the box, so a real attack on the system would involve a) getting to the box without tripping the alarm and b) opening the box without tripping the tamper protection (propably by cutting a hole in the cover).
      Nevertheless, finding security flaws in security systems really is a fun thing in general, and [yaehob] went all the way to use that attack vector and succeeded, so props to him. I like that, a real hack.

    • WastingTime says:

      Ehh. It isn’t too surprising. The alarm panel itself is supposed to be protected by the tamper switch which is to alert you to somebody fiddling with the panel when the system is not armed. As noted by yaehob, if somebody can get into your building and open the panel whilst everybody ignores the tamper alarm going off then you’ve lost the game already. Once you’ve got the panel open then you could just yank the entire PCB and swap it for your own one if you were malicious.

      If the manufacturer has done it right then the remote dial in option would use the same system as the keypads which trigger sign in fail alarms if somebody attempts to guess the password. If they’ve just been crap then it’ll be like the internal programming interface.

      The installer password is there to provide installer lock in pretty much. A minor side benefit is that it makes it harder (not for yaehob obviously!) for the home owner to alter it and possibly break something.

      I do agree that the alarm installer should have used a less obvious code! You just need to look around for the little window stickers to determine which houses are most likely to have a similar system + code scheme.

    • George says:

      Maybe because there is no need for more security when you have successfully tricked all the sensors and reached the alarm main control box without anyone finding out. Apart from that, maybe the technicians need the brute force capability in case the password is changed by another technician or by [yaehob] in this case :-)

      • Bogdan says:

        That is true, it makes sense to think that if everything else fails there is no point for this, but then again… it seems to easy.

        • Gyuri Szing says:

          You don’t have to trick the sensors, you just need to do some social engineering.
          One could easily get into any house as an agent selling something, or checking something, or just be invited to a party. Then while the owner is distracted, he could crack the security system. Then he could can back a week/month later and rob the house.

    • Figureitout says:

      There’s some moments like that yes lol. For instance, I was very surprised you could get any dorm room open w/ just a credit card…just like the stupid scenes in the movies lol. One time a friend tried to get in my room when I had a girl over and I just stood there and held the lock lol, good times…

  3. TinkThank says:

    Consumer grade alarm systems are generally pretty pathetic and are easily thwarted. I’ve always wanted to build my own that actually was secure, but I would need to find a monitoring company that would let me interface to them

    • nsayer says:

      Look up “Alarm Relay” in San Diego. They’re an alarm monitoring company that offers service to homeowner-installed systems.

      I am a customer of theirs.

    • Mike Lu says:

      Make your own “service” with Gmail or similar.

    • littledaz says:

      Yeah that reminds of when I was 11, came home from school and had a brain-fart over the disarm code. Alarm started ringing so I opened the control box and pulled out every push-fit contact in there, still ringing so I put them back, accidentally wired the backup battery in reverse – fizzle, pop and the alarm stopped. My folks were hugely annoyed that a kid could crack their new ‘secure’ burglar alarm so the alarm company got the bollocking I probably deserved :) Point of interest – not a single neighbor came to check on the disturbance; goes to show that an unmonitored security system is useless

  4. I thought all alarms were always this bad.

  5. Patrick says:

    “[...][yaehob] was greeted with a screeching noise. This was the obvious in retrospect tamper-evident seal on the alarm box,[...] ”
    It doesn’t matter, how bad the security of this system’s design or configuration is, no insurance will ever pay anything in case of a burglary damage, if this security system was part of the contract terms and the seal is broken. ;)

  6. Glenn Gass says:

    you ever had service company hook up wifi? initials of Clients first and last name zip/postal code and number 1. bg405711 would be for bill green, bob gass, bryan gray and anyone else with those type names.

  7. My favorite bit is the fact that the alarm sends the code to the software upon connecting. So brute force wasn’t even necessary. “Hey, what’s-a matter, you no understand English? You can’t come in here unless you say, ‘Swordfish.’ Now I’ll give you one more guess.”

  8. Reg says:

    Actually it seems pretty reasonable security to me. They let him have the information he wanted and serial port access is protected by an alarm and password. Enough to keep the incompetent from meddling where they shouldn’t.

    No thief is going to hang around to brute force an alarm service port. A small video camera pointed at the keypad will do a much better job of getting them in. You know, those things the Chinese sell for $20 in what looks like a lighter, flower or other innocuous package. Yeah, like that thing in the top corner of the window next to the front door….

    • Genki says:

      If a thief knows the alarm only needed zip code for the serial port, all he’d need is a code to disable alarm after breaking in, he could reprogram it to not go off, then come back later. Yeah good idea….

      A fake repair person could exploit this to quietly disable settings, then come back later when no one’s home and not worry about alarm going off.

      Still it’d seem more trouble than it’s worth, most thieves would just break in, grab stuff, and run. The only real loser in this article is a company won’t get to make $150 for a 5 minutes job.

  9. Genki says:

    Quick someone make a full copy of this and the downloaded software and post it in many places before the security company tries to sue to have the secret information removed. Like this one a month ago: http://hackaday.com/2014/07/28/cloning-tektronix-application-modules/

  10. Vino says:

    Often forgotten is that home security systems are not theft ‘inhibitors’, rather theft ‘deterrents’. i.e. not designed to stop, but rather to make it difficult. Home alarm systems are often installed with ‘default’ settings – this case where the zip code was used actually showed some initiative from the supplier. It’s certainly not a ‘lock in’ as any other alarm co can easily override the installer code.

    Nice hack though – the spirit of this site should be education after all.

    • true says:

      This isn’t true.

      With many brands, if you don’t have the installer code or a way to log into the panel, you are screwed unless you 1) send the panel back or 2) brute force the panel. One in particular won’t allow bruteforcing over a serial connection, but will allow it from the keypad bus…go figure.

      • Bogdan says:

        “only from keypad bus” that is interesting…does it have time restrictions against brute forcing?

        • true says:

          On the serial bus, yes – 3 codes per hour. Over the keypad bus, I haven’t tried it seriously, but 20 codes in a minute it had no problem with. I’ve never heard of a lockout via keypad either. (Obviously you can see where I am going with this, and what an upcoming project will be…)

    • Bogdan says:

      Maybe that could be the intent? If anyone switches providers/service the HW can be reused even if the old installer refuses to give the code?

  11. mike says:

    This isn’t necessarily a problem _as long as_ any access is disabled while the system is armed.

  12. MikeWP says:

    BTW, I think he brute-forced the Delphi configuration software that he downloaded and NOT the alarm panel itself. How does the software know the correct access code? As he found out the alarm panel is sending it to the access software on initial connect (in clear text). So there might still be som anti-brute-force measures in the alarm panel itself, but it’s useless in this particular scenario….

  13. Sedzy says:

    I used to work installation tech support for a security company. While this hack may be prudent for cheap systems, in quality alarm panels the installer code is only valid while the system is disarmed. So even if you know it, if it’s armed… Access denied!

    ^ Mike is correct

  14. Miff says:

    If you have physical access to the alarm controller, you can just cut the communication line (typically phone or Internet).

    • true says:

      New panels are tending to use cell primaries with battery backup rather than line siezure, as people don’t have landlines anymore and cell primary is faster (cheaper) to install and service. Many have the cell system built-in to the panel or keypad. It has the secondary benefit that if any tamper goes off, the tamper code is sent pretty quickly. One would have to know the panel in use to shut it off in time.

    • danieljlouw says:

      Cutting the land-line will notify the security company immediately that something is up. Same goes for the cables going to passive IR sensors and so on. They are typically wired NC, so cutting the line will activate the alarm.

      • WastingTime says:

        Yup. You can only cut the line for the very basic alarm systems that aren’t monitored by an alarm monitoring station. You can use things like https://en.wikipedia.org/wiki/RedCARE that will know immediately if somebody is messing with the telephone line.

        You can’t just short the sensor wiring either as the more fancy alarm systems now incorporate EOL resistors. It will trigger the alarm if it detects that the resistance in the wiring has changed. A side benefit is that you only need 2 pairs of wires as the tamper signal is now on the same pair as the sensor itself.

  15. danieljlouw says:

    Don’t be so quick to criticize the crappy security on the software side of the alarm. Note, the control panel has a tamper switch. I’m not sure how the systems work where this guy is at, but here the alarm system actually notify the security company whenever something is triggered. Once the alarm is deactivated they will phone and you must provide a verbal passphrase to prevent a burly guy with guns from charging into your driveway.

    Anyway, So when this tamper channel is activated, the alarm will actually send a tamper signal to the security company. They will know someone is tampering with their things. Also, this control box is hopefully inside the house, hid somewhere in a closet hopefully in the master bedroom or close by.

    So for a criminally minded individual to thwart your security system and steal your TV, he must break in thus activating the (armed) alarm, he must then deactivate it using the keypad code (one wrong code attempt sends security immediately regardless of telephone passphrase), answer the phone, provide the passphrase to prevent security from showing up. Then go through the same process when opening the control box and triggering the alarm again. After this he must then brute the system and change whatever he wants to change.

    Remember, Your security must never be more worth than what you are trying to protect, and in this case, even with the semi-accessible serial port and the area code as the password, everything still sounds pretty secure to me. No robber is going to bother with all this trouble, and no sane person is going to use this to secure the Crown Jewels or something.

    • BillBrasskey says:

      They should just move your comment to the top so no one else has to read all of the insipid armchair coaching above it. Wow. Never going to a home security system convention unless I want to see a bunch of neckbeards in a slap fight lol.
      cough beigebox cough HaD users, is usually still got its cheese sitting in the wind for whatever mitm and testcodery one could want to try. Its amazing paperclip lock keeping all ne’erdowells at bay.

  16. Lwatcdr says:

    Why would you put a sensor on your bathroom door? Are you afraid that they will sneak in through the toilet?
    Usually you alarm the access points leading outside like doors and windows.

    • WastingTime says:

      It may be a ground floor bathroom that wasn’t used very much at night back when the alarm system was initially installed. If it has a big window that is accessible then it wouldn’t be too strange to have that protected when in night mode.

    • Steve says:

      I’ve had someone break into the house through the toilet window before. Now theres a lock on the window and on both sides of the toilet door (plus a sensor on the window).

  17. cybergibbons says:

    The alarm is a Bentel/Tyco one if I’m not mistaken.

  18. z says:

    Kodak photo kiosk passwords are always the store number. look on your receipt to find it. store number too short? add 0’s to the beginning.

  19. Rick says:

    when security to keep the owner from modifying his own alarm system is better than the security the alarm system provides, or the alarm system works harder to protect itself than it does the home, it’s time to find a new alarm :(

  20. Chris T says:

    So, he makes fun of the code being set to his postal code. To “fix” this, he sets it to his address? LOL

  21. littledaz says:

    Before brute-forcing methodically like the Op I’d recommend putting some significant numbers/dates at the top of your script – of the five houses with alarm systems which I lived in at university, three of the (user) codes were 1402 (valentine’s day), one was 2512 (Christmas) and the other was 4444 – I only remember these because they were ‘meaningful’ rather than random numbers, the installer code on my latest alarm was the company’s phone number, my old office had mechanical combination locks and you could open most of them with the first five primes or first five numbers in the Fibonacci sequence (technically from the second ‘1’ onwards for the pedants) The most secure areas in that building were the same numbers but backwards! Secure passwords aren’t dead but they may be having a nap :)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 94,037 other followers