Stupid Security In A Security System

alarm

[Yaehob]’s parents have a security system in their house, and when they wanted to make a few changes to their alarm rules – not arming the bathroom at night – an installer would come out, plug a box into the main panel, press a few buttons, and charge 150 €. Horrified at the aspect of spending that much money to flip a few bits, [yaehob] set out to get around the homeowner lockout on the alarm system, and found security where he wasn’t expecting.

Opening the main panel for the alarm system, [yaehob] was greeted with a screeching noise. This was the obvious in retrospect tamper-evident seal on the alarm box, easily silenced by entering a code on the keypad. The alarm, however, would not arm anymore, making the task of getting ‘installer-level’ access on the alarm system a top priority.

After finding a DE-9 serial port on the main board, [yaehob] went to the manufacturer’s website thinking he could download some software. The website does have the software available, but only for authorized distributors, installers, and resellers. You can register as one, though, and no, there is no verification the person filling out a web form is actually a distributor, installer, or reseller.dist

Looking at the installer and accompanying documentation, [yaehob] could see everything, but could not modify anything. To do that would require the installer password, which, according to the documentation was between four and six characters. The system also responded quickly, so brute force was obviously the answer here.

After writing up a quick script to go through all the possible passwords, [yaehob] started plugging numbers into the controller board. Coming back a bit later, he noticed something familiar about what was returned when the system finally let him in. A quick peek at where his brute force app confirmed his suspicions; the installer’s code was his postal code.

From the installer’s point of view, this somewhat makes sense. Any tech driving out to punch a few numbers into a computer and charge $200 will always know the postal code of where he’s driving to. From a security standpoint, holy crap this is bad.

Now that [yaehob]’s parents are out from under the thumb of the alarm installer, he’s also tacked on a little bit of security of his own; the installer’s code won’t work anymore. It’s now changed to the house number.

66 thoughts on “Stupid Security In A Security System

      1. Same thing. My hobby has been physical security for 20 years. It pairs well with infosec. From what I understand, the house number is the most common after default codes.

        As you have to get into the house, punch a code, open the box, then use it. It is assumed that it is not at all important, and that is mostly true, but don’t make it easy.

    1. you are right, imho it’s both sad and funny Hollywood kind of got it right in their movies. However, it’s not 100% accurate. In Movies, the control panel is most times mounted outsides on a wall. And [yaehob] had to enter a code after he opened the box, so a real attack on the system would involve a) getting to the box without tripping the alarm and b) opening the box without tripping the tamper protection (propably by cutting a hole in the cover).
      Nevertheless, finding security flaws in security systems really is a fun thing in general, and [yaehob] went all the way to use that attack vector and succeeded, so props to him. I like that, a real hack.

    2. Ehh. It isn’t too surprising. The alarm panel itself is supposed to be protected by the tamper switch which is to alert you to somebody fiddling with the panel when the system is not armed. As noted by yaehob, if somebody can get into your building and open the panel whilst everybody ignores the tamper alarm going off then you’ve lost the game already. Once you’ve got the panel open then you could just yank the entire PCB and swap it for your own one if you were malicious.

      If the manufacturer has done it right then the remote dial in option would use the same system as the keypads which trigger sign in fail alarms if somebody attempts to guess the password. If they’ve just been crap then it’ll be like the internal programming interface.

      The installer password is there to provide installer lock in pretty much. A minor side benefit is that it makes it harder (not for yaehob obviously!) for the home owner to alter it and possibly break something.

      I do agree that the alarm installer should have used a less obvious code! You just need to look around for the little window stickers to determine which houses are most likely to have a similar system + code scheme.

    3. Maybe because there is no need for more security when you have successfully tricked all the sensors and reached the alarm main control box without anyone finding out. Apart from that, maybe the technicians need the brute force capability in case the password is changed by another technician or by [yaehob] in this case :-)

        1. You don’t have to trick the sensors, you just need to do some social engineering.
          One could easily get into any house as an agent selling something, or checking something, or just be invited to a party. Then while the owner is distracted, he could crack the security system. Then he could can back a week/month later and rob the house.

    4. There’s some moments like that yes lol. For instance, I was very surprised you could get any dorm room open w/ just a credit card…just like the stupid scenes in the movies lol. One time a friend tried to get in my room when I had a girl over and I just stood there and held the lock lol, good times…

  1. Consumer grade alarm systems are generally pretty pathetic and are easily thwarted. I’ve always wanted to build my own that actually was secure, but I would need to find a monitoring company that would let me interface to them

    1. Yeah that reminds of when I was 11, came home from school and had a brain-fart over the disarm code. Alarm started ringing so I opened the control box and pulled out every push-fit contact in there, still ringing so I put them back, accidentally wired the backup battery in reverse – fizzle, pop and the alarm stopped. My folks were hugely annoyed that a kid could crack their new ‘secure’ burglar alarm so the alarm company got the bollocking I probably deserved :) Point of interest – not a single neighbor came to check on the disturbance; goes to show that an unmonitored security system is useless

  2. “[…][yaehob] was greeted with a screeching noise. This was the obvious in retrospect tamper-evident seal on the alarm box,[…] ”
    It doesn’t matter, how bad the security of this system’s design or configuration is, no insurance will ever pay anything in case of a burglary damage, if this security system was part of the contract terms and the seal is broken. ;)

  3. My favorite bit is the fact that the alarm sends the code to the software upon connecting. So brute force wasn’t even necessary. “Hey, what’s-a matter, you no understand English? You can’t come in here unless you say, ‘Swordfish.’ Now I’ll give you one more guess.”

  4. Actually it seems pretty reasonable security to me. They let him have the information he wanted and serial port access is protected by an alarm and password. Enough to keep the incompetent from meddling where they shouldn’t.

    No thief is going to hang around to brute force an alarm service port. A small video camera pointed at the keypad will do a much better job of getting them in. You know, those things the Chinese sell for $20 in what looks like a lighter, flower or other innocuous package. Yeah, like that thing in the top corner of the window next to the front door….

    1. If a thief knows the alarm only needed zip code for the serial port, all he’d need is a code to disable alarm after breaking in, he could reprogram it to not go off, then come back later. Yeah good idea….

      A fake repair person could exploit this to quietly disable settings, then come back later when no one’s home and not worry about alarm going off.

      Still it’d seem more trouble than it’s worth, most thieves would just break in, grab stuff, and run. The only real loser in this article is a company won’t get to make $150 for a 5 minutes job.

          1. “what type of security professional would you” gives two results too, one if which has the correct the proper color scheme. The other one might be a reseller?

  5. Often forgotten is that home security systems are not theft ‘inhibitors’, rather theft ‘deterrents’. i.e. not designed to stop, but rather to make it difficult. Home alarm systems are often installed with ‘default’ settings – this case where the zip code was used actually showed some initiative from the supplier. It’s certainly not a ‘lock in’ as any other alarm co can easily override the installer code.

    Nice hack though – the spirit of this site should be education after all.

    1. This isn’t true.

      With many brands, if you don’t have the installer code or a way to log into the panel, you are screwed unless you 1) send the panel back or 2) brute force the panel. One in particular won’t allow bruteforcing over a serial connection, but will allow it from the keypad bus…go figure.

        1. On the serial bus, yes – 3 codes per hour. Over the keypad bus, I haven’t tried it seriously, but 20 codes in a minute it had no problem with. I’ve never heard of a lockout via keypad either. (Obviously you can see where I am going with this, and what an upcoming project will be…)

  6. BTW, I think he brute-forced the Delphi configuration software that he downloaded and NOT the alarm panel itself. How does the software know the correct access code? As he found out the alarm panel is sending it to the access software on initial connect (in clear text). So there might still be som anti-brute-force measures in the alarm panel itself, but it’s useless in this particular scenario….

  7. I used to work installation tech support for a security company. While this hack may be prudent for cheap systems, in quality alarm panels the installer code is only valid while the system is disarmed. So even if you know it, if it’s armed… Access denied!

    ^ Mike is correct

    1. New panels are tending to use cell primaries with battery backup rather than line siezure, as people don’t have landlines anymore and cell primary is faster (cheaper) to install and service. Many have the cell system built-in to the panel or keypad. It has the secondary benefit that if any tamper goes off, the tamper code is sent pretty quickly. One would have to know the panel in use to shut it off in time.

    2. Cutting the land-line will notify the security company immediately that something is up. Same goes for the cables going to passive IR sensors and so on. They are typically wired NC, so cutting the line will activate the alarm.

      1. Yup. You can only cut the line for the very basic alarm systems that aren’t monitored by an alarm monitoring station. You can use things like https://en.wikipedia.org/wiki/RedCARE that will know immediately if somebody is messing with the telephone line.

        You can’t just short the sensor wiring either as the more fancy alarm systems now incorporate EOL resistors. It will trigger the alarm if it detects that the resistance in the wiring has changed. A side benefit is that you only need 2 pairs of wires as the tamper signal is now on the same pair as the sensor itself.

  8. Don’t be so quick to criticize the crappy security on the software side of the alarm. Note, the control panel has a tamper switch. I’m not sure how the systems work where this guy is at, but here the alarm system actually notify the security company whenever something is triggered. Once the alarm is deactivated they will phone and you must provide a verbal passphrase to prevent a burly guy with guns from charging into your driveway.

    Anyway, So when this tamper channel is activated, the alarm will actually send a tamper signal to the security company. They will know someone is tampering with their things. Also, this control box is hopefully inside the house, hid somewhere in a closet hopefully in the master bedroom or close by.

    So for a criminally minded individual to thwart your security system and steal your TV, he must break in thus activating the (armed) alarm, he must then deactivate it using the keypad code (one wrong code attempt sends security immediately regardless of telephone passphrase), answer the phone, provide the passphrase to prevent security from showing up. Then go through the same process when opening the control box and triggering the alarm again. After this he must then brute the system and change whatever he wants to change.

    Remember, Your security must never be more worth than what you are trying to protect, and in this case, even with the semi-accessible serial port and the area code as the password, everything still sounds pretty secure to me. No robber is going to bother with all this trouble, and no sane person is going to use this to secure the Crown Jewels or something.

    1. They should just move your comment to the top so no one else has to read all of the insipid armchair coaching above it. Wow. Never going to a home security system convention unless I want to see a bunch of neckbeards in a slap fight lol.
      cough beigebox cough HaD users, is usually still got its cheese sitting in the wind for whatever mitm and testcodery one could want to try. Its amazing paperclip lock keeping all ne’erdowells at bay.

  9. Why would you put a sensor on your bathroom door? Are you afraid that they will sneak in through the toilet?
    Usually you alarm the access points leading outside like doors and windows.

    1. It may be a ground floor bathroom that wasn’t used very much at night back when the alarm system was initially installed. If it has a big window that is accessible then it wouldn’t be too strange to have that protected when in night mode.

    2. I’ve had someone break into the house through the toilet window before. Now theres a lock on the window and on both sides of the toilet door (plus a sensor on the window).

  10. when security to keep the owner from modifying his own alarm system is better than the security the alarm system provides, or the alarm system works harder to protect itself than it does the home, it’s time to find a new alarm :(

  11. Before brute-forcing methodically like the Op I’d recommend putting some significant numbers/dates at the top of your script – of the five houses with alarm systems which I lived in at university, three of the (user) codes were 1402 (valentine’s day), one was 2512 (Christmas) and the other was 4444 – I only remember these because they were ‘meaningful’ rather than random numbers, the installer code on my latest alarm was the company’s phone number, my old office had mechanical combination locks and you could open most of them with the first five primes or first five numbers in the Fibonacci sequence (technically from the second ‘1’ onwards for the pedants) The most secure areas in that building were the same numbers but backwards! Secure passwords aren’t dead but they may be having a nap :)

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.