In this tutorial we'll try to analyze how secure commercial alarm systems are. I will not compare brands or advertise alarm systems; I will just explain their weaknesses and ways to overcome them.
In the first video I've shown how a cheap alarm can be unlocked by sniffing and cloning its open signal.
In the second video I show a way to trick a door-opening sensor by using a magnet.
I've created this instructable so that people will better understand how alarm systems operate, how they can be defeated, and ways of preventing that.
Alarm sellers will always try to put their systems in a favorable light, but you should know the other side of the story!
In the first step we'll explore a major problem with all alarm systems: jamming.
The second step is about cloning alarm communication signals.
The third is about magnetic door sensors.
The fourth is about other possible attack methods.
And finally, conclusions.
Step 1: The Biggest Weakness: GSM and Wireless Jamming
All alarm systems work like this: first they detect a breach, then they sound the alarm and/or call or message a security company.
An attacker can try to block the detection (we'll cover that next), or he can try to block the transmission of the message to the security company.
Unfortunately you don't have to be a scientist or a mad engineer to build a device that jams wireless or GSM signals: you can buy them! These devices are legal and are used to protect VIPs or to stop students from cheating at an exam with their cell phones. Some companies sell this kind of equipment, and the prices are affordable, 300 - 1500 $; if you're curious just google "gsm jammer".
So the main thing an alarm system relies on can be blocked. Hmm, what can you do?
Ways to protect:
1. The best way to avoid this is to use an alarm that supports an Ethernet cable and sends email or other alerts via the internet. But for this to be secure the internet cable must not be within reach (it should be buried or concealed).
2. Install the alarm's central unit in the middle of the house, so that a jamming device is less effective due to distance. These devices only work up to a certain distance: the cheapest about 15 meters, the most expensive up to 150 m, at least that's how they are advertised.
3. Don't keep high-value goods in the house, or if you need to, insure them. Thieves who know you have a lot of valuables in the house might go to the trouble of purchasing this kind of equipment.
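One countermeasure the list above does not mention is making the panel itself notice the jamming. The following is an added example, not code from this instructable or from any alarm product: a small receiver-side supervision monitor, written in Arduino-style C++, that flags the channel as jammed when the receiver sees a strong carrier for a sustained time without decoding a single frame, and flags lost supervision when every enrolled sensor misses its periodic check-in at the same time. The RSSI threshold, the timing windows, the sensor ids and the three traces are constructed values; a real panel would read RSSI from its receiver chip and act on the verdict (sound a tamper alert, send a wired or IP notification).

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>

// Added example (not from the original instructable): receiver-side jam
// supervision for a 433 MHz alarm panel. Two independent checks:
//   1. carrier detect: RSSI above a threshold for longer than jam_window_ms
//      while no valid frame decodes (a jammer floods the band);
//   2. heartbeat supervision: every enrolled sensor must check in once per
//      heartbeat_timeout_ms; all of them going silent at once points at the
//      channel, not at one flat battery.
// Thresholds, sensor ids and traces are constructed for illustration.

static const int MAX_SENSORS = 8;

struct RxSample {
    uint32_t t_ms;      // receiver timestamp in milliseconds
    int8_t   rssi_dbm;  // measured signal strength at the panel
    int      sensor_id; // id of a validly decoded frame, or -1 if nothing decoded
};

enum Verdict { OK = 0, JAM_SUSPECTED = 1, SUPERVISION_LOST = 2 };

struct Alert { Verdict v; uint32_t t_ms; };

class RfSupervisor {
public:
    RfSupervisor(int8_t rssi_threshold_dbm, uint32_t jam_window_ms,
                 uint32_t heartbeat_timeout_ms, int n_sensors, uint32_t start_ms)
        : rssi_threshold_(rssi_threshold_dbm), jam_window_(jam_window_ms),
          heartbeat_timeout_(heartbeat_timeout_ms), n_sensors_(n_sensors),
          carrier_active_(false), carrier_since_(0) {
        // Enrolment time counts as the last check-in, so the monitor starts clean.
        for (int i = 0; i < MAX_SENSORS; i++) last_seen_[i] = start_ms;
    }

    // Feed one receiver sample; returns the verdict for the channel right now.
    Verdict feed(const RxSample& s) {
        if (s.sensor_id >= 0 && s.sensor_id < n_sensors_) {
            last_seen_[s.sensor_id] = s.t_ms;
            carrier_active_ = false;   // a decoded frame proves the channel is usable
        } else if (s.rssi_dbm > rssi_threshold_) {
            if (!carrier_active_) { carrier_active_ = true; carrier_since_ = s.t_ms; }
            if (s.t_ms - carrier_since_ >= jam_window_) return JAM_SUSPECTED;
        } else {
            carrier_active_ = false;   // band went quiet again
        }
        // Heartbeat supervision: alert only when every sensor is overdue at once.
        bool all_overdue = true;
        for (int i = 0; i < n_sensors_; i++)
            if (s.t_ms - last_seen_[i] < heartbeat_timeout_) { all_overdue = false; break; }
        return all_overdue ? SUPERVISION_LOST : OK;
    }

private:
    int8_t   rssi_threshold_;
    uint32_t jam_window_;
    uint32_t heartbeat_timeout_;
    int      n_sensors_;
    bool     carrier_active_;
    uint32_t carrier_since_;
    uint32_t last_seen_[MAX_SENSORS];
};

// Run a trace through a monitor and report the first non-OK verdict.
static Alert first_alert(RfSupervisor& sup, const RxSample* trace, size_t n) {
    for (size_t i = 0; i < n; i++) {
        Verdict v = sup.feed(trace[i]);
        if (v != OK) return Alert{v, trace[i].t_ms};
    }
    return Alert{OK, 0};
}

// Panel configuration for all scenarios: -70 dBm carrier threshold, 10 s jam
// window, 90 s heartbeat timeout, two enrolled sensors, started at t=0.
static RfSupervisor make_panel() { return RfSupervisor(-70, 10000, 90000, 2, 0); }

// Scenario 1: quiet band, sensors 0 and 1 each check in every 30 s. No alert.
Alert first_alert_normal() {
    const RxSample trace[] = {
        {0, -100, -1},   {30000, -85, 0}, {45000, -82, 1},  {60000, -88, 0},
        {75000, -84, 1}, {90000, -86, 0}, {105000, -83, 1}, {120000, -87, 0}};
    RfSupervisor sup = make_panel();
    return first_alert(sup, trace, sizeof(trace) / sizeof(trace[0]));
}

// Scenario 2: from t=50 s a strong continuous carrier (-40 dBm) sits on the band
// and nothing decodes. JAM_SUSPECTED once it has lasted the 10 s window (t=60 s).
Alert first_alert_jammed() {
    const RxSample trace[] = {
        {0, -100, -1},    {30000, -85, 0},  {45000, -82, 1},  {50000, -40, -1},
        {52000, -41, -1}, {54000, -40, -1}, {56000, -40, -1}, {58000, -42, -1},
        {60000, -40, -1}, {62000, -40, -1}};
    RfSupervisor sup = make_panel();
    return first_alert(sup, trace, sizeof(trace) / sizeof(trace[0]));
}

// Scenario 3: no strong carrier at the panel, but after t=45 s no sensor frame
// arrives at all. Heartbeat supervision fires when both are 90 s overdue (t=135 s).
Alert first_alert_silent() {
    const RxSample trace[] = {
        {0, -100, -1},    {30000, -85, 0},   {45000, -82, 1},   {60000, -95, -1},
        {80000, -95, -1}, {100000, -95, -1}, {120000, -95, -1}, {135000, -95, -1}};
    RfSupervisor sup = make_panel();
    return first_alert(sup, trace, sizeof(trace) / sizeof(trace[0]));
}

int main() {
    Alert a = first_alert_normal(), b = first_alert_jammed(), c = first_alert_silent();
    printf("normal: verdict %d\n", (int)a.v);
    printf("jammed: verdict %d at %u ms\n", (int)b.v, (unsigned)b.t_ms);
    printf("silent: verdict %d at %u ms\n", (int)c.v, (unsigned)c.t_ms);
    return 0;
}
```

Carrier detect alone gives false positives on a busy band (a neighbour's weather station transmitting continuously), and heartbeat supervision alone is slow, which is why the two are combined; the 10 s and 90 s figures are placeholders to be tuned per installation.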
Step 2: Cloning Wireless Signals
Usually alarms and other RF electronics use one of two main frequencies, 315 MHz and 433 MHz, and the signal is usually modulated FSK or ASK.
FSK (frequency shift keying) modulation means that the signal is encoded by rapid changes in frequency (0 is sent at one frequency, and 1 at another, nearby frequency).
ASK (amplitude shift keying) modulation means that the signal is encoded by changes in amplitude (no amplitude for 0, maximum amplitude for 1).
In my test the alarm system is using 433 MHz ASK modulation (the most common), and I'll try to copy and clone the signal with an Arduino Uno and two modules, one for receiving 433 MHz signals and one for transmitting them. The modules can be found on eBay for under a dollar per pair.
So, for the experiment we'll need:
1. Arduino UNO
2. USB cable
3. 6 male-female breadboard cables
4. a pair of 433 MHz ASK RF modules
5. a pair of 433 MHz antennas
6. a computer with the Arduino IDE installed
7. the RemoteSwitch library, which can be downloaded here
Wiring the modules:
1. the transmitter (the square one) goes to GND, VIN and digital pin 11 of the Arduino Uno
2. the receiver (the rectangular one) goes to GND, 5V and digital pin 2
3. plug in the USB cable
Note: check the attached pictures to see how the pins can be identified.
Uploading the code:
1. download and install the RemoteSwitch library from the link above
2. select the "Retransmitter" sketch and upload it
After the sketch has finished uploading, it will sniff 433 MHz signals and replay them after 5 seconds. And that's it: with very cheap components and little work, the signals from the remote control or the sensors can be cloned.
An attacker can place a small device near your home to record the signals and later play them back to disarm the alarm.
How can we protect ourselves against this kind of attack?
* look for an alarm system that offers encryption and rolling codes for the remote control and the sensors
* some systems offer an alternative way to arm and disarm by SMS or voice call. It's safer
Step 3: Fooling Door / Window Sensors
These sensors are made of two parts, a fixed part and a mobile part. The fixed part contains a circuit, a battery and something called a "reed switch". This switch is very small and lets electricity pass when a magnetic field is near; that's why the mobile part of the sensor is in fact a magnet.
The main weakness of this device is its dependence on a magnetic field. A stronger magnet can keep the switch "on" even when the mobile part (containing the smaller magnet) is removed. Of course the attacker must know the exact position of the sensor in order to open the door or window without triggering the alarm.
Ways to protect:
* install the switch on a metal surface; if the door isn't made of metal, mount it on a small iron plate. The metal will absorb most of a magnetic field coming from the side
* hide the sensor so that people cannot see its location
Step 4: Other Methods
Movement sensor hacks
Usually PIR (passive infrared) sensors are used for alarm systems, and they work by detecting changes in the infrared background radiation. The changes can be caused by your body, an animal or sun rays, so they are not really detecting movement. The problem with these sensors is that they can be fooled by reducing the radiation footprint (wearing heat-shielding clothing) or by moving very slowly.
The ideal alarm would have Doppler radar motion sensors; these sensors are not fooled by heat or slow movement.
Cloning and replaying random sensor signals
The cloning mechanism is identical to the cloning of the remote control signals I've shown before, but an attacker replaying random sensor signals will trigger false alarms, which renders the entire system useless (you will not be able to tell when a real alarm comes).
Ways to overcome:
1. look for an alarm system that uses encryption and rolling codes
2. wired sensors will work best (they don't suffer from jamming either)
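Both this list and the one at the end of Step 2 recommend rolling codes. As an added example (not from this instructable, and not the scheme of any particular product), the C++ below shows why: a fixed-code receiver cannot tell a live press from a recording of one, while a rolling-code receiver authenticates every frame with a shared key and burns each counter value, so the recorded frame, a stale frame and a frame with a bad tag (the "random sensor signals" case above) are all rejected while presses the receiver missed are still tolerated. toy_tag() is a constructed stand-in for the real cipher or MAC; the key, the fixed code and the counter values are likewise constructed.

```cpp
#include <cstdint>
#include <cstdio>

// Added example (not from the original instructable): fixed code vs rolling
// code under record-and-replay. toy_tag() is a constructed 32-bit keyed mixer
// standing in for the block cipher or MAC a real product would use; it is
// NOT secure. Key, codes and counters are constructed sample values.

struct Frame {
    uint32_t counter;  // increments on every button press / sensor event
    uint32_t tag;      // keyed tag over the counter; the receiver recomputes it
};

// Placeholder keyed tag: deterministic in (key, counter), nothing more.
static uint32_t toy_tag(uint64_t key, uint32_t counter) {
    uint64_t x = key ^ ((uint64_t)counter * 0x9E3779B97F4A7C15ULL);
    x ^= x >> 31; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 29; x *= 0x94D049BB133111EBULL;
    return (uint32_t)(x ^ (x >> 32));
}

// Fixed code: the remote always transmits the same value, so the receiver
// cannot tell a live press from a recording of one.
class FixedCodeReceiver {
public:
    explicit FixedCodeReceiver(uint32_t code) : code_(code) {}
    bool accept(uint32_t code) const { return code == code_; }
private:
    uint32_t code_;
};

// Rolling code: remote and receiver share a key and keep a counter in step.
class RollingCodeRemote {
public:
    RollingCodeRemote(uint64_t key, uint32_t counter) : key_(key), counter_(counter) {}
    Frame press() { counter_++; return Frame{counter_, toy_tag(key_, counter_)}; }
private:
    uint64_t key_;
    uint32_t counter_;
};

class RollingCodeReceiver {
public:
    RollingCodeReceiver(uint64_t key, uint32_t last_counter, uint32_t window)
        : key_(key), last_(last_counter), window_(window) {}
    bool accept(const Frame& f) {
        if (toy_tag(key_, f.counter) != f.tag) return false;  // forged or corrupted tag
        if (f.counter <= last_) return false;                 // already used: a replay
        if (f.counter - last_ > window_) return false;        // too far ahead: needs resync
        last_ = f.counter;                                    // burn this counter value
        return true;
    }
private:
    uint64_t key_;
    uint32_t last_;
    uint32_t window_;
};

// Scenario A: a sniffer records one legitimate fixed-code press and replays it.
bool fixed_code_replay_accepted() {
    FixedCodeReceiver rx(0xA5C3F0);       // constructed fixed code
    uint32_t recorded = 0xA5C3F0;         // what the sniffer captured
    bool live = rx.accept(recorded);
    bool replay = rx.accept(recorded);    // same bits, accepted again
    return live && replay;
}

static const uint64_t kSharedKey = 0x0123456789ABCDEFULL;  // constructed pairing key

// Scenario B: the same recording against a rolling-code system.
bool rolling_code_replay_rejected() {
    RollingCodeRemote remote(kSharedKey, 100);
    RollingCodeReceiver rx(kSharedKey, 100, 16);
    Frame recorded = remote.press();
    bool live = rx.accept(recorded);      // counter 101: fresh, accepted
    bool replay = rx.accept(recorded);    // counter 101 again: rejected
    return live && !replay;
}

// Scenario C: presses made out of range advance the remote's counter; the
// receiver still accepts the next frame as long as it lands inside the window.
bool rolling_code_tolerates_missed_presses() {
    RollingCodeRemote remote(kSharedKey, 100);
    RollingCodeReceiver rx(kSharedKey, 100, 16);
    remote.press(); remote.press(); remote.press();   // not heard by the receiver
    return rx.accept(remote.press());                 // counter 104, within 16 of 100
}

// Scenario D: a plausible counter with a bad tag (guessed or corrupted frame).
bool rolling_code_rejects_bad_tag() {
    RollingCodeRemote remote(kSharedKey, 100);
    RollingCodeReceiver rx(kSharedKey, 100, 16);
    Frame f = remote.press();
    f.tag ^= 1;
    return !rx.accept(f);
}

int main() {
    printf("fixed code, replay accepted:     %d\n", fixed_code_replay_accepted());
    printf("rolling code, replay rejected:   %d\n", rolling_code_replay_rejected());
    printf("rolling code, missed presses ok: %d\n", rolling_code_tolerates_missed_presses());
    printf("rolling code, bad tag rejected:  %d\n", rolling_code_rejects_bad_tag());
    return 0;
}
```

The window (16 here) is the usual trade-off: large enough that a remote pressed a few times in the car still pairs, small enough that a recorded frame goes stale quickly. Note that the scheme only helps if the tag is computed with a real keyed cipher or MAC and a per-device key; a rolling counter without authentication can still be forged.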
Misconfiguration
Misconfiguration can mean anything, but I have a specific scenario in mind. My alarm model has a configurable "delay" between the time of detection and the time it sounds the alarm. The delay would enable the attacker to locate the alarm and switch it off, so it's a bad idea to enable it.
Losing the element of surprise
If an attacker knows the precise location of your sensors, he can avoid them or develop a strategy to block them somehow.
So don't expose the sensors too obviously in the house, don't tell people you have an alarm system and don't let people inside unless you know them well.
Step 5: Conclusions
If you made it this far you have realized that alarm systems are far from perfect, but for these exploits to work the burglar must be well informed, and most robberies are conducted by not-so-clever villains :)
But there are some rules that will make you safer, let's review them:
1. use an alarm that supports an Ethernet cable and sends email or other alerts via the internet. But for this to be secure the internet cable must not be within reach (it should be buried or concealed)
2. install the alarm's central unit in the middle of the house, so that a jamming device is less effective due to distance.
3. don't keep high-value goods in the house, or if you need to, insure them.
4. look for an alarm system that offers encryption and rolling codes for the remote control and the sensors
5. some systems offer an alternative way to arm and disarm by SMS or voice call. It's safer
6. install the magnetic door switch on a metal surface; if the door isn't made of metal, mount it on a small iron plate
7. conceal the sensors and the alarm system
8. look for an alarm with microwave motion sensors
9. if possible prefer wired sensors; they are the safest option
10. don't install the alarm system yourself; you might miss some important details about the configuration