HackDig : Dig high-quality web security articles for hackers

Remotely Disabling a Wireless Burglar Alarm

2016-11-19 20:15

By Andrew Zonenberg @azonenberg

Countless movies feature hackers remotely turning off security systems in order to infiltrate buildings without being noticed. But how realistic are these depictions? Time to find out.

Today we’re releasing information on a critical security vulnerability in a wireless home security system from SimpliSafe. This system consists of two core components, a keypad and a base station. These may be combined with a wide array of sensors ranging from smoke detectors to magnet switches to motion detectors to create a complete home security system. The system is marketed as a cost-effective and DIY-friendly alternative to wired systems that require expensive professional installation and long-term monitoring service contracts.

Looking at the FCC documentation for the system provides a few hints. It appears the keypad and sensors transmit data to the base station using on-off keying (OOK) in the 433 MHz ISM band. The base station replies using the same modulation at 315 MHz.

After dismantling a few devices and looking at which radio(s) were installed on the boards, I confirmed the system is built around a star topology: sensors report to the base station, which maintains all system state data. The keypad receives notifications of events from the base station and drives the LCD and buzzer as needed; it then sends commands back to the base station. Sensors only have transmitters and therefore cannot receive messages.

Rather than waste time setting up an SDR or building custom hardware to mess with the radio protocol, I decided to “cheat” and use the conveniently placed test points found on all of the boards. Among other things, the test points provided easy access to the raw baseband data between the MCU and the RF upconverter circuit.

I then worked to reverse engineer the protocol using a logic analyzer. Although I still haven’t figured out a few bits at the application layer, the link-layer framing was pretty straightforward. This revealed something very interesting: when the same message was sent multiple times, the contents (except for a few bits that seem to be some kind of sequence number) were identical! This means the messages are either sent in cleartext or encrypted deterministically, with no nonce or salt. Either way, nothing in a frame ties it to the moment it was sent, which is exactly the property a replay attack needs.

After a bit more reversing, I was able to find a few bits that reliably distinguished a “PIN entered” packet from any other kind of packet.
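The two observations above (repeated sends of one event differ only in a few counter bits, and a few fixed bits separate a "PIN entered" packet from everything else) fall out of a simple bit-level diff over captured frames. The following is an added example, not the author's tooling: the 4-byte frames are constructed stand-ins for link-layer payloads and do not reflect SimpliSafe's real frame layout; byte 0 is a preamble, byte 1 a type nibble plus a counter nibble, bytes 2-3 a payload, all of which is an assumption made for the demonstration.

```python
"""Bit-level differencing of captured radio frames.

Added example for this article (not the author's code). The captures below are
constructed 4-byte frames standing in for link-layer payloads; they do not
reflect SimpliSafe's real frame layout, only the analysis technique: repeated
sends of one event differ in a few bits (a counter), while bits that are
constant within a packet type but differ between types identify the type.
"""


def frames_to_bits(frames):
    """One MSB-first bit string per frame; frames must be equal length."""
    if len({len(f) for f in frames}) != 1:
        raise ValueError("frames differ in length; align them before diffing")
    return ["".join(f"{b:08b}" for b in f) for f in frames]


def varying_bits(frames):
    """Bit positions that change across repeated captures of the *same* event."""
    bits = frames_to_bits(frames)
    return [i for i in range(len(bits[0])) if len({b[i] for b in bits}) > 1]


def constant_bits(frames):
    """Position -> value for bits that never change within a set of frames."""
    bits = frames_to_bits(frames)
    return {i: bits[0][i] for i in range(len(bits[0]))
            if all(b[i] == bits[0][i] for b in bits)}


def discriminating_bits(classes):
    """Positions constant within every class whose value differs between classes.

    `classes` maps a label such as 'pin_entered' to its captured frames.
    Payload bits that merely happen to agree across the few captured frames
    of a class show up too; more captures shrink the list to the real type bits.
    """
    const = {label: constant_bits(frames) for label, frames in classes.items()}
    common = set.intersection(*(set(c) for c in const.values()))
    return sorted(i for i in common if len({c[i] for c in const.values()}) > 1)


def classify(frame, classes):
    """Label a new frame by its discriminating bits, or None if no class fits."""
    positions = discriminating_bits(classes)
    bits = frames_to_bits([frame])[0]
    for label, frames in classes.items():
        ref = frames_to_bits(frames)[0]
        if all(bits[i] == ref[i] for i in positions):
            return label
    return None


# Constructed captures (assumed layout): byte0 preamble, byte1 = type nibble |
# counter nibble, bytes 2-3 payload. Three sends of one PIN entry, then a
# second PIN, then three sensor events from two sensors.
PIN_ENTERED = [
    bytes([0xA5, 0x11, 0x55, 0x57]),
    bytes([0xA5, 0x12, 0x55, 0x57]),
    bytes([0xA5, 0x13, 0x55, 0x57]),
    bytes([0xA5, 0x14, 0x11, 0x13]),
]
SENSOR = [
    bytes([0xA5, 0x21, 0x01, 0x00]),
    bytes([0xA5, 0x22, 0x01, 0x00]),
    bytes([0xA5, 0x23, 0x02, 0x00]),
]
CLASSES = {"pin_entered": PIN_ENTERED, "sensor": SENSOR}

if __name__ == "__main__":
    print("counter bits in repeated PIN sends:", varying_bits(PIN_ENTERED[:3]))
    print("type-discriminating bits:", discriminating_bits(CLASSES))
    print("fresh frame classified as:", classify(bytes([0xA5, 0x17, 0x55, 0x57]), CLASSES))
```

Run against the three identical PIN sends, `varying_bits` reports only the two low counter bits; `discriminating_bits` returns the type-nibble bits plus a few payload bits that happen to agree across the two captured PINs, which is why a handful of extra captures is needed before trusting a bit as a type marker. The `classify` step is the same test a passive capture device would run on each incoming frame to decide whether to record it.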

I spent quite a while trying to figure out how to convert the captured data bytes back to the actual PIN (in this case 0x55 0x57 -> 2-2-2-2) but was not successful. Luckily for me, I didn’t need that for a replay attack.

To implement the actual attack I simply disconnected the MCUs from the base station and keypad, and soldered wires from the TX and RX basebands to a random microcontroller board I had sitting around the lab. A few hundred lines of C later, I had a device that would passively listen to incoming 433 MHz radio traffic until it saw a SimpliSafe “PIN entered” packet, which it recorded in RAM. It then lit up an LED to indicate that a PIN had been recorded and was ready to play back. I could then press a button at any point and play back the same packet to disarm the targeted alarm system.

This attack is very inexpensive to implement: it requires a one-time investment of about $250 for a commodity microcontroller board, a SimpliSafe keypad, and a SimpliSafe base station to build the attack device. The attacker can hide the device anywhere within about a hundred feet of the target’s keypad until the alarm is disarmed once and the code recorded. Then the attacker retrieves the device. The code can then be played back at any time to disable the alarm and enable an undetected burglary, or worse.

While I have not tested this, I expect that other SimpliSafe sensors (such as entry sensors) can be spoofed in the same fashion. This could allow an attacker to trigger false/nuisance alarms on demand.

Unfortunately, there is no easy workaround for the issue, since the keypad happily sends unencrypted PINs out to anyone listening. Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol: at a minimum, a shared key, a message counter that the receiver requires to increase, and an authentication tag over the frame, so that a recorded packet is rejected when it is played back. However, this is not an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable. This means that field upgrades of existing systems are not possible; all existing keypads and base stations will need to be replaced.
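The replay device described above, and the protocol fix this paragraph says the vendor cannot ship as a firmware update, can be modelled side by side. The following is an added example, not the author's C firmware or SimpliSafe's wire format: the two toy keypad/base-station protocols, the PIN encoding (`bytes([2, 2, 2, 2])` standing in for the article's 2-2-2-2) and the shared key are all constructed for illustration. The deterministic protocol accepts the recorded frame again; the counter-plus-HMAC protocol rejects it, as well as tampered and reordered frames.

```python
"""Replay of a recorded disarm frame, and why a counter plus MAC defeats it.

Added example for this article, not the author's firmware. The two toy
keypad/base-station protocols, the PIN encoding and the key are constructed
and are not SimpliSafe's wire format; the sniffer mirrors the device the
article describes (wait for a PIN-entered frame, record it, replay on demand).
"""
import hashlib
import hmac
import struct

PIN = bytes([2, 2, 2, 2])          # constructed encoding of the article's 2-2-2-2
KEY = b"per-installation-secret"   # constructed shared key for the hardened protocol
TAG_LEN = 16


class PlainKeypad:
    """Deterministic frame: a type byte and the PIN, identical on every send."""
    def __init__(self, pin):
        self.pin = pin

    def disarm_frame(self):
        return b"P" + self.pin


class PlainBaseStation:
    """Disarms on any frame carrying the right PIN; cannot tell replay from real."""
    def __init__(self, pin):
        self.pin = pin
        self.armed = True

    def arm(self):
        self.armed = True

    def receive(self, frame):
        if frame[:1] == b"P" and frame[1:] == self.pin:
            self.armed = False
            return True
        return False


class MacKeypad:
    """Frame = type || 32-bit counter || PIN || HMAC-SHA256 tag truncated to 16 bytes."""
    def __init__(self, key, pin):
        self.key, self.pin = key, pin
        self.counter = 0  # must persist across power cycles on real hardware

    def disarm_frame(self):
        self.counter += 1
        body = b"P" + struct.pack(">I", self.counter) + self.pin
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]


class MacBaseStation:
    """Accepts only a valid tag over a counter strictly greater than the last seen."""
    def __init__(self, key, pin):
        self.key, self.pin = key, pin
        self.last_counter = 0
        self.armed = True

    def arm(self):
        self.armed = True

    def receive(self, frame):
        if len(frame) != 1 + 4 + len(self.pin) + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted frame
        counter = struct.unpack(">I", body[1:5])[0]
        if counter <= self.last_counter:
            return False                      # replayed or reordered frame
        self.last_counter = counter
        if body[:1] == b"P" and body[5:] == self.pin:
            self.armed = False
            return True
        return False


class Sniffer:
    """Passive listener: stores the first PIN-entered frame it sees, replays it later."""
    def __init__(self):
        self.recorded = None

    def observe(self, frame):
        if self.recorded is None and frame[:1] == b"P":
            self.recorded = frame             # LED on: ready to play back

    def replay(self, base):
        return self.recorded is not None and base.receive(self.recorded)


def run_replay_scenario(keypad, base):
    """Owner disarms once while the sniffer listens; system re-arms; sniffer replays.
    Returns (legitimate_disarm_accepted, replay_accepted)."""
    sniffer = Sniffer()
    frame = keypad.disarm_frame()
    sniffer.observe(frame)
    legit = base.receive(frame)
    base.arm()
    return legit, sniffer.replay(base)


if __name__ == "__main__":
    print("plain protocol:", run_replay_scenario(PlainKeypad(PIN), PlainBaseStation(PIN)))
    print("counter + MAC :", run_replay_scenario(MacKeypad(KEY, PIN), MacBaseStation(KEY, PIN)))
```

The real frames carry a few varying bits, yet the author's recorded packet was accepted verbatim, so the base station evidently does not check them; the toy omits them for that reason. For the hardened variant the details that matter in practice are that the key is per installation, that the keypad's counter survives a power loss (otherwise it restarts below the base station's stored value and every frame is rejected), and that the counter sits under the MAC so it cannot be bumped by an attacker.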

IOActive made attempts through multiple channels to contact SimpliSafe upon finding this critical vulnerability, but received no response from the vendor. IOActive also notified CERT of the vulnerability in the normal course of responsible disclosure. The disclosure timeline can be found in the release advisory.

SimpliSafe claims to have its units installed in over 300,000 homes in North America. Consumers of this product need to know the product is inherently insecure and vulnerable to even a low-level attacker. This simple vulnerability is particularly alarming because: 1) it exists within a “security product” that is trusted to secure over a million homes; 2) it enables an attacker to completely own the system (i.e., disable it, change PIN codes, etc.); and 3) many unsuspecting consumers prominently display window and yard signs promoting their use of this system, essentially self-identifying their home as a viable target for an attacker.


Source: blog.ioactive.com/2016/02/remotely-disabling-wireless-burglar.html
