December 2013 – Alexandre TRIFFAULT Alarm system Inspired by Babak Javadi presentation

December 2013 – Alexandre TRIFFAULT

http://www.frenchkey.fr

Alarm system

Inspired by Babak Javadi presentation



Honeywell ADEMCO



Uses both wired and wireless communication (345 MHz – non encrypted)

Honeywell ADEMCO



Wireless zone – Device state ID sent by the device

• 3 key pieces of Data• Serial Number• Loop• Status (Wake – Check-in – Low Battery

• Same is used by every RF Device• Sensors (door opening, glass break…)• Keypad and Keyfob

• S/N Unique per device• Non changeable• Enrolled during programming



Wireless zone – RF Data acquisition



Wireless zone – RF Data structure

• RF Loop

• Devices have up to 4 loops• Loops operate independently



• Four Status Bits

• B : Low Battery• S : Supervisory• W : Wake-up /power-up (new battery)

Wireless zone – RF Data structure



Hardwired zone – wiring structure



System weaknesses – Hardwired zone

• EOL Resistor Placement• The location is IMPORTANT !• EOL means « End Of Line » for a good reason

• Tamper detection is very difficult



System weaknesses – Installer code



System weaknesses – Shortsighted Architecture

• Weak PIN Authentification• Fixed length : 4 Characters• Tiny character length : 0 to 9 only

• Special funtion• User access level inquiry

• Minimal attack resistance• Crude RF jamming detection• No attack resistance on wired ECP Bus



System weaknesses – ECP Bus shortcomings

• Unencrypted

• Shared copper• Allows eavedropping• Interception of keystrokes

• Minimal attack resistance• No brute force detection / no command lockout• Allows automated / scripted attacks



System weaknesses – Attacking via ECP Bus – Brute Force



System weaknesses – Attacking via ECP Bus – Brute Force



System weaknesses – Hardwired zone

• Wire Management

• Exposed wires : bad• Visible wiring• Sloppy wiring• Lazy wiring



System weaknesses – RF zone

• 1/ Supervised RF transmitters (door opening, motion sensor, glass breaking…)• Unencrypted low power one way devices• Transmit only while the state changes• Transmit « check-in » signal every 4 hours

• 2/ Unsupervised RF transmitters (keyfobs)• Mostly unencrypted low power one way devices

• Attack vectors• Eavedropping• Jamming

• No detection in old receivers, Off by default in new (45 seconds interval and a lot of false positive)

• Replaying / Spoofing



System weaknesses – RF zone bidirectionnal

• Bidirectionnal RF transmitters (keypads)• Keypads

• Unencrypted keypads use « House ID », 00 to 31 (checking from the panel)

• New Encrypted keypads likely use Kelloq

• Keeloq• Rolling code encryption by Microchip• Used by cars, garage door openers…• Broken in 2007



System weaknesses – Panel to central office

• Honeywell systems : two part authentification• Suscriber account number

• HEX• 4 bytes• Unique per customer

• Central Station Identification• HEX• 8 bytes• Uniqueness unknown

• ADT systems• Subscriber Account Number• Special release of compass software



• Careful and proper installation• Hide your wires• Protect your wires

• Don’t use RF devices

• Know your weak points

• Protect power source

• Avoid physical access to key devices



Motion and Opening detector

• Radiowave motion detection• Infrared motion detection

• Function : AND

• Detected with a compass or a Gaussmeter• NO/NF

• Shortwired with a remote switch

Documents

December 2013 – Alexandre TRIFFAULT Alarm system Inspired by Babak Javadi presentation