Hello From A Security Researcher

[cybergibbons]

Ok - I didn't realise that was a rule. The site is not commercial and contains relevant content.

 

So, to elaborate, I have been buying wireless systems off the shelf, and one by one, finding vulnerabilities and methods to disarm them. I haven't yet found one that isn't possible to jam, including those with "advanced" anti-jamming or jamming detection. There's also other common issues such as susceptibility to replay attacks, sending PINs in the clear, and the possibility of crashing panels with malformed packets. I have a £30 device which can stop most alarms working as a result.

 

My main concern is around the standards that dictate the features found in these alarms - specifically EN 50131-5-3 - which doesn't allow differentiation between a poor grade 2 alarm, and a much better one. I know the standards are being rewritten, but it doesn't seem like much progress has been made.

 

I've started branching out into internet/modem connected alarms and analysing firmware to find bugs and backdoors as well.

[matthew.brough]

As you have discovered the standards we work with are not perfect and often some cheap rubbish can have the same grade as a high end product and the customer has no way of knowing the difference. I would be very intested in your findings as I'm sure other members will.

[Joe Harris]

Hi CG - Welcome to the forum.  You will find many others here who are also close followers of potential vulnerabilities in equipment as alluded to in some of the blog entries here on TSI.

 

The electronic security industry has traditionally had some good practise implementations which have helped improve security protocols in the past, however with some irony these same non-standard, non-proprietorial code sets now become a point of weakness as other industries improve their approach and ours remains somewhat stagnant.

 

There are some clued up suppliers but also some who seem to ignore the risks highlighted to them.

 

I think far too few people are looking at these devices from the pen testing perspective (Physical and comms based) and I welcome more eyes on this issue.  There is much to be done.

[james.wilson]

Ok - I didn't realise that was a rule. The site is not commercial and contains relevant content.

 

 

 

You can copy the content to a tsi blog and link to that but as im sure you can understand maintaining links to external blogs can be a nightmare.

 

So, to elaborate, I have been buying wireless systems off the shelf, and one by one, finding vulnerabilities and methods to disarm them. I haven't yet found one that isn't possible to jam, including those with "advanced" anti-jamming or jamming detection. There's also other common issues such as susceptibility to replay attacks, sending PINs in the clear, and the possibility of crashing panels with malformed packets. I have a £30 device which can stop most alarms working as a result.

 

 

 

 

 

Unfortunately all equipment is not equal. There is various quality and performance from the manufacturers. Self certification makes this worse imo as the kit is not independently tested to check it actually meets any grade. But there is equipment that does meet or exceed the minimum requirements. However i would be interested in you posting your findings so far. Plus if you have the equipment i could send certain stuff for you to test.

 

My main concern is around the standards that dictate the features found in these alarms - specifically EN 50131-5-3 - which doesn't allow differentiation between a poor grade 2 alarm, and a much better one. I know the standards are being rewritten, but it doesn't seem like much progress has been made.

 

 

 

They are minimum requirements, but grade 2 is a low to medium risk for a low skilled intruder. Grade 3 and grade 4 specifically grade 4 equipment is designed for high risk sites with a likelihood of a high skill level intruder.

 

I've started branching out into internet/modem connected alarms and analysing firmware to find bugs and backdoors as well.

 

 

Again id be interested in your findings but there is a standard that tightens up the requirements of coimmunication and IS 3rd party tested. That is LPS1277

[arfur mo]

some UDL software is so skittish, by the time you can get any advantage from a bug its often crashed.

choice of kit by any installer of any grade is not always chosen from, quality, price or availability. some stick with what they know as reliable, others like all the bells and whistles even on a back shed. user and engineer friendly is also a consideration, no point fitting a kit the user or engineers can't understand, no matter how bad or good it is.

[AdrianMealing]

Ok - I didn't realise that was a rule. The site is not commercial and contains relevant content.

 

So, to elaborate, I have been buying wireless systems off the shelf, and one by one, finding vulnerabilities and methods to disarm them. I haven't yet found one that isn't possible to jam, including those with "advanced" anti-jamming or jamming detection. There's also other common issues such as susceptibility to replay attacks, sending PINs in the clear, and the possibility of crashing panels with malformed packets. I have a £30 device which can stop most alarms working as a result.

 

My main concern is around the standards that dictate the features found in these alarms - specifically EN 50131-5-3 - which doesn't allow differentiation between a poor grade 2 alarm, and a much better one. I know the standards are being rewritten, but it doesn't seem like much progress has been made.

 

I've started branching out into internet/modem connected alarms and analysing firmware to find bugs and backdoors as well.

Don't know where you got your information about EN50131-5-3 but you are wrong. I am a UK expert on the WG11 working group and we have finished rewriting the standard, it is being edited at BSI and will be published for comment in due course.

 

There are many other factors when dealing with RF perfgor5mance requirements, and most of these are dealt with by ETSI standards, the -5-3 only contains specific security requirements, whereas ETSI standards deal with RF performance. These will be called up in the new standard, they are not in the current published version.

[matthew.brough]

I am a UK expert

 

That I agree with entirely.

[cybergibbons]

Don't know where you got your information about EN50131-5-3 but you are wrong. I am a UK expert on the WG11 working group and we have finished rewriting the standard, it is being edited at BSI and will be published for comment in due course.

 

There are many other factors when dealing with RF perfgor5mance requirements, and most of these are dealt with by ETSI standards, the -5-3 only contains specific security requirements, whereas ETSI standards deal with RF performance. These will be called up in the new standard, they are not in the current published version.

 

I've been in communication with a member of the group. Grade 2 still doesn't require any encryption or protection against replay, both of which incur little to no hardware cost - the only reason I can see for maintaining this is product differentiation.

 

Are draft versions of this standard available for us to look at?

Adrian - I sent a mail to Texecom 10 days or so ago about an open directory of alarm firmware on your site and didn't get a response. Is it meant to be there?

[james.wilson]

Draft versions are only available to committee members afaik

[cybergibbons]

I think a lack of openness is a big reason that many of the flaws I find exist.