Hello From A Security Researcher

[matthew.brough]

Sure. Our panels are Aritech ATS and UTC have always been quite strict on 3rd party testing. Signalling is Webway one or Chiron and both are 3rd party tested. Without looking at the docs I forget who by.

never heard of them...

Who?

[cybergibbons]

never heard of them...

They provide systems to installers in the Netherlands. A significant proportion of home alarms and small business alarms use their systems.

[MrHappy]

They provide systems to installers in the Netherlands...

 

,

[AdrianMealing]

I dont think there is a grade 3 wireless system

 

There is, just not sold in the UK, I am still struggling with this whole thread, so a couple of blunt questions, because that is how I role:-

 

Who do you represent?

 

Why are you so hung up on wireless alarms?

 

When will you start selling your wireless alarm jamming device?

 

When will you start selling your wireless alarm system that is immune to point 3?

[cybergibbons]

First of welcome. You'll certainly get alot of 2p's chucked in with your time here. This place is full of experience. Secondly kudos for tinkering with the wireless side of things.

Thanks! It's good to get some discussion going on this.

 

However I do have some questions. What manufacturers have you purchased so far and what are the scenarios you are simulating? What are your parameters that your measuring your results by?

The alarms I have are:

* Yale Wireless (the older 434MHz OOK system)

* Friedland SL

* Texecom Ricochet

* Visonic Powermax Pro

* Scantronic i-on16

* Pyronix Enforcer

* Yale easyfit (newer 868MHz 2-FSK system)

I'm generally testing each alarm one by one. Normally involves:

* Reverse engineering the protocol (most have issues with the protocol itself - some send the PIN in the open for example)

* Dumping EEPROM contents of panels (one of the above has a non-changeable, undocumeted code that doesn't vary from panel to panel)

* Getting hold of firmware upgrades and decompiling (looking for any backdoors, opportunity for buffer overflow

* Fuzzing any inputs available (a lot of panels don't use watchdog timers and can be crashed...)

 

On the subject of grading and the standards you'll find that the documents are very loose and open for interpretation. While this cuts back on their strictness it does give people much needed leeway in terms of compliance and installation. Vital in my opinion.

I agree they can't be too strict, but the variation in grade 2 panel security is so large that I think they need improvement.

 

Also is the product grading relevant for the attacks you are trying to simulate? I don't think it is but i'm interested to know if you think it is?

No, not really. Some grade 2 panels have much bigger issues than ungraded panels.

[matthew.brough]

I suppose the question I wonder is why are you so interested in what we do? Hobby, professional interest, planning on a bank robbery?

[cybergibbons]

There is, just not sold in the UK, I am still struggling with this whole thread, so a couple of blunt questions, because that is how I role:-

 

Who do you represent?

Myself, though I am working with some other parties who are interested in the alarm sector.

Why are you so hung up on wireless alarms?

Sorry - why do you think I am hung up on them? There are gaping holes in most of the available systems and the manufacturers are unwilling to improve. I want to challenge this.

When will you start selling your wireless alarm jamming device?

The flaws aren't just related to jamming. I am not planning on selling such a device, the legality of it would be seriously questionable.

When will you start selling your wireless alarm system that is immune to point 3?

Sorry - I'm not an alarm manufacturer. When will Texecom start selling one?

[AdrianMealing]

If you have managed to reverse engineer our protocol i would be:-

1. Suprised
2. Glad to see you in court

Just read your last post, I am out of here life is too short, i thought you were serious

[datadiffusion]

Myself, though I am working with some other parties who are interested in the alarm sector.

 

Do they have black eye masks and bags marked swag?

[Joe Harris]

I think the thread is coming across as parties arguing but I think it is fair to everyone to point out that the only thing showing here is passion.

 

CG is obviously passionate about the research he is carrying out and I can understand and applaud that as it is long overdue in our industry.

 

Adrian is obviously passionate about his trade and rightfully so - Not just as a conscientious manufacturer (which he is) but as someone very actively involved in trying to improve our industries lot by volunteering his time for the standards I know how committed he is to improving things.

 

I wanted to just clear that up before anyone misinterpreted things.... we are all on the same side....

 

 

The alarms I have are:
* Yale Wireless (the older 434MHz OOK system)
* Friedland SL
* Texecom Ricochet
* Visonic Powermax Pro
* Scantronic i-on16
* Pyronix Enforcer
* Yale easyfit (newer 868MHz 2-FSK system)

I'm generally testing each alarm one by one. Normally involves:
* Reverse engineering the protocol (most have issues with the protocol itself - some send the PIN in the open for example)
* Dumping EEPROM contents of panels (one of the above has a non-changeable, undocumeted code that doesn't vary from panel to panel)
* Getting hold of firmware upgrades and decompiling (looking for any backdoors, opportunity for buffer overflow
* Fuzzing any inputs available (a lot of panels don't use watchdog timers and can be crashed...)

 

Lot's more panels still to try and I am glad to hear of your approach.  I've tinkered with embedded SoC devices in and out of security previously and as mentioned they are often not polished code.  Also consider contact points on boards (I've seen JTAG interlinks left open which give low and high level access openly)  this is on the public section though so I will not go into great detail..