Hello From A Security Researcher

[james.wilson]

Op from your list most is diy tat, apart from texecom. In that list its texecom as the best with scanny behind Imo. The rest will be weak by their diy nature.

[matthew.brough]

Agreed. I find it interesting and shouldn't the kit we use come under scrutiny. Without trying to liable anyone Adrian's panels I suspect are built much better than other manufacturers kit with the same grade and I don't see any issue in someone challenging the kit we use.

I don't think I've ever seen anyone with a passion to try and hack it but I think its a legitimate line of enquiry.

[cybergibbons]

If you have managed to reverse engineer our protocol i would be:-

• Suprised
• Glad to see you in court

Just read your last post, I am out of here life is too short, i thought you were serious

I honestly can't understand your aggressive and dismissive attitude.

Can you point out what it would end up in court under?

I suppose the question I wonder is why are you so interested in what we do? Hobby, professional interest, planning on a bank robbery?

I'm a freelance security research and reverse engineer. My interest was piqued when I found one alarm system was little more than a wireless doorbell.

[PeterJames]

My cats breath smells of cat food

[cybergibbons]

Op from your list most is diy tat, apart from texecom. In that list its texecom as the best with scanny behind Imo. The rest will be weak by their diy nature.

The two Yale alarms and Friedland are, but the others are all grade 2. Granted there are massive differences in the security afforded by them, but there should really be a way of this being expressed in a standard, rather than a general perception of how secure they are.

My cats breath smells of cat food

Sorry?

[matthew.brough]

Ok. To be fair Adrian's a boffin in what he does and understandably protective of his products. If someone started wanting to reverse engineer our software I'd get quite upset too.

Out of interest, what did you think of the Texecom ricochet?

The two Yale alarms and Friedland are, but the others are all grade 2. Granted there are massive differences in the security afforded by them, but there should really be a way of this being expressed in a standard, rather than a general perception of how secure they are.Sorry?

His cats had its evening meal.

[PeterJames]

His cats had its evening meal.

I dont have a cat?

[cybergibbons]

Lot's more panels still to try and I am glad to hear of your approach.  I've tinkered with embedded SoC devices in and out of security previously and as mentioned they are often not polished code.  Also consider contact points on boards (I've seen JTAG interlinks left open which give low and high level access openly)  this is on the public section though so I will not go into great detail..

Yes - some panels leave the microcontroller flash unprotected, so code can be read out. A lot of them don't use dedicated SoCs like the CC1110 though, they have a microcontroller and a RF frontend. The comms between the two are open, which makes working out what the system does far easier. A lot of them use pretty curious microcontrollers though, which makes decompiling the code pretty arduous.

[norman]

If you have managed to reverse engineer our protocol i would be:-

• Glad to see you in court

under what charge

[Scotmod]

The alarms I have are:

* Yale Wireless (the older 434MHz OOK system)

* Friedland SL

* Texecom Ricochet

* Visonic Powermax Pro

* Scantronic i-on16

* Pyronix Enforcer

* Yale easyfit (newer 868MHz 2-FSK system)

I'm generally testing each alarm one by one. Normally involves:

* Reverse engineering the protocol (most have issues with the protocol itself - some send the PIN in the open for example)

* Dumping EEPROM contents of panels (one of the above has a non-changeable, undocumeted code that doesn't vary from panel to panel)

* Getting hold of firmware upgrades and decompiling (looking for any backdoors, opportunity for buffer overflow

* Fuzzing any inputs available (a lot of panels don't use watchdog timers and can be crashed...)

 

Excellent. However I think we can all agree that the Yales and Friedlands are no more than glorified door chimes and don't really count for anything since you'll most likely find them on sheds and bungalows. 

 

What i'm more interested in is your attack simulation. I've attached a layout with some devices and a panel on it. Choose any wireless system you've done and talk me through how your findings will allow you to break in to the premises and get to the panel room to access the safe that has my days takings etc in it.