

How to Hack an ADT Alarm System - rhodesbe
http://ipvm.com/report/hack-adt-alarm-system

======
SEJeff
So just like with computer security, I'm a fan of both passive _and_ active
security for my home.

Their website is straight out of 1990, but Burglargard is a bullet resistant
effectively smash-proof invisible coating that can be applied to all windows
in your home: [http://www.burglargard.com](http://www.burglargard.com)

The nice thing about it is that if you have them install it, it comes with a
lifetime no yellow, no peel, full replacement warranty. If you opt to install
it yourself, it is much cheaper (Approximately $1 per sq foot), but no
warranty, so not as useful.

Also, make sure to get 6" or longer screws to put into external door frames.
It ensures the frame is anchored to studs and makes ripping it out via a
typical kick the door in attack much more difficult. Stuff like the haven lock
([http://www.havenlock.com](http://www.havenlock.com)) also really helps make
it more difficult to kick in the door.

Note that these things make a break-in demonstrably more difficult, but they
won't prevent it. I see an alarm system as a more passive security device,
much like an intrusion detection system. "Hey someone broke in" means someone
still broke in. I'm more of a fan of trying to make the act of breaking in in
addition to ensuring I have a decent idea if someone does.

Defense in depth doesn't just apply to computers, it is a way of thinking :)

~~~
Someone1234
Burglargard looks pretty cool. But I'd definitely have to re-evaluate fire
exits before I installed, the last thing I'd want is for the entire family to
burn to death because I was trying to save a few thousand dollars in property
which is insured and replaceable.

Door frames and window frames are a common source of intrusion, but if your
frames are made out of wood then I don't know if the 6" screws are going to
save you, the wood is often a source of failure rather than coming unscrewed.
It just splinters away.

As to Havenlock: many back doors are slide, and can be bounced out of their
runs. It might help on the few which are swing doors rather than slide (at
least around here). I think the whole app thing is kind of dumb, it is just a
wedge, and still requires drilling into the floor.

~~~
djrogers
"Burglargard looks pretty cool. But I'd definitely have to re-evaluate
fire exits before I installed, the last thing I'd want is for the entire
family to burn to death because I was trying to save a few thousand dollars in
property which is insured and replaceable."

If your fire exit strategy currently relies on the ability to break a window,
you've already failed at fire safety. You need to be able to OPEN a fire exit
in an emergency, not MAKE one...

~~~
mturmon
"If your fire exit strategy currently relies on the ability to break a window,
you've already failed at fire safety."

This is quite false. The ability to use a bedroom window as an emergency exit
is _required_ by typical US building codes (e.g.,
[http://www.bobvila.com/articles/406-what-makes-a-room-a-bedr...](http://www.bobvila.com/articles/406-what-makes-a-room-a-bedroom/)).

The basic rule is that, besides the entry door, there has to be one other exit
_that opens to the outside_, which can be another door, but is usually a
window. There are size rules for the window.

The window is intended not just for entry of firefighters, but also for
unassisted exit.

~~~
EliRivers
_This is quite false._

That's not my reading of the page you linked to. The window has to be
_openable_, not breakable.

~~~
mturmon
You have a fair point.

------
Someone1234
What isn't clear from the article is if the wireless channels were encrypted
or not. Right now they're just using brute force to flood the channel which is
going to cut off the panel from the sensor(s) regardless.

I cannot see an easy way to mitigate this. Even if it has anti-jam it is going
to just shift the frequencies which you could also likely jam. I guess the
panel could increase its output power to try and compensate, but all that does
is increase the equipment cost of an attacker, not really stop it completely.

So I guess the main take-away from this is to go wired, not wireless for
security system installs. However it is unclear if security systems really do
much of anything anyway (as police often ignore home alarm calls as they're
more often than not false alarms).

You're better off just spending the money on higher fencing with trellis
skirting, motion flood lighting, and fake signs that say "protected by FakeCo
Security." It won't cost you $30/month for the rest of your natural life and
offers the same deterrent.

Most smash & grabs are 10 minute affairs. Some robbers will happily continue
to rob with an alarm going off, since they know the response time won't be
close to 10 minutes.

~~~
useful
On the first page of the class action, "ADT's wireless signals are unencrypted
and unauthenticated, and can easily be intercepted and interfered with by
unauthorized third parties"

I think rolling your own ZigBee security system is more safe (and cheaper).

~~~
SEJeff
I prefer Insteon, which is wireless like Zigbee, but more jam resistant as it
also operates over the power lines in your home to form a mesh. Even if the
wireless access is blocked, many of the devices can be directly plugged in,
and as a result, would still send critical security events to the controller.

~~~
joezydeco
I've always been curious if powerline protocols like Insteon and X10 were
jammable by injecting noise into the neutral leg of the circuit.

In most neighborhoods with above-ground power lines, it's incredibly easy to
access the neutral wire.

~~~
adanto6840
Or just cut the power to the home, arguably just as easy, no? I think if you're
being targeted like that then you probably have bigger issues to deal with
though...

~~~
donutz
Is it the case that if the power is out, that such devices can't communicate
over the powerlines, even if they have their own backup power?

~~~
SEJeff
No, because they send modulated signals over the copper power cables.
Therefore, if they had their own backup power and were operating over the
powerlines, they would work.

------
tptacek
Is it worth trying to foil this attack? My understanding from talking to alarm
installers is that wired alarms, which are more common, are trivially defeated
by burglars, and that really the point of having an alarm is simply to avoid
being the only person on your block that doesn't have one.

~~~
fabulist
I think if the alarm isn't able to communicate (through wired means or
otherwise) with its sensors or its back end for a suitable period of time, it
should be functionally equivalent to detecting a break-in. That is, the alarm
should sound, and the alarm company should call the cops (it'd have to be
pretty difficult to accidentally lose contact, however.)

The entire point of an alarm is it goes off if something bad happens; not
being able to go off is a bad thing.

~~~
fabulist
I was thinking about this, and I realized there is a bigger problem. The
sensors detected a break-in, failed to report it, and apparently just forgot
about it; it successfully engaged in the protocol designed to detect jamming,
but didn't use that window of opportunity to report the break-in.

------
S_A_P
While I think this sort of research is useful, I don't think this is anything
that will affect people in real life. This is more the makings of a plot from
the movie "Taken". If someone wants to rob your house, they will break in and
probably be in and out before police can respond. A thief isn't going to jam
your alarm system's radio and pull some elaborate hack to steal your laptop or
flat screen TV.

~~~
SEJeff
People said the exact same thing about RF car fobs years ago. It is only a
matter of time before the technology comes down in price and the software for
doing this type of thing becomes more common. Never say never.

~~~
Someone1234
And they were largely right.

Cars are laughably insecure by computing standards, but yet stolen cars are at
a low (when you adjust for total cars). They're also targeting pre-digital
cars still on the road, if you look at the DMV's "top stolen cars" list,
they're almost all 1990s cars or older.

You read a few stories about the "Russian mafia" having key fobs which can
unlock modern cars, but these are few and far between. Even the more common
OBD-II port key reset method is fairly rare, but gets heavily reported when it
does occur.

So I'm going to use the same example, but use that example as evidence that
this won't become common: just like cars, and garage door openers.

~~~
cones688
This is becoming a massive issue in London with the Met actively conceding
that gangs have the codes for JLR cars such as Range Rovers.

[http://www.standard.co.uk/news/london/pull-over-all-range-ro...](http://www.standard.co.uk/news/london/pull-over-all-range-rovers-in-kensington-police-are-told-in-crackdown-on-spate-of-thefts-9979074.html)

~~~
sk5t
Interesting... a 25% year-over-year spike in thefts is huge and certainly
suggests new theft tools are greasing the rails.

------
IgorPartola
Or, you know, just cut the landline to the house. Phone lines go down often
enough that security monitoring centers cannot respond to every incident. If
your system stops sending the keep-alive, they assume it's just that the
line's been cut. There are of course cell based backups now, but those can be
blocked with a pretty standard cellphone jammer too.

Or, just run in and smash the panel. If you do it quickly enough, it won't
send the signal.

Or, get a ladder. Most systems do nothing to protect the upstairs of a two
story house.

Residential security systems are for show and to get discounts on homeowner's
insurance. I'm pretty sure the sign up front deters more people than the
actual system.

~~~
hga
Almost none of these are true for where I currently live, the only thing
lacking, which it pretty much has to given the reality of invoking the police
on wild goose chases, is action beyond the building when the phone line goes
down. But in that case the local alarm most certainly goes off ... but not
very often at all! AT&T at least here is near rock solid.

Do you think insurance companies would give discounts unless the benefits were
per their actuaries real?

I'm sure the sign does a lot of good, but it's just part of a system of
defense in depth which starts there (or perhaps not living in a bad
neighborhood).

~~~
IgorPartola
My theory is that the discount is precisely because of the sign. I am
convinced that that part does 99% of the work at actually deterring crime. The
local alarm won't do anything once you are in the building: just go and turn
it off. In fact, get a shirt with the ADT logo, then go rob a house. Nobody
will question it.

------
carlmcqueen
To this article's credit, ADT when counter-advertising people thinking about
leaving (source: me every time they raise their price on my aged featureless
system) is that alarms made on a cellular signal instead of a land line can be
jammed with 75 dollar cell phone signal jammers.

They stand on the bedrock that their existing systems can't be manipulated
like that. While this article makes it clear that this is not a cheap or
unsophisticated hack, depending on the value of what you have in your home
this kind of hack can very much be worth the price of admission especially
when free and explained on the internet.

~~~
blueskin_
That's why relying on a single link for anything is a bad idea - if a system
is known to use a landline, it's trivial, especially as in most parts of the
US phone lines are aboveground, to cut the phone line before breaking in.

------
rachelbythebay
Important detail: that $15 rtlsdr stick cannot transmit.

~~~
quadrature
Another important detail: if you're just flooding a certain frequency you do
not need an SDR to transmit, you can easily build a cheap $5 transmitter for
that frequency.

------
vonmoltke
Is this article trying to say that jamming can be used to temporarily blank
sensors without the controller realizing they have dropped off the system? If
so, actually using this for practical nefarious purposes would still be fairly
complicated, because you would need to have the system in a pristine state for
x seconds every y seconds.

~~~
pflats
For houses with lots of windows and bigger pets, one of the more ubiquitous
sensors is the acoustic glass break sensor. You only need to jam that one for
a few seconds to get in.

~~~
vonmoltke
I have two of those; in fact, my house has all "perimeter" sensors and no
motion. What you describe only works if the sensor is non-latching. A latching
sensor will trigger the alarm as soon as it reconnects. AFAIK, most glass
breaks are capable of latching, though most are not set up to do so. Changing
the setting is trivial.

Alarm companies have put quite a bit of thought over the decades into anti-
tamper measures. I suspect the reason the "hole" described in the article
exists is because someone felt the other AT measures would cover it adequately
enough for typical usage.
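
The panel behaviour fabulist and vonmoltke describe in this thread, as an added illustration that is not part of any comment or of the linked article: a toy model comparing latching and non-latching sensors, with and without a rule that treats prolonged sensor silence as an alarm. The function `simulate`, the message names and all timings are assumptions constructed for the example, not ADT's or any vendor's protocol.

```python
def simulate(latching, supervision_timeout, blocked, trip_at,
             duration=60, heartbeat=10):
    """Toy panel/sensor model (constructed, not a real alarm protocol).

    latching            -- sensor keeps a trip pending until the panel hears it
    supervision_timeout -- seconds of silence the panel tolerates (None = no check)
    blocked             -- (start, end) seconds during which no message arrives
    trip_at             -- second at which the sensor detects an event
    Returns the list of (second, reason) alarms the panel raises.
    """
    alarms = []
    pending = False          # sensor-side trip state
    last_heard = 0           # panel-side time of last received message
    silence_reported = False
    for t in range(1, duration + 1):
        link_down = blocked[0] <= t < blocked[1]
        if t == trip_at:
            pending = True
        msg = "TRIP" if pending else ("OK" if t % heartbeat == 0 else None)
        if msg and not latching:
            pending = False  # non-latching: one send attempt, then state is dropped
        if msg and not link_down:
            last_heard = t
            silence_reported = False
            if msg == "TRIP":
                alarms.append((t, "sensor trip"))
                pending = False
        elif (supervision_timeout is not None and not silence_reported
              and t - last_heard > supervision_timeout):
            # Policy from the thread: losing contact is treated like a break-in.
            alarms.append((t, "supervision loss"))
            silence_reported = True
    return alarms


if __name__ == "__main__":
    cases = [
        ("non-latching, no supervision", False, None, (20, 32)),
        ("latching, no supervision", True, None, (20, 32)),
        ("non-latching, 15 s supervision", False, 15, (20, 32)),
        ("non-latching, 15 s supervision, short outage", False, 15, (22, 28)),
        ("latching, 15 s supervision, short outage", True, 15, (22, 28)),
    ]
    for name, latch, timeout, window in cases:
        print(f"{name}: {simulate(latch, timeout, window, trip_at=25)}")
```

In this model an outage shorter than the supervision timeout goes unnoticed by the silence check alone; only the latching sensor still reports the event once the link returns.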

------
userbinator
Why does an alarm system, installed presumably permanently on an immovable
house, even need to be wireless? A wired system would basically be immune to
this (and if the wires are physically cut by an attacker, it will alarm.)

~~~
StillBored
While everyone is saying ease of install, and it's true, it's not really that
hard to hardwire a system in most houses. In fact, my previous house was
hardwired by a central security group contractor in about 3 hours for nothing
more than a 3 year monitoring contract (@~$20 a month, 6 years ago). Sure I
didn't get sensors in all my windows, but I did get them in the doors, along
with motion sensors that covered 90% of the square footage of the house,
monitored smoke detectors, garage door controllers, and a bunch of other crap.

Probably close to $500 worth of DSC hardware.

Alarm monitoring is like printing money. The fact that ADT charges as much as
they do, and installs such a craptastic system has always amazed me.

