Alarm system
Inspired by Babak Javadi's presentation
December 2013 – Alexandre TRIFFAULT
http://www.frenchkey.fr
Honeywell ADEMCO
• Uses both wired and wireless communication (345 MHz, unencrypted)
Wireless zone – Device state ID sent by the device
• 3 key pieces of data
  • Serial number
  • Loop
  • Status (Wake, Check-in, Low Battery)
• The same format is used by every RF device
  • Sensors (door opening, glass break…)
  • Keypads and keyfobs
• S/N is unique per device
  • Not changeable
  • Enrolled during programming
Wireless zone – RF Data acquisition
Wireless zone – RF Data structure
• RF Loop
  • Devices have up to 4 loops
  • Loops operate independently
• Four status bits
  • B : Low Battery
  • S : Supervisory
  • W : Wake-up / power-up (new battery)
Hardwired zone – wiring structure
System weaknesses – Hardwired zone
• EOL resistor placement
  • The location is IMPORTANT!
  • EOL means « End Of Line » for a good reason
• Tamper detection is very difficult
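The point about EOL resistor placement, as an added example that is not part of the original slides: a small Python model of a normally-closed hardwired zone with a single end-of-line resistor, comparing the resistor wired at the sensor against the resistor wired at the panel under three attacks (a cut wire, a short across the field wires along the run, and a short across the contact alone inside the sensor housing). The resistor value, the panel's tolerance band, the state names and the attack names are assumptions of this model, not Honeywell specifics.

```python
R_EOL = 2000.0       # assumed EOL resistor value, ohms
TOLERANCE = 0.25     # assumed: panel reads +/-25 % of R_EOL as NORMAL
OPEN = float("inf")  # an open loop measures as infinite resistance


def loop_resistance(eol_at_sensor, door_open, attack="none"):
    """Resistance the panel measures across the zone terminals.

    eol_at_sensor: True  -> resistor in series right at the contact (correct)
                   False -> resistor at the panel terminals (wrong)
    attack: "none"          untouched wiring
            "cut"           a field wire is cut somewhere along the run
            "short_wires"   both field wires bridged at an accessible point
                            along the run (e.g. with a remote switch)
            "short_contact" the contact alone bridged inside the sensor housing
                            (needs physical access to the device)
    """
    if attack == "cut":
        return OPEN
    if attack == "short_contact":
        return R_EOL                  # contact bypassed, resistor still in series
    if attack == "short_wires":
        # The bridge shorts everything beyond it. A resistor at the sensor is
        # shorted too; a resistor at the panel survives and keeps reading normal.
        return 0.0 if eol_at_sensor else R_EOL
    contact = OPEN if door_open else 0.0   # NC contact opens with the door
    return contact + R_EOL                  # inf + R_EOL is still inf


def panel_state(resistance):
    """Classify the loop the way a single-EOL zone input does (assumed bands)."""
    if resistance == OPEN:
        return "ALARM"        # open loop: door opened, or wire cut
    if abs(resistance - R_EOL) <= TOLERANCE * R_EOL:
        return "NORMAL"
    return "TROUBLE"          # out of range, e.g. shorted: wiring fault / tamper


def zone_state(eol_at_sensor, door_open, attack="none"):
    return panel_state(loop_resistance(eol_at_sensor, door_open, attack))


def bypass_succeeds(eol_at_sensor, attack):
    """True if the attack can be installed unnoticed (door shut, zone NORMAL)
    and the door then opened without the zone going to ALARM."""
    installed_quietly = zone_state(eol_at_sensor, False, attack) == "NORMAL"
    door_ignored = zone_state(eol_at_sensor, True, attack) != "ALARM"
    return installed_quietly and door_ignored


if __name__ == "__main__":
    for eol_at_sensor in (False, True):
        where = "sensor" if eol_at_sensor else "panel"
        for attack in ("cut", "short_wires", "short_contact"):
            print(f"EOL at {where:6s} {attack:14s} "
                  f"shut={zone_state(eol_at_sensor, False, attack):7s} "
                  f"open={zone_state(eol_at_sensor, True, attack):7s} "
                  f"bypass={bypass_succeeds(eol_at_sensor, attack)}")
```

With the resistor at the panel, bridging the field wires anywhere along the run leaves the loop reading R_EOL, so the panel stays NORMAL while the door is opened. With the resistor at the sensor the same bridge reads 0 ohms and trips TROUBLE the moment it is installed, which forces the attacker to open the sensor housing and bridge only the contact. That last case is why the device itself still needs tamper protection and why exposed wiring and physical access to the sensors matter so much.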
System weaknesses – Installer code
System weaknesses – Shortsighted architecture
• Weak PIN authentication
  • Fixed length: 4 characters
  • Tiny character set: digits 0 to 9 only
• Special function
  • User access level inquiry
• Minimal attack resistance
  • Crude RF jamming detection
  • No attack resistance on the wired ECP bus
System weaknesses – ECP Bus shortcomings
• Unencrypted
• Shared copper
  • Allows eavesdropping
  • Interception of keystrokes
• Minimal attack resistance
  • No brute force detection / no command lockout
  • Allows automated / scripted attacks
System weaknesses – Attacking via ECP Bus – Brute Force
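The brute-force attack the slides describe (4-digit PIN, 0 to 9 only, no lockout on the ECP bus), as an added Python example that is not part of the original slides: a model of a panel that evaluates every code it is given beside a hardened variant that ignores the keypad for a while after a run of failures, and a scripted attacker that enumerates the whole keyspace against each. The time per attempt, the lockout threshold and duration, and the assumption that the attacker notices a lockout and waits it out are all constructed for this model, not measured on real hardware.

```python
import itertools

SECONDS_PER_ATTEMPT = 0.5   # assumed: clocking four digits plus [enter] onto the bus


class Panel:
    """Panel with no brute-force detection: every code presented is evaluated."""

    def __init__(self, pin):
        self._pin = pin
        self.attempts = 0          # codes actually evaluated

    def is_locked(self, now):
        return False

    def try_pin(self, guess, now):
        self.attempts += 1
        return guess == self._pin


class LockoutPanel(Panel):
    """Hardened variant: after MAX_FAILURES consecutive failures the keypad is
    ignored for LOCKOUT seconds. Both parameters are assumptions of the model."""

    MAX_FAILURES = 5
    LOCKOUT = 60.0

    def __init__(self, pin):
        super().__init__(pin)
        self.failures = 0
        self.locked_until = 0.0

    def is_locked(self, now):
        return now < self.locked_until

    def try_pin(self, guess, now):
        if self.is_locked(now):
            return False                       # ignored, not evaluated
        ok = super().try_pin(guess, now)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:
                self.failures = 0
                self.locked_until = now + self.LOCKOUT
        return ok


def brute_force(panel, digits=4):
    """Scripted attack over the bus: enumerate every code in order, waiting out
    any lockout the attacker observes. Returns (attempts, simulated seconds)."""
    now = 0.0
    for code in itertools.product("0123456789", repeat=digits):
        guess = "".join(code)
        if panel.is_locked(now):
            now = panel.locked_until           # attacker waits for the keypad to respond again
        if panel.try_pin(guess, now):
            return panel.attempts, now
        now += SECONDS_PER_ATTEMPT
    raise RuntimeError("keyspace exhausted without a match")


if __name__ == "__main__":
    for cls in (Panel, LockoutPanel):
        attempts, seconds = brute_force(cls("7391"))
        print(f"{cls.__name__:13s} {attempts:5d} attempts, {seconds / 3600:.1f} h")
```

Against the unprotected panel the whole 10,000-code keyspace takes well under an hour and a half at this rate, so a mid-range code such as 7391 falls in about an hour. The lockout does not change the number of codes that must be tried, but it stretches the same attack to roughly a day, and a longer code multiplies both figures by ten per extra digit. Neither helps against eavesdropping on the shared bus, where the correct code is simply read off the wire.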
System weaknesses – Hardwired zone
• Wire management
  • Exposed wires: bad
  • Visible wiring
  • Sloppy wiring
  • Lazy wiring
System weaknesses – RF zone
• 1/ Supervised RF transmitters (door opening, motion sensor, glass breaking…)
  • Unencrypted low-power one-way devices
  • Transmit only when the state changes
  • Transmit a « check-in » signal every 4 hours
• 2/ Unsupervised RF transmitters (keyfobs)
  • Mostly unencrypted low-power one-way devices
• Attack vectors
  • Eavesdropping
  • Jamming
    • No detection in old receivers; off by default in new ones (45-second interval and a lot of false positives)
  • Replaying / Spoofing
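The replay weakness of supervised one-way sensors, as an added Python example that is not part of the original slides: a receiver that trusts any frame from an enrolled serial number, a device that checks in every 4 hours, and an attacker who records one check-in, jams the real sensor and replays the recording at every supervision deadline. A hardened receiver with a per-device key and a strictly increasing counter (the generic rolling-code idea the slides mention for newer keypads) is shown beside it. The frame field names, the grace period, the serial, the key and the HMAC-SHA256 construction are assumptions of this model and do not describe Honeywell's wire format.

```python
from dataclasses import dataclass
import hashlib
import hmac

SUPERVISION_INTERVAL = 4 * 3600   # sensors check in every 4 hours (from the slides)
GRACE = 30 * 60                   # assumed: panel tolerates a 30-minute late check-in


@dataclass(frozen=True)
class Frame:
    """The three pieces of data the slides name: serial, loop, status bits.
    Field names are this model's, not the wire format."""
    serial: int           # fixed, unique, enrolled at programming
    loop: int             # 1..4
    fault: bool           # assumed flag: the loop is open / tripped
    low_battery: bool     # B
    supervisory: bool     # S (periodic check-in)
    wakeup: bool          # W (power-up / new battery)


class Receiver:
    """Plain receiver: accepts any frame whose serial is enrolled.
    No freshness and no authentication, so a recorded frame replays forever."""

    def __init__(self, enrolled):
        self.last_seen = {serial: None for serial in enrolled}
        self.faults = []  # (time, serial, loop) of accepted fault frames

    def receive(self, frame, now):
        if frame.serial not in self.last_seen:
            return False
        self.last_seen[frame.serial] = now
        if frame.fault:
            self.faults.append((now, frame.serial, frame.loop))
        return True

    def supervision_lost(self, now):
        """Serials whose last check-in is older than interval + grace."""
        return sorted(s for s, t in self.last_seen.items()
                      if t is None or now - t > SUPERVISION_INTERVAL + GRACE)


def sign(key, frame, counter):
    """Authentication tag over every field plus the counter (hardened variant)."""
    msg = (f"{frame.serial}|{frame.loop}|{frame.fault}|{frame.low_battery}|"
           f"{frame.supervisory}|{frame.wakeup}|{counter}").encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthReceiver(Receiver):
    """Hardened receiver: per-device key plus a strictly increasing counter.
    A generic rolling-code design, not a description of any Honeywell product."""

    def __init__(self, keys):
        super().__init__(keys)
        self.keys = keys
        self.counter = {serial: -1 for serial in keys}

    def receive(self, signed, now):
        frame, counter, tag = signed
        key = self.keys.get(frame.serial)
        if key is None or counter <= self.counter[frame.serial]:
            return False                      # unknown device, or a replayed counter
        if not hmac.compare_digest(tag, sign(key, frame, counter)):
            return False                      # forged or modified frame
        self.counter[frame.serial] = counter
        return super().receive(frame, now)


def replay_scenario(hardened):
    """Attacker records the door sensor's check-in at t = 0, jams the real sensor
    from then on (its later frames, door openings included, never reach the
    receiver, so receive() is simply not called for them) and replays the
    recording at each supervision deadline.
    Returns (accepted replays, serials flagged as supervision lost)."""
    serial = 0x0A1B2C                                  # constructed serial
    key = b"per-device-key-enrolled-at-programming"    # constructed key
    checkin = Frame(serial, 1, False, False, True, False)
    if hardened:
        rx = AuthReceiver({serial: key})
        legit = (checkin, 1, sign(key, checkin, 1))
    else:
        rx = Receiver({serial})
        legit = checkin
    rx.receive(legit, 0)                      # genuine check-in, captured by the attacker
    replays = [rx.receive(legit, t) for t in (4 * 3600, 8 * 3600, 12 * 3600)]
    return replays, rx.supervision_lost(12 * 3600 + 60)


if __name__ == "__main__":
    print("plain   :", replay_scenario(False))
    print("hardened:", replay_scenario(True))
```

With the plain receiver every replay is accepted and the jammed sensor is never reported missing, so the zone looks healthy for as long as the attacker keeps replaying. With the counter and tag, the replays are rejected and the 4-hour supervision does its job: the sensor is flagged as lost at the first missed deadline, which is the event a monitoring station can act on.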
System weaknesses – RF zone, bidirectional
• Bidirectional RF transmitters (keypads)
  • Unencrypted keypads use a « House ID », 00 to 31 (checked from the panel)
  • New encrypted keypads likely use KeeLoq
• KeeLoq
  • Rolling-code encryption by Microchip
  • Used by cars, garage door openers…
  • Broken in 2007
System weaknesses – Panel to central office
• Honeywell systems: two-part authentication
  • Subscriber account number
    • HEX, 4 bytes, unique per customer
  • Central Station Identification
    • HEX, 8 bytes, uniqueness unknown
• ADT systems
  • Subscriber account number
  • Special release of Compass software
• Careful and proper installation
  • Hide your wires
  • Protect your wires
• Don't use RF devices
• Know your weak points
• Protect the power source
• Avoid physical access to key devices
Motion and Opening detector
• Radio-wave motion detection
• Infrared motion detection
  • Function: AND (both must trigger)
• Detected with a compass or a Gaussmeter
• NO/NC (normally open / normally closed)
• Shorted out with a remote switch