I’m not sure I can ‘disclose’ the alarm system manufacturer’s name but they sell their products all over the world (according to their website), by the way I can see them everywhere I go :-)
A few months ago I decided to open the burglar alarm control panel at my parents’ house.
I then see that, once again, security is not where I would expect :-)
My parents wanted to make some minor modification regarding the arming rule (e.g. arming garage and kitchen but not bathroom anymore during the night).
They told me that the installer guy asks each time 150 € (~200 $), even for minor (and quick) modifications. I’m quite sure the guy doesn’t know he’s just changing a few bytes when he uses the user interface software from the alarm manufacturer. Anyway, he knows that the operation takes only a few minutes at most, and me too :-)
Please note that I don’t discuss the fact that the guy has to earn his life but maybe I’m going to think of selling/installing burglar alarms…
So I opened the control panel to look for a model reference inside.
Ouch… the first bad surprise was that removing the cover fired the alarm instantly…
Fortunately we could stop the alarm bell by entering the (known) user code at the keypad.
The second surprise, pretty much worse, was that it was not possible to arm the alarm anymore :-(
Well, the installer code is needed to clear the fault… It seems that this anti-tamper system is also another way for the installer to get 150 bucks more.
From that moment it was even more important to get access to the system, I was urged to make it working again, hum. The good news was that there was a connector which looks familiar (it’s always better than proprietary interfaces…).
So I went on the manufacturer website, thinking of downloading some software…
As you can see, access to this part of the website is for authorized ressellers and installers only…
Too bad but… hey, guess what, you can register… :-)
I first thought that I would have to wait a few days in order to let them verify my identity and so on. Working in electronic & IT, I was really thinking I could convince them to let my access the software download but… surprise, they trust you straight away, just fill the boring form and you’re done.
I thought of injecting some html to get “Other”, “End user” or even “Hacker” choice in the above listbox but no time for that :-)
I then installed and ran the freshly downloaded
user-friendly awful ancient-delphi-style software, connected computer to the electronic board through classic RS-232.
I could read a lot of things out of the alarm memory/configuration but surprise surprise I cannot modify anything without providing some ‘installer code’. My parents asked the guy but no way to get it… I’m not sure he can legally keep it from us but I then understood there was (?) another reason…
The ‘exciting’ part began and I noticed a few interesting things:
- The input password box is max 6 characters length.
- It seems that I can try as many times as I want (as I need).
- The software reacts very very quickly (for its age :)) when I try passwords, it let me think that the lock was software only and not embedded in the alarm electronic, I could have been wrong but I had this feeling :-).
- Given the fact that the code can also entered using the physical keypad it’s numeric only (confirmed in the manual).
- Regarding the alarm manual (also downloaded from the website) the installer code must be at least 4 characters long.
- The software seems to continue working after I disconnected the computer from the RS-232 electronic board.
Given all these observations, I thought of a “brute-force” attack. Nowadays it’s rarely useful (because of the usually large key space used) but here, it could take less than one day. Anyway, there were other more elegant possibilities:
- Sniffing communication between computer and electronic unit.
- Sniffing data on the PCB side.
- Playing with OllyDbg to either grab the code from memory, or inverting some conditional tests to make the software accept any code.
- Being an electronic guy, I also thought of reading the eeprom/micro-controller.
I had a quick look with OlyDbg (and some other delphi dedicated diasemblers) but too painful for me (I did some crackmes a long time ago but I don’t know much about “cracking”).
So I went for the brute-force attack and the sniffing at the same time :-) I quickly wrote a piece of code sending incremented numeric codes, clicking the validate button while reacting to the invalid code messagebox.
I let the brute-forcer app running and, after lunch, picked another computer to sniff data, I didn’t know that software sniffer for RS-232 would exists so I first went on using two RS-232 ports but while googling I found “free device monitoring studio”, never thought that this kind of software would exist but it makes sense!
I confirmed the fact that the software does not exchange data with electronic unit when checking entered codes… So the software would exchange the code when it “connects” to the board the first time.
There were only a few bytes and some of them immediately caught my eyes… wait… these numbers sounds familiar…maybe this is a coincidence but they are the same that my postal code! Would the installer guy use the area postal code as it’s installer code…? And would the box exchange the code with the software in plain text? It seems so, at least for my parents’ alarm :-)
In the meantime, the brute-forcer app, stopped counting at my postal code, too.
Surprise surprise no more invalid password messagebox when trying to unlock with the local area postal code anymore :-) I have now full access to modify whatever I want!
I do not blame the alarm manufacturer, because if the thief is able to remove the cover to connect some PC, this thief is certainly already inside your house (and either the alarm bell is already ringing, or he already took care of that).
What scares me is the installer guy who supposedly uses the same (logic) code everywhere (I guess it’s another one for the other local areas but I should be able do guess it :-))
Knowing that there is a logic behind the installer code, bad people could break any surrounding house and gently disarming the alarm system…
Windows are labeled with “protected by [the guy_company_name]”, I think the purpose is to ‘scare’ stupid thieves (or maybe to appeal the other ones :-)).
There is also a communication module (in option) which allows the end user to remotely (modem over phone line) arm/disarm the system, the problem is that this module also allows installer guy to make some changes remotely (still costing 150 bucks :-)?). A ‘more malicious’ attacker might try to remotely connect to random houses (the ones wearing the ‘protected stickers) using the phone book…
At least the installer guy won’t be able to do anything locally/remotely as I changed the installer code (hi thieves, I’m now using the house number haha :-)).