In response to Bernard Green

I don't really have an issue with wireless systems, or that they can be jammed. The Yale system however has a number of flaws that are unforgivable, mainly that the code is sent in the clear when using a remote keypad.

But the alarms would stop an opportunist thief.

If someone is going to the bother of using a grabber then it's hardly an opportunist.

Even if the code is grabbed it's unusable except in certain conditions.
If you transmit that code to emulate the keyfob will it be accepted or will the sender have to also send the device's individual serial number that has been learnt into the system?
In any case the entry door would need to be opened to start the timer countdown before the code would work.
Or are you saying that the code could be read from the scanner in a readable form so you can manually input the code?
What then?
If the entry door is not used then you will have to go through a protected zone to get to the panel so you would have already set off the alarm.
If the entry door is used to start the countdown then if it's a front door you will have to pick the lock or smash the door. Not something that I've ever come across in four years of working in burgled homes.
 
There is also nothing stopping Yale and Friedland designing alarms that don't suffer from these flaws.
Unfortunately there is something stopping Yale and Friedland designing alarms that don't suffer from these flaws. It is the use of a licence exempt frequency and the regulations applicable to the use of that frequency that restricts the design to one that has these flaws.

The other reason is the design is restricted by the commercial need to keep the price low enough to make it marketable. Hence two way communication is not used to save the cost of a receiver in every sensor.

Battery economy to provide a long period between battery changes also compromises the amount of system integrity checks that are made.
 
I'm not saying the alarm isn't a deterrent.

I am saying that the Yale 434MHz alarm and Friedland SL series are very dated and nowhere near as secure as alarms that are not much more expensive. I think they need to raise their game.

I could build and sell a small device, today, that could be used to jam (without setting off jamming protection alarms) and disarm both systems. It would require no knowledge to use. It would cost me about £20 to make.

If I have grabbed the code, I can grab the serial number. A flaw in the protocol of the alarm means you don't even need to know the serial number of the keypad, you can just know any serial number of any device.

You don't have to open anything to trigger an entry zone - you just replay the signal from the entry zone detector.

The Yale 434MHz alarm has all detectors default to entry zone anyway.
 
Even if the code is grabbed it's unusable except in certain conditions.
If you transmit that code to emulate the keyfob will it be accepted.
Yes it will be accepted. The panel or siren cannot distinguish between the signal from the clone and the signal from the real key fob.
If the entry door is used to start the countdown then if it's a front door you will have to pick the lock or smash the door.
Door sensors can be tricked into thinking the door has been opened without any damage to the door.
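To make the "cannot distinguish the clone" point concrete, here is an added example (not code from the thread or from Yale/Friedland) modelling a panel that accepts a fixed code sent in the clear beside one that checks a keyed MAC over the device serial and a counter; the panel classes, key and frame layout are hypothetical.

```python
import hashlib
import hmac

def make_mac(key, serial, ctr):
    return hmac.new(key, f"{serial}:{ctr}".encode(), hashlib.sha256).digest()

class FixedCodePanel:
    """Hypothetical model of a panel that accepts any frame carrying the learnt code."""
    def __init__(self, code):
        self.code = code
        self.armed = True

    def receive(self, frame):
        # The frame carries only the code in the clear, so a recorded copy is
        # indistinguishable from the genuine fob's transmission.
        if frame["code"] == self.code:
            self.armed = False
        return not self.armed

class CounterMacPanel:
    """Hypothetical model of a panel that checks a MAC over (serial, counter)."""
    def __init__(self, keys):
        self.keys = keys                      # device serial -> shared key
        self.last_ctr = {s: 0 for s in keys}  # highest counter accepted per device
        self.armed = True

    def receive(self, frame):
        key = self.keys.get(frame["serial"])
        if key is None:
            return not self.armed             # unknown serial
        if not hmac.compare_digest(make_mac(key, frame["serial"], frame["ctr"]), frame["mac"]):
            return not self.armed             # bad MAC: forged or corrupted
        if frame["ctr"] <= self.last_ctr[frame["serial"]]:
            return not self.armed             # counter already used: a replay
        self.last_ctr[frame["serial"]] = frame["ctr"]
        self.armed = False
        return True

def replay_demo():
    """Return (fixed_code_replay_disarms, genuine_mac_frame_disarms, mac_replay_disarms)."""
    fixed = FixedCodePanel(code=1234)
    fixed_replay = fixed.receive({"code": 1234})  # constructed copy of a recorded frame

    key = b"constructed-per-device-key"
    panel = CounterMacPanel({0x1A2B: key})
    frame = {"serial": 0x1A2B, "ctr": 7, "mac": make_mac(key, 0x1A2B, 7)}
    genuine = panel.receive(frame)                # first use: accepted, panel disarms
    panel.armed = True                            # owner re-arms; attacker replays frame
    replay = panel.receive(frame)
    return fixed_replay, genuine, replay
```

The recorded frame disarms the fixed-code panel but is rejected by the counter-based one, since its counter has already been accepted.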
 
The Yale 434MHz alarm has all detectors default to entry zone anyway.
In the 6200 yes, but in the 6400 it is the opposite: all sensors are instant or burglar by default.
The new 868 system however is entry by default. That I cannot understand; what were Yale thinking of??
 
You don't have to open anything to trigger an entry zone - you just replay the signal from the entry zone detector.

How can you grab the signal of the entry sensor without actually getting the sensor to send first?

To grab the alarm code and the entry sensor you would need to be grabbing this information when the homeowner came home. If he has the 6400 alarm and the panel is in the hallway then you cannot grab the entry code, only the entry sensor.

This all looks like far too much effort which is probably why attacks of this kind are so rare.
 
If the entry door is used to start the countdown then if it's a front door you will have to pick the lock or smash the door.
Door sensors can be tricked into thinking the door has been opened without any damage to the door.

As above we are getting into Mission Impossible territory here - much easier to burgle the house on the street without an alarm and guess what?
Ask the police THAT is exactly what happens in real life and not from the pages of some radio manual.
 
Unfortunately there is something stopping Yale and Friedland designing alarms that don't suffer from these flaws. It is the use of a licence exempt frequency and the regulations applicable to the use of that frequency that restricts the design to one that has these flaws.

Texecom Ricochet, Pyronix Enforcer, Visonic PowerG all use licence exempt frequencies and are much more secure. What aspect of the 434/868/915MHz ISM bands stops a secure system being built? There are limitations, but it's perfectly possible to work within them.

The other reason is the design is restricted by the commercial need to keep the price low enough to make it marketable. Hence two way communication is not used to save the cost of a receiver in every sensor.

The Friedland SL series use CC1150 transmitters in the detectors. The CC1101 transceiver is only marginally more expensive in bulk (about $0.50 more). Or they could move onto a CC1110 SoC and not require another microcontroller.

Also, if Friedland can make a detector using a decent integrated RF transmitter for about the same cost that Yale is using a simple resonator based AM OOK transmitter, there is room for improvement.

Battery economy to provide a long period between battery changes also compromises the amount of system integrity checks that are made.

If they redesigned their RF protocol, they could make ten times as many supervisory transmissions with little impact on battery life.
 
You don't have to open anything to trigger an entry zone - you just replay the signal from the entry zone detector.

How can you grab the signal of the entry sensor without actually getting the sensor to send first?

To grab the alarm code and the entry sensor you would need to be grabbing this information when the homeowner came home. If he has the 6400 alarm and the panel is in the hallway then you cannot grab the entry code, only the entry sensor.

This all looks like far too much effort which is probably why attacks of this kind are so rare.

Asking questions for secret answers again mdf? tut tut ;)
 
If the entry door is used to start the countdown then if it's a front door you will have to pick the lock or smash the door.
Door sensors can be tricked into thinking the door has been opened without any damage to the door.

As above we are getting into Mission Impossible territory here - much easier to burgle the house on the street without an alarm and guess what?
Ask the police THAT is exactly what happens in real life and not from the pages of some radio manual.

So at what point does an alarm become worthless because it is so insecure? What if you could completely crash one particular alarm from outside the property within seconds? What if another alarm had a backdoor that meant that anyone could disable it remotely?
 
You don't have to open anything to trigger an entry zone - you just replay the signal from the entry zone detector.

How can you grab the signal of the entry sensor without actually getting the sensor to send first?

Why have you made the assumption that the sensor hasn't sent?

All you do is record the sensor activations immediately prior to the disarm signal being sent, and use them later.
 
So are you saying you can Jam the system WITHOUT setting off the external siren?
I don't think so.

Yes - with the Yale system this is totally trivial. Buy a 434MHz AM OOK transmitter for £1. Buy a 555 timer and external components to build an oscillator. Modulate the transmitter with the 555 timer. You just need to pick a frequency that causes the basic RC AGC in the receiver to set the gain to a point where nothing useful will be picked up. It's actually really quite hard to make the jam protection alarm. For some reason the RSSI signal from the receiver isn't connected inside the panel or siren, but there is a path for it to be read by the microcontroller.

Even really expensive systems don't always do jamming protection well.
 
I would suggest it is not that easy to jam an AM receiver that has a carrier detect signal linked to a timing system to detect prolonged carrier as an indication of the channel being active and thus blocked.

But on that I could be wrong.
 
I suspect they had something more complex in mind, and it didn't really work. As long as the frequency is such that the detector signals are disrupted whilst not triggering the jamming protection, it is fine. It only takes a few minutes of experimentation.

If you want it more advanced, a tiny burst of noise at the right moment after the transmission has started will cause the checksum to fail and the alarm won't trigger.
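As an added example from the defender's side (not code from the thread or from any alarm vendor), this sketches the two checks the last two posts touch on: a carrier-detect watchdog of the kind mdf describes, which flags carrier held far longer than any legitimate frame, and a count of checksum failures per window, which is what a panel would see if frames were being corrupted mid-transmission. The sampling interval, thresholds and the sample data are all constructed assumptions.

```python
SAMPLE_MS = 10             # assumed sampling interval of the receiver's carrier-detect line
JAM_CARRIER_MS = 2000      # assumed limit: continuous carrier longer than this is jamming
BAD_FRAME_WINDOW_MS = 60000
BAD_FRAME_LIMIT = 3        # assumed: this many checksum failures in a window is suspicious

def carrier_bursts_over(cd_samples, threshold_ms=JAM_CARRIER_MS, sample_ms=SAMPLE_MS):
    """Return (start_ms, duration_ms) for every carrier run at least threshold_ms long."""
    bursts, run_start = [], None
    for i, cd in enumerate(list(cd_samples) + [0]):   # trailing 0 flushes the last run
        t = i * sample_ms
        if cd and run_start is None:
            run_start = t
        elif not cd and run_start is not None:
            if t - run_start >= threshold_ms:
                bursts.append((run_start, t - run_start))
            run_start = None
    return bursts

def too_many_bad_frames(frame_log, window_ms=BAD_FRAME_WINDOW_MS, limit=BAD_FRAME_LIMIT):
    """frame_log: (timestamp_ms, checksum_ok) pairs. True if any window holds >= limit bad frames."""
    bad = [t for t, ok in frame_log if not ok]
    return any(sum(1 for u in bad[i:] if u - t < window_ms) >= limit
               for i, t in enumerate(bad))

# Constructed sample data (not captured from a real system):
# 200 ms idle, a 150 ms legitimate frame, 200 ms idle, then 2.5 s of continuous carrier.
CD_SAMPLES = [0] * 20 + [1] * 15 + [0] * 20 + [1] * 250 + [0] * 10
FRAME_LOG = [(0, True), (1000, False), (15000, False), (30000, True), (40000, False)]

def jam_report(cd_samples=CD_SAMPLES, frame_log=FRAME_LOG):
    return {"prolonged_carrier": carrier_bursts_over(cd_samples),
            "checksum_failures": too_many_bad_frames(frame_log)}
```

Neither check needs more than the carrier-detect line and the existing checksum result, which is the point of the exchange above: the receiver already has the information to raise a tamper event.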
 