$20 'Toy' Deactivates Cheap Home Alarms, Opens Doors
mask.of.sanity writes "Cheap home alarms, door opening systems and wireless mains switches can be bypassed with low-cost and home-made devices that can replicate their infrared signals. Fixed-code radio frequency systems could be attacked using a $20 'toy', or using basic DIY componentry. Quoting: 'Criminals might be able to capture IR signals if they can get a line of sight to when the system is being armed or disarmed. If a criminal knows what type of alarm system you're using then they could do what we did here and reverse it for cloning a remote. A more likely scenario is just to buy a duplicate system and use that remote. Not all IR remotes can be switched from the same system. It depends on whether a code is being transmitted and how many variations of the code and remote exist. In the system described in this post, there is no code, just a carrier signal. If a code is being transmitted, then the Infrared toy can capture it and replay it. So that's your best bet for a criminal looking at a completely unknown remote.'"
So can many universal remotes, so can a computer, so can anything else.
This is almost as silly as the "access to an unencrypted disk is access to your data!!!!!" story from a few days ago.
Does anybody's garage door still use some fixed code remote? Come on. This is not 1960.
Say it isn't so!!! Someone made a copy of my keys from a wax mould. So I got an electronic lock. So now that is vulnerable too?! Say it isn't so!!
I'm sorry, but if you want to secure a transmitted signal, then SECURE IT. Signals which are one-way only are weak by definition. Instead, there should be work done on systems which require an encrypted signal started by the key device and received by the lock which returns with a reply to the key device which acknowledges the reply.
And yes, even THAT can be replicated... it's just harder. But the rule is that which can be locked can be unlocked. It's a question of complication.
Holy crap! That is amazing! Who made this wonderful discovery, surely they must be nominated for some sort of prize. Oh, wait, everything with even the slightest bit of security uses rolling codes. Oh well.
So can many universal remotes, so can a computer, so can anything else....
Of course the very first thing the article covers is universal remotes and how they didn't work.
Perhaps, in the future, you should RTFA before commenting.
It is a big deal because unlike a universal remote, security systems are supposed to be, well, secure. You shouldn't be able to hack a security system with a 20$ toy.
Anyone who buys one of those cheap alarm systems probably doesn't have anything worth stealing anyway.
It's almost as if the security company is selling the appearance of security instead of actual security. Surely, they wouldn't be so mercenary.
pans attached to a string !
If your door comes with a hardcoded key that is the same for all doors from that company, some people will be able to unlock that door.
Alert the internets !
You can also deactivate them with a $5 hammer. Or by pulling them off the wall and dropping them on the floor below.
It seems to me that there is a finite number of signals any security manufacturer will use, just like there are a finite number of 4 or six digit codes. The difference is that while a human may only be able to try 10 codes a minute on a keypad, a scanner should be able to increase that rate by a factor of 5. Thus a criminal could sit in a car across the street for 20 minutes and check 1000 codes to see if they can disarm the alarm. Or pretend to be delivering a package, leave the device there, and come back in an hour to see if the house has been left insecure.
As an aside, many years ago when automatic garage doors became popular, and IR or radio transmitters were not cheap, I am told that they worked off car horns. The story goes that teens would drive down the street at night, honking their horns, to watch the garage doors go up. Security is always a compromise between convenience and actual security. The former does tend to win out.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
But I am more worried about the garage door openers coming with cars. They have usually three buttons in the rear view mirror. You hold the regular garage door open close to it and operate the door two or three times. Somehow the car gets not only the code but also the "rolling codes" and becomes a new duplicate garage door opener. Wondering what kind of security has been implemented there. If I use a sophisticated and powerful radio receiver to capture the code transmitted by the garage door opener two or three times, would it be enough to get the rolling code algorithm?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
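The difference between the fixed codes in the story and the rolling codes and keyed exchanges raised in the comments above, as an added example that is not from the article or from any commenter: a receiver that compares against a static code accepts a recorded frame forever, while one that checks an authenticated, strictly increasing counter rejects the same recording. The class names, the frame layout, the 16-press window and the key are assumptions made for illustration, and HMAC-SHA256 stands in for whatever cipher a real opener uses.

```python
import hashlib
import hmac
import struct

FIXED_CODE = b"\x5a\x3c"          # constructed sample code (think DIP switches)
SHARED_KEY = bytes(range(32))     # constructed key, set when remote and receiver are paired
SERIAL = 0x1234                   # constructed remote serial number


class FixedCodeReceiver:
    """Accepts any frame equal to the static code, so a recording always works."""

    def __init__(self, code):
        self.code = code

    def accept(self, frame):
        return hmac.compare_digest(frame, self.code)


def make_frame(key, serial, counter):
    """Frame = serial (4 bytes) + counter (8 bytes) + truncated HMAC tag (8 bytes)."""
    body = struct.pack(">IQ", serial, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


class RollingRemote:
    def __init__(self, key, serial):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self):
        self.counter += 1
        return make_frame(self.key, self.serial, self.counter)


class RollingReceiver:
    WINDOW = 16  # tolerate this many presses made out of range

    def __init__(self, key, serial):
        self.key, self.serial, self.last = key, serial, 0

    def accept(self, frame):
        if len(frame) != 20:
            return False
        body, tag = frame[:12], frame[12:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False              # not produced with the paired key
        serial, counter = struct.unpack(">IQ", body)
        if serial != self.serial:
            return False
        if not (self.last < counter <= self.last + self.WINDOW):
            return False              # already used, or too far ahead
        self.last = counter           # every counter value is valid once only
        return True


def demo():
    results = {}
    fixed = FixedCodeReceiver(FIXED_CODE)
    results["fixed_first"] = fixed.accept(FIXED_CODE)
    results["fixed_replay"] = fixed.accept(FIXED_CODE)    # recorded copy, same bytes

    remote = RollingRemote(SHARED_KEY, SERIAL)
    rx = RollingReceiver(SHARED_KEY, SERIAL)
    frame = remote.press()
    results["rolling_first"] = rx.accept(frame)
    results["rolling_replay"] = rx.accept(frame)          # same recorded frame again
    for _ in range(3):
        remote.press()                                    # pressed out of range
    results["rolling_after_missed"] = rx.accept(remote.press())
    altered = bytearray(remote.press())
    altered[11] ^= 0x01                                   # counter changed, tag not recomputed
    results["rolling_altered"] = rx.accept(bytes(altered))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```
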
It's almost as if the security society is selling the appearance of security instead of actual security. Surely, they wouldn't be so mercenary.
So my alarm which is activated by NFC should emit an IR and RF signal, then listen for those signals being sent by someone who is trying to turn it off.
20+ years of owning big dogs. I've lived in several "rough" neighborhoods and I have never had anyone try to break in. A German Shepherd's bark is far more effective than any form of electronic protection.
How long before there's an "app for that"?
Even easier: A cheap laser pointer will set off an infrared motion detector. Just repeatedly trigger the alarm until the homeowner shuts it off.
Sheldon: What if someone kidnaps me, forces me to record my voice, and then cuts off my thumb?
And the solution to this is, of course, to ban DIY electronics right? These are IEDs, Improvised Electronic Devices they are making! Terrorists! To Guantanamo with them!
But this is kind of like hacking a door lock with a crowbar.
Gamingmuseum.com: Give your 3D accelerator a rest.
I built a garage door opener that would cycle through every switch combination of the unit type he installed. This was so he could do maintenance and repair without having to have them leave their remote.
It is a big deal because unlike a universal remote, security systems are supposed to be, well, secure. You shouldn't be able to hack a security system with a 20$ toy.
If your "security" system cost $8 like the one they hacked, you probably got what you paid for. I doubt that anyone is using this kind of thing to secure anything of importance. Most are probably sold as a novelty or to keep roommates out of your stuff, sort of. They say there are also IR door keys that are also hacked similarly, but I don't see examples in TFAs. And I've never seen an IR door key in actual use, not that my experience is definitive.
I am not a crackpot.
That's not a "consumer grade home security system". It's a motion sensor alarm. A cheap, pitiful motion sensor alarm. That a $7.80 alarm doesn't use a sophisticated or even up-to-date remote shouldn't be a surprise to anyone.
Sounds like a "weird" trick. Should it be banned?
I actually own one of these. Given the price I paid for it - I fully expected the IR to be more or less useless in terms of security. A few weeks after I replaced the whole thing with a custom solution, merely reusing the box.
But he completely omitted the WHY they didn't work.
bickerdyke
The big name players in the US install really crappy wireless security systems, so they can advertise "$99"s installed. Of course those systems suck primarily because the batteries die in the sensors.
Of course those are the same companies charging $50 for "monitoring" over POTS and even more if you want a cell or IP based system.
Frankly, it doesn't take much shopping to find companies that will install hard wired systems with POTS and cell backup for the same amount of money and monitor it for under $25 a month.
Either way, these security systems are fairly easily bypassed by a motivated thief simply by cutting the phone and cable connections, then using a cell phone jammer to keep the system from calling home. Then as most places no longer allow external sirens the thief can usually silence the alarm in a matter of a few tens of seconds.
Finally, the truth of the matter is that simply putting a sign in your yard with the name of a popular security system monitoring agency gives you basically the same security as actually paying for a security system.
Burn Notice? :)
If your insurance company asks if you have a security system and you say "yes" because you spent $8 on one, is that fraud?
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I can't think of any security systems that are actually listed and labeled as security systems that use infrared technology to operate.
Their "security system", an eBay purchase for $8 AU, is hardly worth calling a "security system".
This is in the same level as if I said I picked a 20 cent "lock" that uses a single tumbler with a 2 cent paperclip. That lock provides no real security in the same manner as their eBay security system.
There is a reason independent labs test, list, and label security systems. And even then, everyone who understands security understands security comes in layers.
"If it ain't broke, it doesn't have enough features yet"
Indeed. I'm just waiting how long for a firmware for TV-B-GONE. :-) That should be reasonably trivial?
In related news, researchers show that cheap door can be kicked down.
It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
My insurance company specifies that it must be a monitored alarm, and I have to sign an affidavit to that effect.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
I wouldn't doubt it one bit. Surely you know what people are like by now. Your regular idiot sees an $8 security system and instead of seeing a cheap, flawed piece of junk, they see an amazing bargain.
Some remotes such as the All-in-one along with the "JP1" interface and 3rd party software allow you to get very low level access to the IR signals.
e.g. carrier frequency, duty cycle, actual timing of the '0' & '1' signals and actual bit encoding.
So generating just the carrier signal can be done by setting both '0' & '1' to just outputting the carrier.
I have programmed the IR signal from my Chinese clone xbox remote captured from a logic analyzer. The IR learning doesn't work as the IR protocol was completely proprietary. I even changed the bit timing as there was a design flaw with the pulse being too short and now my remote works better than the original. I also found a mis-coded button in the process.
After reading the linked articles it becomes obvious this is a panic blog. The security systems mentioned are nothing more than cheap crap that anyone with half a brain would not buy.
Real security systems used remotes that are programmed into the system via individual serial numbers per device. These devices also have limited range. So not only do you have to actually find the frequency it works on but also the device ID code which is also encrypted.
Definitely not new. Back in the '90s, my mom was looking into (as in she had some samples and had me look at them) selling crap personal security devices by some company called "Quantum" (hooray multi-level marketing) built around a really loud noisemaker, such as a "grenade pin" alarm in case of a purse snatcher.
One was a "car alarm" which was basically a sonar motion detector that you put up on your dashboard when leaving the car. The idea was that you had an IR remote to control it, and could enable and disable it through the window. The only problem was that it only used one code to talk to the unit, selectable from a total of 16. Learning remotes are NOT new (we had one in the early '80s!), and all you would have to do is learn all 16 codes into one remote and try them all. (What, you actually thought they'd take the time to make it go off if it saw one of the other 15 codes?) Assuming, of course, that you could actually find someone using this POS as an alarm, and assuming you wouldn't just stomp it into the ground when it went off.
FWIW, TFA may have had problems learning the code because his learning remote was too modern and was attempting to decode a known frame format, and the alarm remote was just a cheap stupid transistor thingy, even cheaper than the Quantum piece of shit. The learning remote from the '80s just watched the blinkenlights and copied them directly.
Home "security systems" like those installed by ADT and Comcast are not actually meant to be secure, they're just meant to make home owners feel better. Actual security systems (which I work with) are fairly intrusive into one's day to day life and are VERY expensive to install, configure and maintain correctly. Think $5,000-$30,000 to do a basic install with decent quality hardware/software.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Can we add 3D printing and "maker" somehow to this story?
They could go through all this trouble to try and capture your code, defeat your security system.. Or, they could go to one of the other hundreds of thousands of houses in the country that have no security system whatsoever. You want to keep a burglar at bay? Get a dog with a mean sounding bark.
no real security system uses a frickin IR remote control.
There is a fancy new technology called "radio" that they use.
That can also be jammed, but not typically spoofed to allow disarm.
He used the wrong universal remote. Rather than saying "a learning remote doesn't seem to learn the signal" he should have said "the one cheap learning remote with limited capabilities that I tested doesn't seem to learn the signal."
If you use a capable, programmable remote that can capture very long strings of signals across very wide frequency bands (like my trusty old Pronto TSU-7000), it could work as well (or maybe even better) than that toy.
Of course, since the toy is a far, far cheaper solution, use that.
Cheap universal remotes have limited frequency bands and can only manage to capture and send short signals (discrete keys, say, instead of macros).
Good (and expensive, of course) universal remotes do not have these limits and would work fine.
The writer erroneously made a definitive statement based on a single data point.
yea but think about all those systems that use apps to control them from anywhere. what happens when someone finds a way to make those unsecure?
It is a big deal because unlike a universal remote, security systems are supposed to be, well, secure. You shouldn't be able to hack a security system with a 20$ toy.
Yeah, a $5 wrench should be sufficient for most homes.
Even if it's limited: the article said the alarm system's frequency is identical to the one used by remote controls and only an empty carrier is sent. (So neither keys nor macros.)
bickerdyke
This is not new technology at all. LIRC and USB MCE compatible receiver with a blaster could do this for a long time. Someone is looking for click bait.
It is a big deal because unlike a universal remote, security systems are supposed to be, well, secure. You shouldn't be able to hack a security system with a 20$ toy.
Just like you shouldn't be able to purchase a child's walkie-talkie from Wal-Mart and use it to eavesdrop on cordless handsets. But you can.
Article is nothing but FUD.
But this is kind of like hacking a door lock with a crowbar.
It's more like hacking a door lock by twisting it 45 degrees clockwise and then pushing.
Your best defense against burglary isn't cops, dogs, or security systems.
Your best defense against burglary is availability of meaningful, good paying work in your geographic area.
That's why the 1% clump together in gated communities or live far away from everybody else. Because they know cops, dogs and security systems are mostly just security theater, and the best way to be truly secure in your belongings is to stay far away from the hungry and unemployed.
Used by which remote controls? Many cheaper universals can send only on the frequencies that are the most commonly used and cover about 95% of consumer IR devices, but it's not at all rare to find an IR remote-controlled device that operates a little outside those common bands, especially from smaller or newer manufacturers, and those universal remotes won't work with those devices. While a better (and more expensive) universal remote does. I have run into that myself, personally, with some obscure branded devices. A cheap universal I have couldn't learn their signals, while my more capable universal could learn them, as well as upload the hex codes for those IR signals to my computer for duplication on other capable remotes.
And "keys versus macros" was simply an example of signal length and complexity. Cheap remotes often only handle short, simple sequences while more capable remotes can handle longer and more complex signals, including pauses. Not that you need specific signals for this application... just an open keyline.
So, the problem is simply that the IR signal involved is outside of the receive/transmit band of the specific universal remote he used. But that does not mean it is outside the receive/transmit band of every universal remote ever made, which the writer implies. The writer made an expansive, definitive statement based on a single example. If, by chance, the writer had used a better remote he might have made an expansive, definitive statement that universal remotes do work for this, and been equally wrong. Because some can work, and some cannot.
If your "security" system cost $8 like the one they hacked, you probably got what you paid for. I doubt that anyone is using this kind of thing to secure anything of importance.
This. You don't pay AU$8 for a security system to guard your Picassos or Tang dynasty Chinese vases. You pay AU$8 for a security system that does nothing more than make a noise when an unsuspecting person enters an area. It's not going to stop someone who is determined to steal from you.
This article is ... on so many levels it is ridiculous.
I don't know how much an Arduino costs these days, but he's now spent a considerable amount of money to duplicate the function of a device he can get online for $4 (there are two remotes in the package).
The people that this alarm system is intended to foil aren't going to case the site long enough to determine that an alarm is in use and that it is brand X with a remote that can be bypassed by spending $20 for an IR learning toy. They're going to walk into the area being protected and hear the alarm going off. If the owner is in the vicinity and hears it, he'll call the cops and the device has been successful. If he's not, well, it wasn't. I don't think many people are stupid enough to think that a noisemaker will stop someone who doesn't care if there is a noise. Like I said, nobody is relying on a AU$8 alarm to protect a Picasso. They might spend that much to get a notice when one of the kids is raiding the fridge, though. Or a 'coon is on the back porch. I doubt a 'coon has the skill to defeat this thing, although I don't know how smart Aussie 'coons are.
From the other side, I would say that you are wrong. I have known several burglars, and all of them agree that home security systems are effective. If they see a house has an alarm, they simply move to the next house.
Home security systems are like door locks. They are useless keeping out someone determined, but are pretty effective at making your house more bother than it is worth for a burglary.
Home security systems don't need better remotes because most people don't use ir remotes to access their home security systems, and most burglars don't 'case' houses before robbing them.
"Plugging in values, we get the frequency of 38.52khz.
Wait a minute. Don't many infrared receivers use 38khz as a carrier wave? Yep, they do. But in signals sent by your TV, this carrier wave is sent in a discrete number of pulses with well timed on and off periods. The alarm for this security system just sends the carrier wave on."
Is that .5kHz deviation large enough to be not recognized by the remote anymore? It can't be the code/pattern as there isn't one.
bickerdyke
No it's like hacking a door lock by getting the key, making a copy and opening the door. People get paid for articles like that??
What is accepted as a technical article these days astounds me.
Possibly, but I think the more likely issue is that the remote in question is balking at sending a continuous stream of all zeros.
yea but think about all those systems that use apps to control them from anywhere. what happens when someone finds a way to make those unsecure?
Yes, think about it, but not in here because it has very little to do with an $8 IR-controlled toy.
(Toy in this case referring to the "security system" not the "toy" used to defeat it)
I'm not surprised by what you say, it sounds reasonable. The signs then are just as effective as actually having the system. Working in the security industry I've recognized a couple of houses in our neighborhood that show security system signs for companies that either don't exist or which only exist in other states.
Those aren't actually security systems, then. They're deterrent systems.
Unlocked with a 20$ 'toy'.. While the 'security system' "can be bought on E-Bay for $7.80 AU". The real toy here is the alleged security system. If you expect a 7.80$ system to add any protection to your house, you're a moron and deserve to be burgled, imho.
My downstairs apartment neighbor has a dog. Always barks when I'm going up or down the stairs, sometimes before.
I used to live in a house with a driveway that was right next to my neighbor's, separated only by a low fence and a few feet of grass. The dog was usually outside, and considered my driveway to be part of his territory, so he'd bark if I went out to the car or drove up and got out of it.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It's not much different from one of those TV-B-Gone remote controls that turn off TVs, except they're programmed to run through all the common TV shutoff codes and he figured out which one he needed for his particular device. (They're basically just a microcontroller, IR LED, battery, and switch.)
As far as "there's an app for that" goes, most of the TV remote control apps I've seen cost a few dollars, just because they can, and because Apple encourages you to charge money to use their app store.
Bill Stewart
Hate to break it to you, but the tools to break any sort of lock or key system (non-software) are typically extremely cheap.
Mag-strip duplication can be done with $20~ of equipment, most locks can be picked with pennies worth of equipment, many safes with a $20 stethoscope, and almost every RF or IR-based security/garage door system could be hacked with under $20 of electronics parts.
It is a big deal because unlike a universal remote, security systems are supposed to be, well, secure. You shouldn't be able to hack a security system with a 20$ toy.
The article is about hacking an $8 security system! I don't think anybody is going to purchase it thinking it's going to protect them against hackers with sophisticated reverse engineering knowledge.
That's been discussed a lot on here in the past.
One in particular that I remember was about a laptop locking cable that you could unlock with a pen in just a few seconds.
If a criminal wants a laptop, and sees 3 sitting around. No one is at them, and he has a few moments of no one looking. One is on a desk with the easily defeated cable. One is on another desk, tied down with a piece of string. The third was just put into a laptop bag, and is on the floor by a chair.
He won't go for the one with the cable. Even if he was prepared and knew exactly how to do it, it is still an obstacle. Even the one in the string requires a little extra time to untie or cut. The one in the bag on the floor is easiest, as he can just pick it up and keep walking.
The only variation on this would be the perceived value. If the one in the bag looked like an antique, he'd disregard it in favor of one that he can sell. If it's the one with the cable, and may get someone's attention by picking the lock, he may just move on to somewhere else.
The same applies to homes. All things equal except for security, the insecure house is the easy target and will get broken into. If the insecure house is a dilapidated hovel, but there is a nicer house that's an easy enough target, he'll go for the nicer one or pick a different neighborhood with better targets.
Serious? Seriousness is well above my pay grade.
Hahaha, disregard that, I suck cocks!
The same scare circulated several years ago about automobile remote keyless entry systems. http://www.snopes.com/autos/techno/lockcode.asp
/steve