Hacking Connected Home Alarm Systems – The Cheap [Part 1]

TL;DR: We were wondering whether price affects the security of IoT appliances, so we verified the security of two differently priced connected home alarm systems. Both IoT alarms are marketed as an easy solution to protect your home. Unfortunately, we found this not to be the case, as we identified multiple critical vulnerabilities in both systems. This blog post discusses the results of hacking the cheap alarm system. A follow-up post will give details on the expensive alarm system.

This blog post discusses some critical vulnerabilities which could allow attackers to disable both alarm systems remotely. Given the security-critical nature of the appliances, we decided not to mention exploitation details or specific devices and to focus on the bigger picture: which security vulnerabilities were identified, and can they be fixed? All vulnerabilities were disclosed to the vendors.

Does price affect the security of IoT appliances?

To find an answer to this question, we bought one cheap and one expensive IoT home alarm system. Why alarm systems? Because they are security critical systems. We install them at home to protect us against burglars. We trust our safety to these devices, so we expect top notch security regardless of price.

In terms of price, both devices are actually still quite cheap compared to professional grade systems. The cheap one was acquired from an overseas web shop. The alarm system and the sensors that are required to secure your entire home will cost around 200€. The expensive one was bought from a reputable European web shop. Securing an entire home would cost three times as much, around 600€.

Both devices are shown in the picture below. Both alarm systems consist of a couple of intrusion detection sensors that you install around your house and an alarm hub that you connect to your home WiFi network. You control the alarm hub either via a remote or via the mobile application. Both the mobile application and the alarm hub communicate with the vendor’s cloud infrastructure. If a burglar enters your house, a sensor trips and sends a message to the hub, which relays it to the vendor’s cloud infrastructure, which in turn relays it to the mobile application.

(Picture) The tested IoT alarm systems: the expensive one (left) and the cheap one (right). The cardboard box was put around the alarm systems to make them less obviously recognisable.

Real life attack scenarios

Whether price affects the security of IoT appliances can’t really be answered by comparing just two appliances. What we can say, however, is that we found numerous critical vulnerabilities in both devices.

This blog post will show you a couple of realistic attack scenarios that target the cheap alarm system.

Attack 1 – Jamming of sensor communication

I think we can all agree that the most basic functionality of an alarm system is that the alarm makes a lot of noise when a burglar trips a sensor. Unfortunately, the cheap alarm system is vulnerable to a jamming attack.

During a jamming attack an attacker will make a lot of noise on a wireless communication channel in an attempt to make it impossible for the receiver of the signal to properly understand it. A simple analogy would be two people in a club where loud music is playing. They will have a difficult time understanding each other due to the loud music.

The video below shows how jamming can render the alarm system useless. Note that the jammer we used in this video is a very small jammer that does not make a lot of noise. For it to be effective, we had to place it very close to the receiver. In a real-life attack scenario an attacker would buy a bigger jammer that is capable of jamming communication over long ranges and on multiple communication channels at once. Note that these can be bought online for a couple of hundred euros!

(Video) Jamming demonstration against the cheap alarm system.

Attack 2 – The key under the doormat attack

(Picture) You might as well hide your key under the doormat…

All communication between the cheap alarm system’s hub and the mobile application goes over your home network whenever the mobile application resides on the same network as the hub. All commands that are sent towards the hub are sent in cleartext, without authentication, and are the same for every alarm hub. As a result, all an attacker has to do to disarm the cheap alarm system is send a well-crafted TCP packet to the alarm hub.

To make matters even worse, the cheap alarm system hosts a WiFi hotspot that is used by the mobile application during the initial setup. This hotspot is never disabled after the setup phase and is protected by a default password!

Attack 3 – Remote alarm takeover

What if an attacker could disarm all alarm systems from the comfort of his chair at home? Well, thanks to an authorization flaw in the cloud infrastructure of the cheap alarm system this nightmare becomes reality. All an attacker needs is an account that is not linked to the alarm system and the ID of the cheap alarm system that he/she wishes to take over. You could even make a tool that allows this to be done easily.

(Picture) The authorization flaw allows attackers to build a tool to take over the cheap alarm system.

The likelihood of this attack being exploited by an attacker depends mainly on how difficult it is for an attacker to guess the ID of the victim’s alarm system. We only bought one alarm system, so we can’t tell for sure, but we expect the IDs to be incremental and thus easily guessable.

What can be done

The good news is that the vulnerabilities discussed above can be fixed and prevented. There are ways to detect and respond to jamming attacks. For example, in this particular case the sensors could send heartbeat messages to the alarm hub; during an actual jamming attack the hub would no longer receive the heartbeats and could raise the alarm.
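As an added illustration of the heartbeat idea (example code, not the vendor's firmware), the monitor below assumes each sensor sends a heartbeat every 30 seconds and tolerates three missed beats before alarming; it also separates "one sensor silent" (probably a dead battery) from "every sensor silent at once" (probably jamming). The sensor names and the timeline are constructed.

```python
"""Hub-side heartbeat monitor that detects silenced sensors (assumed design,
not the vendor's): every sensor sends a heartbeat every HEARTBEAT_S seconds,
the hub records when it last heard each sensor and alarms once a sensor has
been silent for more than MAX_MISSED intervals. When every sensor falls silent
in the same window, jamming is more likely than a dead battery."""
from dataclasses import dataclass, field

HEARTBEAT_S = 30.0  # assumed heartbeat interval in seconds
MAX_MISSED = 3      # consecutive missed beats tolerated before alarming


@dataclass
class HeartbeatMonitor:
    sensors: list
    last_seen: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Every sensor is assumed to have checked in at t=0 (arming time).
        for sensor in self.sensors:
            self.last_seen[sensor] = 0.0

    def heartbeat(self, sensor: str, now: float) -> None:
        """Record a heartbeat received from a known sensor at time `now`."""
        if sensor in self.last_seen:
            self.last_seen[sensor] = now

    def silent_sensors(self, now: float) -> list:
        """Sensors silent for longer than MAX_MISSED heartbeat intervals."""
        limit = HEARTBEAT_S * MAX_MISSED
        return sorted(s for s, t in self.last_seen.items() if now - t > limit)

    def check(self, now: float) -> str:
        """'ok', 'sensor_fault' (some silent) or 'jamming_suspected' (all)."""
        silent = self.silent_sensors(now)
        if not silent:
            return "ok"
        if len(silent) == len(self.last_seen):
            return "jamming_suspected"
        return "sensor_fault"


def simulate_jamming() -> tuple:
    """Constructed timeline: normal beats at t=30..120, then jamming starts."""
    monitor = HeartbeatMonitor(["door", "window", "pir"])
    for t in (30.0, 60.0, 90.0, 120.0):
        for sensor in monitor.sensors:
            monitor.heartbeat(sensor, t)
    # One missed beat (t=150) is tolerated; by t=215 all have missed 3+ beats.
    return monitor.check(150.0), monitor.check(215.0)
```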

The local alarm takeover can be fixed by making sure that the WiFi hotspot is disabled after the initial setup and that all local communication is encrypted and properly authenticated.

The remote alarm takeover can be fixed by increasing the complexity of the device identifiers and by using a device pairing mechanism that has to be initiated and managed from the hub. Additionally, the hub could display a code during pairing that has to be entered by the mobile application.
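To show what "initiated from the hub" and "properly authenticated" can look like in practice, here is an added example (not the vendor's protocol) in which the hub displays a pairing code, both sides derive a shared key from it, and every local command carries a counter and an HMAC so that unauthenticated or replayed packets are refused. The hub ID, command names and packet layout are assumptions.

```python
"""Authenticated local commands built on a hub-initiated pairing code (added
example, not the vendor's protocol): the hub shows a one-time code, the app
enters it, both derive a per-hub key with PBKDF2, and every command carries a
monotonic counter plus an HMAC, so cleartext and replayed commands are refused.
Encryption is omitted for brevity; a short code only resists online guessing."""
import hashlib
import hmac
import secrets

def derive_key(pairing_code: str, hub_id: str) -> bytes:
    # PBKDF2 slows brute force of the short code; the hub ID acts as salt so
    # two hubs that happen to show the same code still get different keys.
    return hashlib.pbkdf2_hmac("sha256", pairing_code.encode(), hub_id.encode(), 100_000)

def sign_command(key: bytes, counter: int, command: str) -> bytes:
    """App side: counter || command || HMAC-SHA256(key, counter || command)."""
    msg = counter.to_bytes(8, "big") + command.encode()
    return msg + hmac.new(key, msg, "sha256").digest()

class Hub:
    def __init__(self, hub_id: str) -> None:
        self.hub_id = hub_id
        self.key = None          # nothing is accepted until pairing is done
        self.last_counter = -1   # highest counter seen, for replay rejection
        self.armed = True

    def start_pairing(self) -> str:
        """Hub-initiated pairing: generate and display a 6-digit code."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.key = derive_key(code, self.hub_id)
        return code

    def handle(self, packet: bytes) -> str:
        """Return 'unpaired', 'bad_mac', 'replay' or 'accepted'."""
        if self.key is None:
            return "unpaired"
        if len(packet) < 8 + 32:
            return "bad_mac"
        msg, tag = packet[:-32], packet[-32:]
        if not hmac.compare_digest(hmac.new(self.key, msg, "sha256").digest(), tag):
            return "bad_mac"  # constant-time compare above
        counter = int.from_bytes(msg[:8], "big")
        if counter <= self.last_counter:
            return "replay"
        self.last_counter = counter
        command = msg[8:].decode()
        if command in ("arm", "disarm"):
            self.armed = command == "arm"
        return "accepted"
```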

Last but not least, the cheap alarm system includes the functionality to update its firmware! So fixing these issues should be easy… right?

Responsible disclosure

We tried contacting the vendor of the cheap appliance back in August 2017, when we initially discovered the findings (over a year ago). However, our efforts to contact the vendor were without much success, and we never got access to a technical team (even after sharing the severity of our findings). The alarm system covered in this blog post is – as far as we know – only being sold on cheap overseas web shops. In addition, it’s sold under many different brands which makes it very difficult to contact somebody that can fix these issues.

What’s next

In a follow-up blog post, we will discuss the security of the more expensive alarm system and see if price actually does affect the security of the connected home alarm systems we reviewed! Stay tuned!
