How to Hack an ADT Alarm System

This report explains the key steps in hacking an alarm system, like ADT, as was presented in a Defcon 22 presentation.

The risk of such a hack has become major news as a class action lawsuit was filed against ADT recently, claiming that ADT could be 'easily hacked'.

Summary

According to the Defcon 22 presentation, the most straightforward way to hack / disable an alarm system is to:

• Find out the frequency the alarm system transmitter uses from publicly available FCC documentation.
• Get a software defined radio, set it to that frequency to jam it.
• Periodically, for very short periods of time, stop jamming to overcome / trick anti-jamming functionality in the system.

For those interested in reading the original research, see Logan Lamb's Defcon 22 whitepaper [link no longer available] and presentation [link no longer available].

Finding Frequencies

The hack relies on knowing which unencrypted wireless frequencies are used by intrusion alarms.  Specifically, the frequency band used by individual types of sensors and devices. In the US, commercially sold wireless devices are issued licenses by the FCC and the specific frequency they use for communication is public record.

For example, Honeywell's license catalog [link no longer available] includes over 300 license applications since late 2011. The record includes frequency information for devices like:

• Ademco Panel (~433.92 MHz)
• Tuxedo Touch Panel [link no longer available] (WiFi: 2412.0 - 2462.0 MHz)
• Various Motion Sensors (~310 Mhz - 350 MHz) (eg: PIR1 [link no longer available], PIR2 [link no longer available])
• Keypads [link no longer available] (344.94 MHz)
• Door and Window Sensors [link no longer available] (315.0 MHz)

Indeed, even 'proprietary' systems sold to major alarm companies carry public FCC filings, like this ADT keypad [link no longer available] and the entire wireless 2GIG catalog [link no longer available].

A quick search of most major alarm companies return records, including

• UTC (GE, Tyco, ADT) (310.0 MHz to ~990 MHz)
• Vivint [link no longer available] (~905.0 MHz)
• Napco [link no longer available] (~319.0 MHz - 320.0 MHz )
• Sensormatic [link no longer available] (~550.0 MHz - 927.25 MHz)

See the full list of companies [link no longer available] with FCC applications on file here.

To exploit this weakness, the main challenge is knowing which system / transceiver the site being targeted uses. This would be easiest for inside jobs, but possibly quite hard going after a facility one has never been in. In any case, prominently displaying window stickers or yard signs could actually assist a hacker into zeroing in on a specific range of frequencies:

Software Defined Radio

The equipment needed to search out, monitor, and jam these frequencies are commonly classified as 'SDRs' or 'Software Defined Radios [link no longer available]' and are widely available. The primary function of these devices is to scan a range of radio bandwidth for activity on known frequencies. Using USB connected scanner cards and laptops, an entire spectrum of wireless traffic is visable:

The specific type of SDR demoed in the Defcon hack is profiled in the video clip below:

Once wireless alarm activity is observed, exploiting it is straightforward. For example, this Vivint Motion Detector [link no longer available] is shown to operate at 345.0 MHz. Disrupting normal communication with the wireless control panel requires overpowering or jamming alarm signal from that sensor using the same setup.  

Overcoming Anti-Jam Protection

Some alarm systems are equipped with anti-jamming features that monitor for this tactic. The cyber-researchers found that if the jamming is turned off for a fraction of a second, and right back on that it would still stop the system from triggering its anti-jam alert while still blocking real alerts from being sent when an intrusion occurs. In general, panel RF Jamming features must be enabled by the installer.

For example, the researchers defeated Honeywell's protection by running a jam for 20 seconds, turning it off for one second, then rerunning the jamming routine. (See Defcon Whitepaper Section 4.3.2 [link no longer available]) This process effectively defeated the panel's anti-jamming protection. Another exploit for 2GIG/Vivint panels modified the process by turning the jam on for 50 seconds, but turning it off for 0.2 seconds.

The specific parameters of an anti-jam process vary according to panel type, but researchers found the protection could be defeated with trial and error in test systems.

Not a Cheap Hack

The equipment cyber-researchers used to pull off the exploits are quite expensive. The pricing for the requisite SDR with ample power ranges between $1000 and $4000 USD, and require a high level of technical experience to deploy effectively. 

The Defcon researcher reported his setup cost more than $2000, a cost that will certainly be out of reach or tolerance for many 'smash & grab' criminals.

While SDRs are easy to get and inexpensively available online, like this $15 example from Amazon, their effectiveness has not been evaluated. The whitepaper only reflects results achieved by using moderately expensive, professional gear.

Other Advanced but More Complex Exploits