How to Hack an ADT Alarm System

Author: Brian Rhodes, Published on Jan 26, 2015

This report explains the key steps in hacking an alarm system, like ADT, as was presented in a Defcon 22 presentation.

The risk of such a hack has become major news as a class action lawsuit was filed against ADT recently, claiming that ADT could be 'easily hacked'.

Summary

According to the Defcon 22 presentation, the most straightforward way to hack / disable an alarm system is to:

  • Find out the frequency the alarm system transmitter uses from publicly available FCC documentation.
  • Get a software defined radio, set it to that frequency to jam it.
  • Periodically, for very short periods of time, stop jamming to overcome / trick anti-jamming functionality in the system.

For those interested in reading the original research, see Logan Lamb's Defcon 22 whitepaper and presentation.

Finding Frequencies

The hack relies on knowing which unencrypted wireless frequencies are used by intrusion alarms.  Specifically, the frequency band used by individual types of sensors and devices. In the US, commercially sold wireless devices are issued licenses by the FCC and the specific frequency they use for communication is public record.

For example, Honeywell's license catalog includes over 300 license applications since late 2011. The record includes frequency information for devices like:

Indeed, even 'proprietary' systems sold to major alarm companies carry public FCC filings, like this ADT keypad and the entire wireless 2GIG catalog.

A quick search of most major alarm companies return records, including

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

  • UTC (GE, Tyco, ADT) (310.0 MHz to ~990 MHz)
  • Vivint (~905.0 MHz)
  • Napco (~319.0 MHz - 320.0 MHz )
  • Sensormatic (~550.0 MHz - 927.25 MHz)

See the full list of companies with FCC applications on file here.

To exploit this weakness, the main challenge is knowing which system / transceiver the site being targeted uses. This would be easiest for inside jobs, but possibly quite hard going after a facility one has never been in. In any case, prominently displaying window stickers or yard signs could actually assist a hacker into zeroing in on a specific range of frequencies:

Software Defined Radio

The equipment needed to search out, monitor, and jam these frequencies are commonly classified as 'SDRs' or 'Software Defined Radios' and are widely available. The primary function of these devices is to scan a range of radio bandwidth for activity on known frequencies. Using USB connected scanner cards and laptops, an entire spectrum of wireless traffic is visable:

The specific type of SDR demoed in the Defcon hack is profiled in the video clip below:

Once wireless alarm activity is observed, exploiting it is straightforward. For example, this Vivint Motion Detector is shown to operate at 345.0 MHz. Disrupting normal communication with the wireless control panel requires overpowering or jamming alarm signal from that sensor using the same setup.  

Overcoming Anti-Jam Protection

Some alarm systems are equipped with anti-jamming features that monitor for this tactic. The cyber-researchers found that if the jamming is turned off for a fraction of a second, and right back on that it would still stop the system from triggering its anti-jam alert while still blocking real alerts from being sent when an intrusion occurs. In general, panel RF Jamming features must be enabled by the installer.

For example, the researchers defeated Honeywell's protection by running a jam for 20 seconds, turning it off for one second, then rerunning the jamming routine. (See Defcon Whitepaper Section 4.3.2) This process effectively defeated the panel's anti-jamming protection. Another exploit for 2GIG/Vivint panels modified the process by turning the jam on for 50 seconds, but turning it off for 0.2 seconds.

The specific parameters of an anti-jam process vary according to panel type, but researchers found the protection could be defeated with trial and error in test systems.

Not a Cheap Hack

The equipment cyber-researchers used to pull off the exploits are quite expensive. The pricing for the requisite SDR with ample power ranges between $1000 and $4000 USD, and require a high level of technical experience to deploy effectively. 

The Defcon researcher reported his setup cost more than $2000, a cost that will certainly be out of reach or tolerance for many 'smash & grab' criminals.

While SDRs are easy to get and inexpensively available online, like this $15 example from Amazon, their effectiveness has not been evaluated. The whitepaper only reflects results achieved by using moderately expensive, professional gear.

Other Advanced but More Complex Exploits

The equipment and basic process of this exploit can be modified into other methods for tricking alarm systems. For example, the basic jamming attack might also be used to spoof the (non-alarming) presence of supervised alarm sensors if exact device details are known. However, such an attack would likely require significant time investment not typical of random 'smash and grab' robberies. These are explained in more detail in Logan Lamb's Defcon 22 whitepaper.

2 reports cite this report:

Bosch Intrusion Detection Profile on Aug 10, 2016
This is a first in a new IPVM series profiling intrusion detection / alarm offerings. In this series, starting with Bosch, we examine: Key...
ADI Scare Tactics Against DIY Security on Nov 27, 2015
ADI wants you to buy alarm system parts from them, not those kits on the Internet. Leveraging scare tactics, they have made an unsurprisingly...

Comments (1)

Only IPVM PRO Members may comment. Login or Join.

Great article, we do our best to stay away from wireless alarm devices. However, when we do use them we use spread spectrum, 2 way wireless.

Related Reports on Wireless

Glass Doors and Access Control Tutorial on Feb 22, 2017
The biggest challenge for many access control systems are glass doors. Here's what happens when a maglock is improperly installed to an existing...
Directory of Alarm Panel Manufacturers on Feb 16, 2017
Alarm panels are the central controller of intrusion systems. The following is a list of manufacturers of alarm panels. This directory only covers...
Alarm Panels - Canned vs Integrated on Feb 07, 2017
Alarm control panels generally come in one of two types: Integrated alarm controllers, with controls and the keypad in the same...
Tyco DSC PowerSeries Neo Intrusion Tested on Jan 30, 2017
Tyco's intrusion system line, DSC, is one of the most widely installed brands. Their primary intrusion panel series, PowerSeries Neo, is...
Startup Targets Rapid Deployment Cameras on Jan 27, 2017
Easy to deploy "wire free" cameras have been a goal of the security industry for some time. Manufacturers, such as Micropower, have tried, and...
2Gig Expands Into Commercial Intrusion With Vario on Jan 23, 2017
2GIG, an alarm product manufacturer best known for their wireless products, has introduced a new line of wired panels aimed at the commercial...
IP Networking Course January 2017 on Jan 12, 2017
This is the only networking course designed specifically for video surveillance professionals plus it includes live training, personal help and...
Honeywell Ademco Vista Intrusion System Tested on Jan 11, 2017
One of the biggest brands in security holds one of the most common intrusion lines. We bought and tested a Honeywell Vista 15P intrusion...
10 Key Comparison Metrics For Intrusion Panels on Jan 10, 2017
In this note, IPVM reviews fundamental features and attributes for evaluating and comparing intrusion alarm panels.  These criteria are: Number...
Ubiquiti $99 Mesh Node Challenges Wireless Competitors on Jan 05, 2017
Ubiqiuti has become a significant force in wireless video surveillance applications but they have never done mesh. Historically, mesh has been...

Most Recent Industry Reports

Uniview (UNV) IP Cameras Tested on Feb 22, 2017
"We're #3," in China says Uniview (UNV). While the company significantly trails Hikvision and Dahua in total sales, one notable difference is that...
Glass Doors and Access Control Tutorial on Feb 22, 2017
The biggest challenge for many access control systems are glass doors. Here's what happens when a maglock is improperly installed to an existing...
Exacq Favorability Results on Feb 22, 2017
For years, Exacq has been one of the most frequently favored VMSes in IPVM integrator statistics (e.g., see Favorite VMS Manufacturers...
The Hot RMR Company - Electric Guard Dog on Feb 22, 2017
The financiers at the Barnes Buchanan conference praised a company named 'Electric Guard Dog'. While the name sounds fairly low tech, the money and...
Hikvision Leads Multi-Manufacturer Sales Promo on Feb 21, 2017
Earlier this month, Hikvision launched new 'super value' kits, with 40% discounts, and now Hikvision is offering another promo, but this time they...
Washington DC MPD's Surveillance Equipment on Feb 21, 2017
The Washington DC Metropolitan Police Department's surveillance system was hacked in January 2017. Two immediate questions were: Whose...
Hikvision Ezviz Mini 360 Plus - $80 Autotracking Camera Tested on Feb 21, 2017
Autotracking, integrated IR, local storage, full HD, cloud access: $80. That is the claim of Hikvision EZVIZ's new Mini 360 Plus. But for this...
Lenel Improving Customer Support on Feb 21, 2017
Lenel has faced significant criticism recently (see Lenel Partners Angry, Lenel Does Not Care, Worst Access Control 2016, Lenel Favorability...
'Dirty': Hikvision Attacks Genetec on Feb 20, 2017
Hikvision is angry at the growing public awareness that Hikvision is owned by the Chinese government. They took aim at Genetec,...
Directory of Alarm Company Brokers on Feb 20, 2017
Selling an RMR based business, such as alarm company, can be highly profitable, with acquisition prices of 36 to 48x RMR (equivalent to 3 to 4x...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact