How to Hack an ADT Alarm System

Author: Brian Rhodes, Published on Jan 26, 2015

This report explains the key steps in hacking an alarm system, like ADT, as was presented in a Defcon 22 presentation.

The risk of such a hack has become major news as a class action lawsuit was filed against ADT recently, claiming that ADT could be 'easily hacked'.

Summary

According to the Defcon 22 presentation, the most straightforward way to hack / disable an alarm system is to:

  • Find out the frequency the alarm system transmitter uses from publicly available FCC documentation.
  • Get a software defined radio, set it to that frequency to jam it.
  • Periodically, for very short periods of time, stop jamming to overcome / trick anti-jamming functionality in the system.

For those interested in reading the original research, see Logan Lamb's Defcon 22 whitepaper and presentation.

Finding Frequencies

The hack relies on knowing which unencrypted wireless frequencies are used by intrusion alarms.  Specifically, the frequency band used by individual types of sensors and devices. In the US, commercially sold wireless devices are issued licenses by the FCC and the specific frequency they use for communication is public record.

For example, Honeywell's license catalog includes over 300 license applications since late 2011. The record includes frequency information for devices like:

Indeed, even 'proprietary' systems sold to major alarm companies carry public FCC filings, like this ADT keypad and the entire wireless 2GIG catalog.

A quick search of most major alarm companies return records, including

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

  • UTC (GE, Tyco, ADT) (310.0 MHz to ~990 MHz)
  • Vivint (~905.0 MHz)
  • Napco (~319.0 MHz - 320.0 MHz )
  • Sensormatic (~550.0 MHz - 927.25 MHz)

See the full list of companies with FCC applications on file here.

To exploit this weakness, the main challenge is knowing which system / transceiver the site being targeted uses. This would be easiest for inside jobs, but possibly quite hard going after a facility one has never been in. In any case, prominently displaying window stickers or yard signs could actually assist a hacker into zeroing in on a specific range of frequencies:

Software Defined Radio

The equipment needed to search out, monitor, and jam these frequencies are commonly classified as 'SDRs' or 'Software Defined Radios' and are widely available. The primary function of these devices is to scan a range of radio bandwidth for activity on known frequencies. Using USB connected scanner cards and laptops, an entire spectrum of wireless traffic is visable:

The specific type of SDR demoed in the Defcon hack is profiled in the video clip below:

Once wireless alarm activity is observed, exploiting it is straightforward. For example, this Vivint Motion Detector is shown to operate at 345.0 MHz. Disrupting normal communication with the wireless control panel requires overpowering or jamming alarm signal from that sensor using the same setup.  

Overcoming Anti-Jam Protection

Some alarm systems are equipped with anti-jamming features that monitor for this tactic. The cyber-researchers found that if the jamming is turned off for a fraction of a second, and right back on that it would still stop the system from triggering its anti-jam alert while still blocking real alerts from being sent when an intrusion occurs. In general, panel RF Jamming features must be enabled by the installer.

For example, the researchers defeated Honeywell's protection by running a jam for 20 seconds, turning it off for one second, then rerunning the jamming routine. (See Defcon Whitepaper Section 4.3.2) This process effectively defeated the panel's anti-jamming protection. Another exploit for 2GIG/Vivint panels modified the process by turning the jam on for 50 seconds, but turning it off for 0.2 seconds.

The specific parameters of an anti-jam process vary according to panel type, but researchers found the protection could be defeated with trial and error in test systems.

Not a Cheap Hack

The equipment cyber-researchers used to pull off the exploits are quite expensive. The pricing for the requisite SDR with ample power ranges between $1000 and $4000 USD, and require a high level of technical experience to deploy effectively. 

The Defcon researcher reported his setup cost more than $2000, a cost that will certainly be out of reach or tolerance for many 'smash & grab' criminals.

While SDRs are easy to get and inexpensively available online, like this $15 example from Amazon, their effectiveness has not been evaluated. The whitepaper only reflects results achieved by using moderately expensive, professional gear.

Other Advanced but More Complex Exploits

The equipment and basic process of this exploit can be modified into other methods for tricking alarm systems. For example, the basic jamming attack might also be used to spoof the (non-alarming) presence of supervised alarm sensors if exact device details are known. However, such an attack would likely require significant time investment not typical of random 'smash and grab' robberies. These are explained in more detail in Logan Lamb's Defcon 22 whitepaper.

7 reports cite this report:

Simplisafe 'All New' Generation 3 Tested on Feb 08, 2018
Feared by the traditional alarm industry, Simplisafe has launched its 'all new' Generation 3 platform that they declare is "Stronger. Faster....
Testing DMP XTLPlus / Virtual Keypad Vs Alarm.com & Honeywell on Dec 13, 2017
DMP has a strong presence in commercial intrusion alarms, but not in residential. However, the company's XTLPLus wireless combo panel and Virtual...
Wireless Burglar Alarm Sensors Guide on Jul 21, 2017
Wireless sensors for burglar alarm sensors are an increasingly common option for the historical labor intensive wired alarm systems. However,...
2Gig Intrusion Megatest (GC2 & GC3 Panels Tested) on Mar 28, 2017
2Gig is one of the most widely used intrusion systems, with two product lines that are the main offering of many alarm companies, huge national...
DMP Intrusion Tested (XR Series) on Mar 09, 2017
DMP is a major provider of intrusion systems, but lacks the global brand recognition of some of its rivals (such as Bosch, Honeywell, DSC, or...
Bosch Intrusion Detection Profile on Aug 10, 2016
This is a first in a new IPVM series profiling intrusion detection / alarm offerings. In this series, starting with Bosch, we examine: Key...
ADI Scare Tactics Against DIY Security on Nov 27, 2015
ADI wants you to buy alarm system parts from them, not those kits on the Internet. Leveraging scare tactics, they have made an unsurprisingly...

Comments (3)

Only IPVM PRO Members may comment. Login or Join.

Great article, we do our best to stay away from wireless alarm devices. However, when we do use them we use spread spectrum, 2 way wireless.

May I ask what specific products you use?

This was an old post! We actually do a lot of wireless now and we use DMP. Both residential and commercial including commercial fire alarm with DMP wireless.

Related Reports on Wireless

VMS Export Shootout - Avigilon, Dahua, Exacq, Genetec, Hikvision, Milestone on Sep 13, 2018
When crimes, accidents or problems occur, exporting video from one's video surveillance system is critical to proving incidents. But who does it...
Ligowave Wireless Profile - Ubiquiti Competitor on Aug 27, 2018
Ubiquiti has become the most common choice for wireless in video surveillance (see Favorite Wireless Manufacturers) but not without controversy and...
Assa Aperio Wireless Access Reader R100 Tested on Aug 23, 2018
Wireless access control is frequently promoted by manufacturers as a way to cut installation costs. Perhaps the biggest proponent of this is mega...
Backboxes for Video Surveillance Tutorial on Aug 15, 2018
Backboxes are a necessity in surveillance, whether for managing cable whips, recessing cameras, adding wireless radios. But it can be confusing to...
Directory of Video Surveillance Startups on Jul 18, 2018
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly known entity...
Amazon Ring Alarm System Tested on Jul 16, 2018
Amazon Ring is going to hurt traditional dealers, and especially ADT, new IPVM test results of Ring's Alarm system underscore. IPVM found that...
July 2018 IP Networking Course on Jul 12, 2018
Registration is closed. This is the only networking course designed specifically for video surveillance professionals.  Lots of network training...
S2 Access Control / 'Unified Security Management' Profile on May 08, 2018
In our 13th access control company profile, we examine S2 Security's Netbox platform: Unified Security Management Platform positioning Core...
IP Network Hardware for Surveillance Guide on May 02, 2018
Video surveillance systems depend on IP networking equipment. In this guide, we explain the key pieces of equipment and features, explaining where...
Favorite Access Control Manufacturers 2018 on Apr 26, 2018
150+ Integrators told IPVM "What is your favorite access control management software/system? Why? Unlike the 2016 access favorites where a group...

Most Recent Industry Reports

Avigilon Announces AI-Powered H5 Camera Development on Sep 19, 2018
Avigilon will be showcasing "next-generation AI" at next week's ASIS GSX. In an atypical move, the company is not actually releasing these...
Favorite Request-to-Exit (RTE) Manufacturers 2018 on Sep 19, 2018
Request To Exit devices like motion sensors and lock releasing push-buttons are a part of almost every access install, but who makes the equipment...
25% China Tariffs Finalized For 2019, 10% Start Now, Includes Select Video Surveillance on Sep 18, 2018
A surprise move: In July, when the most recent tariff round was first announced, the tariffs were only scheduled for 10%. However, now, the US...
Central Stations Face Off Against NFPA On Fire Monitoring on Sep 18, 2018
Central stations are facing off against the NFPA over what they call anti-competitive language in NFPA 72, the standard that covers fire alarms....
Chinese Government Praises Hikvision Following Xi Jinping on Sep 17, 2018
The Chinese government council responsible for managing China's state-owned companies praised Hikvision’s obedience to China’s authoritarian leader...
Amazon Ring Spotlight Cam Tested on Sep 17, 2018
Amazon's Ring has released their latest camera entry, the Spotlight Cam, which we bought and tested in our Consumer IP Camera Analytics...
European Mega Security Firm Verisure Pushing Security Fog on Sep 17, 2018
The European mega security firm Verisure (Securitas Direct), with a reported 2 million customers, is pushing security fog, as shown in this BBC...
IP Camera Cable Labeling Guide on Sep 14, 2018
Labeling cables can save a lot of money and headaches. While it is easy to overlook, taking time to label runs during installation significantly...
Favorite Intercom Manufacturers 2018 on Sep 14, 2018
Intercoms are certainly increasing in popularity, driven by the integration of video and IP networking. But who is the favorite? On the one side,...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact