How to Hack an ADT Alarm System

By: Brian Rhodes, Published on Jan 26, 2015

This report explains the key steps in hacking an alarm system, like ADT, as was presented in a Defcon 22 presentation.

The risk of such a hack has become major news as a class action lawsuit was filed against ADT recently, claiming that ADT could be 'easily hacked'.

Summary

According to the Defcon 22 presentation, the most straightforward way to hack / disable an alarm system is to:

  • Find out the frequency the alarm system transmitter uses from publicly available FCC documentation.
  • Get a software defined radio, set it to that frequency to jam it.
  • Periodically, for very short periods of time, stop jamming to overcome / trick anti-jamming functionality in the system.

For those interested in reading the original research, see Logan Lamb's Defcon 22 whitepaper [link no longer available] and presentation [link no longer available].

Finding Frequencies

The hack relies on knowing which unencrypted wireless frequencies are used by intrusion alarms.  Specifically, the frequency band used by individual types of sensors and devices. In the US, commercially sold wireless devices are issued licenses by the FCC and the specific frequency they use for communication is public record.

For example, Honeywell's license catalog [link no longer available] includes over 300 license applications since late 2011. The record includes frequency information for devices like:

  • Ademco Panel (~433.92 MHz)
  • Tuxedo Touch Panel [link no longer available] (WiFi: 2412.0 - 2462.0 MHz)
  • Various Motion Sensors (~310 Mhz - 350 MHz) (eg: PIR1 [link no longer available], PIR2 [link no longer available])
  • Keypads [link no longer available] (344.94 MHz)
  • Door and Window Sensors [link no longer available] (315.0 MHz)

Indeed, even 'proprietary' systems sold to major alarm companies carry public FCC filings, like this ADT keypad [link no longer available] and the entire wireless 2GIG catalog [link no longer available].

A quick search of most major alarm companies return records, including

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

  • UTC (GE, Tyco, ADT) (310.0 MHz to ~990 MHz)
  • Vivint [link no longer available] (~905.0 MHz)
  • Napco [link no longer available] (~319.0 MHz - 320.0 MHz )
  • Sensormatic [link no longer available] (~550.0 MHz - 927.25 MHz)

See the full list of companies [link no longer available] with FCC applications on file here.

To exploit this weakness, the main challenge is knowing which system / transceiver the site being targeted uses. This would be easiest for inside jobs, but possibly quite hard going after a facility one has never been in. In any case, prominently displaying window stickers or yard signs could actually assist a hacker into zeroing in on a specific range of frequencies:

Software Defined Radio

The equipment needed to search out, monitor, and jam these frequencies are commonly classified as 'SDRs' or 'Software Defined Radios [link no longer available]' and are widely available. The primary function of these devices is to scan a range of radio bandwidth for activity on known frequencies. Using USB connected scanner cards and laptops, an entire spectrum of wireless traffic is visable:

The specific type of SDR demoed in the Defcon hack is profiled in the video clip below:

Once wireless alarm activity is observed, exploiting it is straightforward. For example, this Vivint Motion Detector [link no longer available] is shown to operate at 345.0 MHz. Disrupting normal communication with the wireless control panel requires overpowering or jamming alarm signal from that sensor using the same setup.  

Overcoming Anti-Jam Protection

Some alarm systems are equipped with anti-jamming features that monitor for this tactic. The cyber-researchers found that if the jamming is turned off for a fraction of a second, and right back on that it would still stop the system from triggering its anti-jam alert while still blocking real alerts from being sent when an intrusion occurs. In general, panel RF Jamming features must be enabled by the installer.

For example, the researchers defeated Honeywell's protection by running a jam for 20 seconds, turning it off for one second, then rerunning the jamming routine. (See Defcon Whitepaper Section 4.3.2 [link no longer available]) This process effectively defeated the panel's anti-jamming protection. Another exploit for 2GIG/Vivint panels modified the process by turning the jam on for 50 seconds, but turning it off for 0.2 seconds.

The specific parameters of an anti-jam process vary according to panel type, but researchers found the protection could be defeated with trial and error in test systems.

Not a Cheap Hack

The equipment cyber-researchers used to pull off the exploits are quite expensive. The pricing for the requisite SDR with ample power ranges between $1000 and $4000 USD, and require a high level of technical experience to deploy effectively. 

The Defcon researcher reported his setup cost more than $2000, a cost that will certainly be out of reach or tolerance for many 'smash & grab' criminals.

While SDRs are easy to get and inexpensively available online, like this $15 example from Amazon, their effectiveness has not been evaluated. The whitepaper only reflects results achieved by using moderately expensive, professional gear.

Other Advanced but More Complex Exploits

9 reports cite this report:

Nortek Security CEO Out, Company Pivoting on May 28, 2019
Nortek Security's CEO, Michael O'Neal is out, after 8 years leading the company, in what Nortek described to IPVM as them having 'pivoted strongly...
European Startup Ajax Profile - They "Stand Against Evil" on Jan 03, 2019
European intrusion detection startup Ajax Systems proclaims: How are they standing against evil? And what are the differentiators and potential...
Simplisafe 'All New' Generation 3 Tested on Feb 08, 2018
Feared by the traditional alarm industry, Simplisafe has launched its 'all new' Generation 3 platform that they declare is "Stronger. Faster....
Testing DMP XTLPlus / Virtual Keypad Vs Alarm.com & Honeywell on Dec 13, 2017
DMP has a strong presence in commercial intrusion alarms, but not in residential. However, the company's XTLPLus wireless combo panel and Virtual...
Wireless Burglar Alarm Sensors Guide on Jul 21, 2017
Wireless sensors for burglar alarm sensors are an increasingly common option for the historical labor intensive wired alarm systems. However,...
2Gig Intrusion Megatest (GC2 & GC3 Panels Tested) on Mar 28, 2017
2Gig is one of the most widely used intrusion systems, with two product lines that are the main offering of many alarm companies, huge national...
DMP Intrusion Tested (XR Series) on Mar 09, 2017
DMP is a major provider of intrusion systems, but lacks the global brand recognition of some of its rivals (such as Bosch, Honeywell, DSC, or...
Bosch Intrusion Detection Profile on Aug 10, 2016
This is a first in a new IPVM series profiling intrusion detection / alarm offerings. In this series, starting with Bosch, we examine: Key...
ADI Scare Tactics Against DIY Security on Nov 27, 2015
ADI wants you to buy alarm system parts from them, not those kits on the Internet. Leveraging scare tactics, they have made an unsurprisingly...

Comments (3)

Only IPVM Members may comment. Login or Join.

Great article, we do our best to stay away from wireless alarm devices. However, when we do use them we use spread spectrum, 2 way wireless.

May I ask what specific products you use?

This was an old post! We actually do a lot of wireless now and we use DMP. Both residential and commercial including commercial fire alarm with DMP wireless.

Related Reports

Last Chance - Register Now - October 2019 IP Networking Course on Oct 10, 2019
Last Chance - Register Now - Fall 2019 IP Networking Course. The course starts next week. This is the only networking course designed...
Dahua Intercom Tested on Feb 07, 2019
Video intercoms are a growing market with video surveillance manufacturers expanding into this niche. IPVM is continuing its series of video...
Camera Disruptor Wyze Enters Sensor / Security Market on Mar 28, 2019
Wyze, the company that has disrupted consumer IP cameras, combining American marketing and Chinese manufacturer, has just announced its expansion...
Amazon Marketing Pro Installs of Amazon Security Systems on Apr 25, 2019
Is Amazon a threat to conventional providers like ADT, Vivint and Brinks Home Security? Many say no. Now, Amazon is advertising free in-home...
Manufacturer Favorability Guide 2019 on Jun 12, 2019
The 259 page PDF guide may be downloaded inside by all IPVM members. It includes our manufacturer favorability rankings and individual...
Risk of Amazon Alexa Guard: No Battery Or Cell Backup on Jun 20, 2019
Amazon positions its Alexa Guard Service as a "smart home security system" and says it can help you "keep your home safe". However, the...
Siklu $400 Compact 60GHz Radio on Jul 24, 2019
Siklu first entered the video surveillance market with a $6,000 per link solution, is now aiming down market with their newest 60GHz wireless...
Alarm.com Suffers Outage on Jul 26, 2019
Alarm.com suffered a major outage this week, impacting its 5+ million customers. Inside, we examine what happened, what Alarm.com told IPVM and...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Verkada Notification Outage on Dec 12, 2019
Verkada is suffering an event notification outage and analytic search failures. Inside, we examine what the issues are, what Verkada told IPVM...

Most Recent Industry Reports

IronYun AI Analytics Tested on Feb 17, 2020
Taiwan startup IronYun has raised tens of millions for its "mission to be the leading Artificial Intelligence, big data video software as a service...
Access Control ADA and Disability Laws Tutorial on Feb 17, 2020
Safe access control is paramount, especially for those with disabilities. Most countries have codes to mandate safe building access for those...
ISC West 2020 Removes China Pavilion, No Plans To Cancel Or Postpone on Feb 17, 2020
ISC West plans to go on next month, amidst concerns over coronavirus. However, the Asia / China Pavilion has been removed, show organizers...
Hanwha Wisenet X Plus PTRZ Tested on Feb 14, 2020
Hanwha has released their PTRZ camera, the Wisenet X Plus XNV-6081Z, claiming the "modular design allows for easy installation". We bought and...
IPVM Conference 2020 on Feb 13, 2020
IPVM is excited to announce our 2020 conference. This is the first and only industry event that will be 100% sponsor-free. Like IPVM online, the...
Bosch Dropping Dahua on Feb 13, 2020
Bosch has confirmed to IPVM that it is in the process of dropping Dahua, over the next year, as both IP camera contract manufacturer and recorder...
BluB0X Alleges Lenel, S2, Software House Are Dinosaurs on Feb 13, 2020
BluB0X is running an ad campaign labeling Lenel, S2, Software House, Honeywell, AMAG and more as dinosaurs: In a follow-up email to IPVM,...
London Live Police Face Recognition Visited on Feb 13, 2020
London police have officially begun using live facial recognition in select areas of the UK capital, sparking significant controversy. IPVM...
Converged vs Dedicated Networks For Surveillance Tutorial on Feb 12, 2020
Use the existing network or deploy a new one? This is a critical choice in designing video surveillance systems. Though 'convergence' was a big...