How to Hack an ADT Alarm System

By: Brian Rhodes, Published on Jan 26, 2015

This report explains the key steps in hacking an alarm system, like ADT, as was presented in a Defcon 22 presentation.

The risk of such a hack has become major news as a class action lawsuit was filed against ADT recently, claiming that ADT could be 'easily hacked'.

Summary

According to the Defcon 22 presentation, the most straightforward way to hack / disable an alarm system is to:

  • Find out the frequency the alarm system transmitter uses from publicly available FCC documentation.
  • Get a software defined radio, set it to that frequency to jam it.
  • Periodically, for very short periods of time, stop jamming to overcome / trick anti-jamming functionality in the system.

For those interested in reading the original research, see Logan Lamb's Defcon 22 whitepaper [link no longer available] and presentation [link no longer available].

Finding Frequencies

The hack relies on knowing which unencrypted wireless frequencies are used by intrusion alarms.  Specifically, the frequency band used by individual types of sensors and devices. In the US, commercially sold wireless devices are issued licenses by the FCC and the specific frequency they use for communication is public record.

For example, Honeywell's license catalog [link no longer available] includes over 300 license applications since late 2011. The record includes frequency information for devices like:

  • Ademco Panel (~433.92 MHz)
  • Tuxedo Touch Panel [link no longer available] (WiFi: 2412.0 - 2462.0 MHz)
  • Various Motion Sensors (~310 Mhz - 350 MHz) (eg: PIR1 [link no longer available], PIR2 [link no longer available])
  • Keypads [link no longer available] (344.94 MHz)
  • Door and Window Sensors [link no longer available] (315.0 MHz)

Indeed, even 'proprietary' systems sold to major alarm companies carry public FCC filings, like this ADT keypad [link no longer available] and the entire wireless 2GIG catalog [link no longer available].

A quick search of most major alarm companies return records, including

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

  • UTC (GE, Tyco, ADT) (310.0 MHz to ~990 MHz)
  • Vivint [link no longer available] (~905.0 MHz)
  • Napco [link no longer available] (~319.0 MHz - 320.0 MHz )
  • Sensormatic [link no longer available] (~550.0 MHz - 927.25 MHz)

See the full list of companies [link no longer available] with FCC applications on file here.

To exploit this weakness, the main challenge is knowing which system / transceiver the site being targeted uses. This would be easiest for inside jobs, but possibly quite hard going after a facility one has never been in. In any case, prominently displaying window stickers or yard signs could actually assist a hacker into zeroing in on a specific range of frequencies:

Software Defined Radio

The equipment needed to search out, monitor, and jam these frequencies are commonly classified as 'SDRs' or 'Software Defined Radios [link no longer available]' and are widely available. The primary function of these devices is to scan a range of radio bandwidth for activity on known frequencies. Using USB connected scanner cards and laptops, an entire spectrum of wireless traffic is visable:

The specific type of SDR demoed in the Defcon hack is profiled in the video clip below:

Once wireless alarm activity is observed, exploiting it is straightforward. For example, this Vivint Motion Detector [link no longer available] is shown to operate at 345.0 MHz. Disrupting normal communication with the wireless control panel requires overpowering or jamming alarm signal from that sensor using the same setup.  

Overcoming Anti-Jam Protection

Some alarm systems are equipped with anti-jamming features that monitor for this tactic. The cyber-researchers found that if the jamming is turned off for a fraction of a second, and right back on that it would still stop the system from triggering its anti-jam alert while still blocking real alerts from being sent when an intrusion occurs. In general, panel RF Jamming features must be enabled by the installer.

For example, the researchers defeated Honeywell's protection by running a jam for 20 seconds, turning it off for one second, then rerunning the jamming routine. (See Defcon Whitepaper Section 4.3.2 [link no longer available]) This process effectively defeated the panel's anti-jamming protection. Another exploit for 2GIG/Vivint panels modified the process by turning the jam on for 50 seconds, but turning it off for 0.2 seconds.

The specific parameters of an anti-jam process vary according to panel type, but researchers found the protection could be defeated with trial and error in test systems.

Not a Cheap Hack

The equipment cyber-researchers used to pull off the exploits are quite expensive. The pricing for the requisite SDR with ample power ranges between $1000 and $4000 USD, and require a high level of technical experience to deploy effectively. 

The Defcon researcher reported his setup cost more than $2000, a cost that will certainly be out of reach or tolerance for many 'smash & grab' criminals.

While SDRs are easy to get and inexpensively available online, like this $15 example from Amazon, their effectiveness has not been evaluated. The whitepaper only reflects results achieved by using moderately expensive, professional gear.

Other Advanced but More Complex Exploits

9 reports cite this report:

Nortek Security CEO Out, Company Pivoting on May 28, 2019
Nortek Security's CEO, Michael O'Neal is out, after 8 years leading the company, in what Nortek described to IPVM as them having 'pivoted strongly...
European Startup Ajax Profile - They "Stand Against Evil" on Jan 03, 2019
European intrusion detection startup Ajax Systems proclaims: How are they standing against evil? And what are the differentiators and potential...
Simplisafe 'All New' Generation 3 Tested on Feb 08, 2018
Feared by the traditional alarm industry, Simplisafe has launched its 'all new' Generation 3 platform that they declare is "Stronger. Faster....
Testing DMP XTLPlus / Virtual Keypad Vs Alarm.com & Honeywell on Dec 13, 2017
DMP has a strong presence in commercial intrusion alarms, but not in residential. However, the company's XTLPLus wireless combo panel and Virtual...
Wireless Burglar Alarm Sensors Guide on Jul 21, 2017
Wireless sensors for burglar alarm sensors are an increasingly common option for the historical labor intensive wired alarm systems. However,...
2Gig Intrusion Megatest (GC2 & GC3 Panels Tested) on Mar 28, 2017
2Gig is one of the most widely used intrusion systems, with two product lines that are the main offering of many alarm companies, huge national...
DMP Intrusion Tested (XR Series) on Mar 09, 2017
DMP is a major provider of intrusion systems, but lacks the global brand recognition of some of its rivals (such as Bosch, Honeywell, DSC, or...
Bosch Intrusion Detection Profile on Aug 10, 2016
This is a first in a new IPVM series profiling intrusion detection / alarm offerings. In this series, starting with Bosch, we examine: Key...
ADI Scare Tactics Against DIY Security on Nov 27, 2015
ADI wants you to buy alarm system parts from them, not those kits on the Internet. Leveraging scare tactics, they have made an unsurprisingly...

Comments (3)

Only IPVM Members may comment. Login or Join.

Great article, we do our best to stay away from wireless alarm devices. However, when we do use them we use spread spectrum, 2 way wireless.

May I ask what specific products you use?

This was an old post! We actually do a lot of wireless now and we use DMP. Both residential and commercial including commercial fire alarm with DMP wireless.

Related Reports

Duress Codes For Alarms Systems on May 02, 2017
An alarm system can call for help in the event of an attempted break in, but only if it is armed. If an adversary forces an authorized user to...
Burglar Alarm Partitions Guide on May 10, 2017
Many burglar alarm systems have a single designated level of access for users. A user can arm or disarm the entire alarm by entering a single code....
TVT Backdoor Disclosed on Apr 09, 2018
Security researcher Bashis has disclosed a backdoor in TVT video surveillance products, with TVT issuing its own 'Notification of Critical...
Testing DMP XTLPlus / Virtual Keypad Vs Alarm.com & Honeywell on Dec 13, 2017
DMP has a strong presence in commercial intrusion alarms, but not in residential. However, the company's XTLPLus wireless combo panel and Virtual...
Genetec Self-Discloses Critical Vulnerability on Jul 31, 2018
In an unprecedented move for the video surveillance industry, Genetec has self-disclosed a critical software vulnerability across Security Center...
Alarm Circuits Guide on May 09, 2017
Alarm circuits are a fundamental element of wired burglar systems. Designing the alarm circuit greatly affects its performance. In particular, more...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
Dahua Access Control Tested on Oct 10, 2017
Can Dahua become a major force in access control? We bought Dahua's ASC1202B [link no longer available] to find out. We tested Dahua access and...
Power For Burglar Alarms on Jul 14, 2017
In order to operate, alarm panels require the high voltages found in electrical outlets be converted to the low voltages they run on. In this...

Most Recent Industry Reports

Avigilon ACC Cloud Tested on Jul 08, 2020
Avigilon merged Blue and ACC, adding VSaaS features to its on-premise VMS, offering remote video and health monitoring that was previously limited...
The US Fight Over Facial Recognition Explained on Jul 08, 2020
The controversy around facial recognition has grown significantly in 2020, with Congress members and activists speaking out against it while video...
Sperry West / Alibaba Tablet Temperature Measurement Tested on Jul 07, 2020
In April, we ordered a ~$500 temperature tablet from Alibaba. We set it to the side while doing 18 other temperature screening tests but, after...
Facial Recognition: Weak Sales, Anti Regulation, No Favorite, Says Security Integrators on Jul 07, 2020
While facial recognition has gained greater prominence, a new IPVM study of security systems integrators shows weak sales, opposition to...
Video Surveillance 101 Book Released on Jul 07, 2020
IPVM's unique introduction to video surveillance series is now available as a 145-page eBook. Designed for managers, salespeople, and engineers new...
Startup Duranc Presents AI VSaaS on Jul 06, 2020
Duranc presented its system at the May 2020 IPVM Startups show. A 30-minute video from Duranc including IPVM Q&A Background on the...
Low Voltage Nation Wants to "Help You Carve Out A Fulfilling Career" Interviewed on Jul 06, 2020
It is difficult to make your way in this industry as there is little formal schooling. However, one person, Blake Urmos, the Founder of Low Voltage...
The Next Hot Fever Detection Trend - $100 Wall-Mounted Units on Jul 06, 2020
The first wave of the booming fever detecting market was $10,000+ cameras, now interest for ~$2,000 tablets is high and the next big thing may be...
Cisco Meraki Unlocks IP Cameras With RTSP Tested on Jul 06, 2020
Meraki opened up its cameras to 3rd party NVRs/VMSes by offering RTSP streaming because of "the need to solve a business problem". We tested...