How to Hack an ADT Alarm System

By: Brian Rhodes, Published on Jan 26, 2015

This report explains the key steps in hacking an alarm system, like ADT, as was presented in a Defcon 22 presentation.

The risk of such a hack has become major news as a class action lawsuit was filed against ADT recently, claiming that ADT could be 'easily hacked'.

Summary

According to the Defcon 22 presentation, the most straightforward way to hack / disable an alarm system is to:

  • Find out the frequency the alarm system transmitter uses from publicly available FCC documentation.
  • Get a software defined radio, set it to that frequency to jam it.
  • Periodically, for very short periods of time, stop jamming to overcome / trick anti-jamming functionality in the system.

For those interested in reading the original research, see Logan Lamb's Defcon 22 whitepaper and presentation.

Finding Frequencies

The hack relies on knowing which unencrypted wireless frequencies are used by intrusion alarms.  Specifically, the frequency band used by individual types of sensors and devices. In the US, commercially sold wireless devices are issued licenses by the FCC and the specific frequency they use for communication is public record.

For example, Honeywell's license catalog includes over 300 license applications since late 2011. The record includes frequency information for devices like:

Indeed, even 'proprietary' systems sold to major alarm companies carry public FCC filings, like this ADT keypad and the entire wireless 2GIG catalog.

A quick search of most major alarm companies return records, including

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

  • UTC (GE, Tyco, ADT) (310.0 MHz to ~990 MHz)
  • Vivint (~905.0 MHz)
  • Napco (~319.0 MHz - 320.0 MHz )
  • Sensormatic (~550.0 MHz - 927.25 MHz)

See the full list of companies with FCC applications on file here.

To exploit this weakness, the main challenge is knowing which system / transceiver the site being targeted uses. This would be easiest for inside jobs, but possibly quite hard going after a facility one has never been in. In any case, prominently displaying window stickers or yard signs could actually assist a hacker into zeroing in on a specific range of frequencies:

Software Defined Radio

The equipment needed to search out, monitor, and jam these frequencies are commonly classified as 'SDRs' or 'Software Defined Radios' and are widely available. The primary function of these devices is to scan a range of radio bandwidth for activity on known frequencies. Using USB connected scanner cards and laptops, an entire spectrum of wireless traffic is visable:

The specific type of SDR demoed in the Defcon hack is profiled in the video clip below:

Once wireless alarm activity is observed, exploiting it is straightforward. For example, this Vivint Motion Detector is shown to operate at 345.0 MHz. Disrupting normal communication with the wireless control panel requires overpowering or jamming alarm signal from that sensor using the same setup.  

Overcoming Anti-Jam Protection

Some alarm systems are equipped with anti-jamming features that monitor for this tactic. The cyber-researchers found that if the jamming is turned off for a fraction of a second, and right back on that it would still stop the system from triggering its anti-jam alert while still blocking real alerts from being sent when an intrusion occurs. In general, panel RF Jamming features must be enabled by the installer.

For example, the researchers defeated Honeywell's protection by running a jam for 20 seconds, turning it off for one second, then rerunning the jamming routine. (See Defcon Whitepaper Section 4.3.2) This process effectively defeated the panel's anti-jamming protection. Another exploit for 2GIG/Vivint panels modified the process by turning the jam on for 50 seconds, but turning it off for 0.2 seconds.

The specific parameters of an anti-jam process vary according to panel type, but researchers found the protection could be defeated with trial and error in test systems.

Not a Cheap Hack

The equipment cyber-researchers used to pull off the exploits are quite expensive. The pricing for the requisite SDR with ample power ranges between $1000 and $4000 USD, and require a high level of technical experience to deploy effectively. 

The Defcon researcher reported his setup cost more than $2000, a cost that will certainly be out of reach or tolerance for many 'smash & grab' criminals.

While SDRs are easy to get and inexpensively available online, like this $15 example from Amazon, their effectiveness has not been evaluated. The whitepaper only reflects results achieved by using moderately expensive, professional gear.

Other Advanced but More Complex Exploits

The equipment and basic process of this exploit can be modified into other methods for tricking alarm systems. For example, the basic jamming attack might also be used to spoof the (non-alarming) presence of supervised alarm sensors if exact device details are known. However, such an attack would likely require significant time investment not typical of random 'smash and grab' robberies. These are explained in more detail in Logan Lamb's Defcon 22 whitepaper.

[premium_content]

8 reports cite this report:

European Startup Ajax Profile - They "Stand Against Evil" on Jan 03, 2019
European intrusion detection startup Ajax Systems proclaims: How are they standing against evil? And what are the differentiators and potential...
Simplisafe 'All New' Generation 3 Tested on Feb 08, 2018
Feared by the traditional alarm industry, Simplisafe has launched its 'all new' Generation 3 platform that they declare is "Stronger. Faster....
Testing DMP XTLPlus / Virtual Keypad Vs Alarm.com & Honeywell on Dec 13, 2017
DMP has a strong presence in commercial intrusion alarms, but not in residential. However, the company's XTLPLus wireless combo panel and Virtual...
Wireless Burglar Alarm Sensors Guide on Jul 21, 2017
Wireless sensors for burglar alarm sensors are an increasingly common option for the historical labor intensive wired alarm systems. However,...
2Gig Intrusion Megatest (GC2 & GC3 Panels Tested) on Mar 28, 2017
2Gig is one of the most widely used intrusion systems, with two product lines that are the main offering of many alarm companies, huge national...
DMP Intrusion Tested (XR Series) on Mar 09, 2017
DMP is a major provider of intrusion systems, but lacks the global brand recognition of some of its rivals (such as Bosch, Honeywell, DSC, or...
Bosch Intrusion Detection Profile on Aug 10, 2016
This is a first in a new IPVM series profiling intrusion detection / alarm offerings. In this series, starting with Bosch, we examine: Key...
ADI Scare Tactics Against DIY Security on Nov 27, 2015
ADI wants you to buy alarm system parts from them, not those kits on the Internet. Leveraging scare tactics, they have made an unsurprisingly...

Comments (3)

Only IPVM PRO Members may comment. Login or Join.

Great article, we do our best to stay away from wireless alarm devices. However, when we do use them we use spread spectrum, 2 way wireless.

May I ask what specific products you use?

This was an old post! We actually do a lot of wireless now and we use DMP. Both residential and commercial including commercial fire alarm with DMP wireless.

Related Reports on Wireless

Access Control Job Walk Guide on May 22, 2019
Significant money can be saved and problems avoided with an access control job walk if you know what to look for and what to ask. By inviting...
Mining Company Security Manager Interview on May 10, 2019
First Quantum Minerals Limited (FQML) is a global enterprise with offices on 4 continents and operations in 7 countries with exploratory operations...
Registration Closed - Spring 2019 IP Networking Course on May 02, 2019
Register now for the Spring 2019 IP Networking course here - Closed. Last chance now.   This is the only networking course designed specifically...
UK Installer CCTV Aware - Flat Pricing, No Salespeople on Apr 10, 2019
This is a different kind of company. They do flat pricing, they do not have any salespeople and 50% of their sales are sold and booked...
Cambium Wireless Video Surveillance Profile on Mar 27, 2019
Cambium Networks, spun out of Motorola Solutions in 2011, says "outdoor durable radios are in their DNA" and they are targeting video surveillance...
Casino Security Consultant Carl Lindgren Interview on Mar 26, 2019
For more than 20 years, Carl Lindgren worked as a casino surveillance pro, while being active (and sometimes outspoken) on various online video...
Large Hospital Security End User Interview on Mar 21, 2019
This large single-state healthcare system consists of many hospitals, and hundreds of health parks, private practices, urgent care facilities, and...
Large US University End-User Video Surveillance Interview on Mar 18, 2019
Schools have become targets in modern days of active shooters and terrorist fears. The need for video and access security is high. Universities...
Church Technology Director Security Interview on Mar 07, 2019
With 40+ years of experience in IT from a wide array of verticals, including US and foreign military, and large corporate and industrial settings,...
Ubiquiti Favorability Results 2019 on Feb 18, 2019
Ubiquiti has quietly grown into a $1+ billion annual revenue company, with offerings across wireless, wireline network and video surveillance (see...

Most Recent Industry Reports

NJ Law Requires Apprenticeship For Public Works Integrators on May 24, 2019
Few integrators do a formal apprenticeship program. However, now a NJ law is requiring any integrator on public works projects (such as state...
Security / Privacy Journalist Sam Pfeifle Interview on May 24, 2019
Sam Pfeifle is best known as the outspoken former Editor of Security Systems News. After that, he was publications director at the International...
Verkada Video Quality Problems Tested on May 23, 2019
Verkada suffers from numerous video quality problems, not found in commercial IP cameras, new IPVM testing of Verkada vs Axis and Hikvision...
Average Frame Rate Video Surveillance 2019 on May 23, 2019
What is the average frame rated used in video surveillance systems? In IPVM's 2011 statistics, the average was 6-8fps increasing to ~10fps in...
Access Control Job Walk Guide on May 22, 2019
Significant money can be saved and problems avoided with an access control job walk if you know what to look for and what to ask. By inviting...
ASCMA / Monitronics Declares Chapter 11 Bankruptcy Plan on May 22, 2019
Monitronics is entering into Chapter 11 bankruptcy. The company, also called Ascent Capital Group Inc., aka ASCMA, aka Brinks Home Security,...
US Considers Sanctions Against Hikvision and Dahua on May 22, 2019
The US government is considering blacklisting "up to 5" PRC surveillance firms, including Hikvision and Dahua, Bloomberg reported, with human...
Dahua USA Celebrates 5 Years of Errors on May 21, 2019
Dahua USA is, in their own words, 'celebrating' 5 years in North America or as trade magazine SSN declared: Dahua Technology finds success in...
Axis ~$150 Outdoor Camera Tested on May 21, 2019
Axis has released the latest in their Companion camera line, the outdoor Companion Dome Mini LE, a 1080p integrated IR model aiming to compete with...
Covert Facial Recognition Using Axis and Amazon By NYTimes on May 20, 2019
What if you took a 33MP Axis camera covering one of the busiest parks in the US and ran Amazon Facial Recognition against it? That is what the...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact