The Interceptor Aims To Fix Vulnerability In Millions of Alarm Systems
By: Brian Rhodes, Published on Jan 08, 2018
Security executive Jeffery Zwirn claims a 'catastrophic' flaw exists in 'millions of alarm systems', and that dealers could be liable if it is not fixed. His product, The Interceptor, is designed to stop a thief or building fire from locking up an alarm panel and thereby keeping it from dialing out, sounding keypad alarms, or triggering alarm messages at the worst possible time.
Alarm Industry Liable For 'Not State Of The Art' Systems
Zwirn told IPVM: "Shorted wiring on the databus is a significant vulnerability to expected function" that he "sees often during forensic alarm failure investigations." He forwarded us a legal opinion deeming stock panels a legal liability and not 'state of the art' unless equipped with The Interceptor:
"Manufacturers of security alarm panels, distributors and dealers are all at risk for lawsuits based on strict product liability, negligence and breach of implied warranties if a product placed into the stream of commerce and sold to a customer is dangerous or defective and causes or contributes to personal injury or property damage. These lawsuits cost manufacturers, distributors, dealers and their insurers millions upon millions of dollars in losses each and every year."
The Problem: Shorting Panel Devices Can Lock Them Up
The Interceptor addresses the shorting out of powered serial databus channels causing all connected devices to 'lock up' and become unresponsive. Shorts can occur when a building fire melts cables, or when a burglar knows how to tamper with a system keypad at an entrance.
His solution for making panels 'state of the art' adds a power supervision card that prevents line shorts from killing the attached devices and ensures that critical devices like communicators still dial out if trouble happens.
Installation is described as a 'simple, but not DIY', ~20-minute process for alarm installers, following similar schematic locations regardless of panel.
Importantly, the product does not draw power from the panel directly, but rather is tied into the panel's backup battery, thereby avoiding the 'electrical short' condition that disables the entire bus. Devices normally connected directly to the panel's data bus are connected to The Interceptor instead.
How Shorted Databus Wiring Happens
Zwirn explains two primary ways that alarms are vulnerable to a shorted databus:
If alarm cables melt together during a fire, the panel databus can be shorted. Because this cabling often runs through attics and crawlspaces, it is generally vulnerable to high heat. Even an indirect exposure to fire can damage the wires and potentially render the system inoperable.
Disabling During Break-Ins
Another way databus wiring can be shorted requires technical knowledge and time during a burglary. When an intruder breaks into a home, they locate a keypad (often located at a garage door or non-perimeter door), remove it from a wall, jump or twist together two of the wires on the back, and do this before the system calls out to a central station.
This exploit also is contingent on a hardwired, not wireless, keypad being found. Otherwise, the exploit requires finding a hardwired motion sensor, climbing up high enough (via ladder) and again shorting wires on the back before a monitoring station call is made.
Panel Databus Explained
Hardwired alarm panels typically include connection ports for devices that are not simple NO (normally open) and NC (normally closed) contact sensors. The 'databus' is often used for inputting commands and settings into the alarm panel, and system keypads are generally connected on these types of ports.
While the exact name of these ports varies by manufacturer, they are identified by the fact that they include 2 data connections (TX/RX) and 2 power connections (+/-) per port. The image below shows an example of databus ports on a Bosch G-Series panel:
The Interceptor Product Overview
The developer's demo video is embedded below and shows the particulars of how the board connects to a typical panel system:
Add-in Supervision Board
The product is a small ~5" x 3.5" circuit board that retrofits inside existing alarm panel enclosures. The card has an MSRP of ~$120, and one per bus channel is needed, typically one unit per panel.
Alarm devices normally connected directly to a panel are then attached to this card, which is individually fused and draws power from the system's battery:
Intrusion devices typically installed on these channels include parallel wired keypads, motion sensors, zone expanders, communicators, and auxiliary relays. However, the card is not used on individual alarm zones or zoned components like door/window contacts, glass break sensors, or wireless sensors using a board integrated radio. These types of connections are not generally vulnerable to the electrical short risk, nor are they parallel powered, so The Interceptor has no impact.
Not Replaced By Central Station 'Check-Ins'
Zwirn says it is not likely that central station 'heartbeat' or 'check-in' polling, where the station calls back to the panel rather than the panel calling the station, could detect a shorted databus.
Those check-ins occur at intermittent intervals, often scheduled once per day or even once per month. The 'heartbeat' is used to confirm 'all is well' with a panel without the panel initiating it, and is helpful in discovering panel problems if no message is sent. Moreover, Zwirn says that even if such a function were operating at the exact time a genuine security event was occurring, that exception would likely be classified as a 'trouble' event, not a full-fledged 'alarm' that triggers first responder dispatch.
Problem In Some, Not All, Panels
However, not all alarm panels are vulnerable to the problem The Interceptor addresses. Traditional, panel-based, hardwired alarm systems can be, but the majority of 'all-in-one' combo systems most likely have integrated system keypads, and radio modules often are plugged into slots not using data bus channels at all.
Zwirn specifically identifies two common systems as candidates to use The Interceptor in company literature, citing particular 'system popularity in the residential market':
Additionally, systems providing a powered, serial-type data bus channel (like Elk M1) can be retrofitted with the card.
However, the developer has not tested the card with all systems using a data bus. For example, DMP XR Series and Bosch G-Series Intrusion have not been tested by the company as benefiting or needing the card.
Unneeded In All-In-One Wireless Systems
Additionally, one of the most popular residential alarm system form factors will not benefit from the card, including 2Gig Intrusion Panels, Honeywell's LYNX Touch 5100, DMP XTLPlus / Secura, and DIY offerings like Honeywell Indiegogo-Funded DIY Intrusion System, Simplisafe, Nest Secure, Canary, and the onslaught of many others in the consumer space.
For Panel Makers, Not Field Fixable, But Not Significant Problem
A big factor in the lack of uptake of The Interceptor is the cost and complexity of physically adding in this component to the millions of panels in use. Zwirn tells us that despite approaching several manufacturers with his solution, none have yet expressed interest in adding it or licensing it in their designs.
Perhaps more than any other indicator, this reflects that the issue The Interceptor addresses is not considered a significant problem, nor has it been a considerable source of concern for either end users or panel manufacturers.
In terms of product success, The Interceptor faces some obstacles. We see two major problems that could limit acceptance:
- Risk Too Small: Even beyond whether or not The Interceptor works is the question of whether the risk it addresses is significant enough to warrant resolving. In general, the risk of burglars breaking into a house or business fast enough and then shorting out a keypad is contrary to the typical 'smash & grab' archetype burglary where a thief enters, steals, and exits as quickly as possible.
- A Feature, Not Product: The long-term outlook is clouded by requiring purchase of a separately installed device that might be otherwise resolved by the manufacturer through a product redesign. Zwirn says he is open to licensing his solution to manufacturers, potentially reducing development time and more rapidly addressing a 'widespread' safety issue.