When it comes to burglary, we often imagine individuals who use brute force or common tools to break into your doors and windows (see how to use a credit card to open a door), take all your valuables, and then attempt to run away before police arrive. Our existing security systems are designed for for those kind of criminals. But with the rise of smart security systems, what if criminals have learned to bypass your system and disable your alarms?
Although FBI has yet to release reports of burglars who actually hacked a security system to break into a house, it is worth knowing that there our technology today is not 100% fail proof. That’s likely because police departments don’t report that type of information or don’t have any evidence to know that’s what happened even if it did.
This post will review some of the popular home security systems that have been hacked and how the companies responded to the vulnerabilities.
We have summarized a list of breached security systems and how the companies handled the issues:
Wireless transmissions can be recorded by a third party and reuse data packets to disable the alarms.
Company promised to update their hardware to incorporate an upgradeable firmware.
Authentication can be bypassed using SSL certificate validation, authentication and access control.
Company promised to improve their firmware to protect the system from hacking incidents.
Failure to encrypt communication signals which can be intercepted by a SDR device.
Company promised to come up with plans to fix the vulnerabilities, but did not address the encryption issues.
Failure to encrypt communication signals which can be intercepted by a SDR device.
ADT settled a $16 million class action lawsuit to resolve hacking allegations.
Failure to encrypt communication signals, lack serial authentication which allows a third party to view from your camera, and SSD and PSK not removed despite of factory resetting.
Company was able to fix the serial switching problems and willing to update their firmware to solve the factory reset and PSK issues. However, no specific solutions yet were provided for the unencrypted communication issues.
Want to learn more about how these security systems compare to others?
If you're reading about these security systems and wondering what the other options are, we've got your back! We put together a comprehensive comparison of security systems at https://24-7-home-security.com/home-security-system-comparison-tool/
How to Hack Simplisafe
IOActive, security consulting firm from Seattle, confirmed that Simplisafe can be hacked by recording wireless transmissions between its system components. The researchers from the firm tested the devices in August 2015 using external microcontrollers and some codes to be able to listen to the wireless transmissions from Simplisafe’s system components. An intruder only needs to set-up the device about 100 feet from your home, and record the code whenever you disarm the system. The data packet is then transmitted to the hacking device. From then on, the hacker can simply resend the data packet to the Simplisafe device to disarm the system anytime.
Did SimpliSafe Fix the Vulnerabilities of their Security System?
On the other side, Simplisafe says the hacking method is unlikely to happen as none of their customers ever reported burglary connected to unexplained disarm events. The company also promised to update their hardware to incorporate upgradeable firmware so that customers can be protected from hacking events like this. We could find no confirmation the fix ever happened.
With the rise of connected smart homes, more and more security systems are being exposed, and iSmartAlarm is no exception. It was discovered that a hacker can simply bypass the system’s authentication to turn off the alarm, allowing intruders to break into your home without a trace. The flaw of the system was verified by Ilia Shnaidman in 2017, the Head of Security Research from BullGuard’s Dojo.
Exploiting iSmartAlarm with Command Playback
The company designed the components such as the sensors, locks and cameras to connect to an app via the internet. A hacker can then exploit the SSL certificate validation, authentication and access control of the system. So if an intruder knows the flaws of the system, he can simply use it to disable your alarms and break into your home anytime.
iSmartAlarm’s Response to the Disclosed Vulnerabilities of their System
iSmartAlarm has not addressed the specific issues but promised to improve their firmware to protect the system from hacking incidents. If you are a user of the security system, you are advised check for updates regularly and take off any stickers containing information about your devices.
How Vivint Camera Was Hacked
Cybersecurity researcher Logan Lamb discovered early 2014 a security flaw from Vivint by using a friend’s 2GIG Go!Control panel. Using a SDR (software-defined radio) device, he was able to bypass the system by suppressing the alarm at will.
Exploiting Vivint’s Security System with Command Playback
Logan exposed that even though we have modern designs for the security systems today, the technology used behind these systems were still from the 90s. The wireless communications failed to encrypt or authenticate signals which allow him to send his own signals to the control panel and do things he wishes.
Hacking Vivint’s Security System With Jamming
Sophisticated SDRs can simply interfere with the transmissions, falsely turn your alarm off, or jam your system from 65 to 250 yards away.
With these findings, it means that a tech-savvy burglar can simply disarm your system to get your stuff without a trace or a prankster can control your devices and even watch you while you’re asleep without your knowledge.
Vivint’s Response to the Vulnerabilities
Vivint has investigated the case and promised to come up with plans to fix the vulnerabilities. However, they have also mentioned that range and battery performance can be affected if encryption will be implemented in their communication systems. Considering that it is unlikely for burglars to use Logan’s method to break into homes, they’ve decided that using encryption was not worth it.
In case you've changed your mind with Vivint, you can read our post about what happens if you break contract with Vivint.
Exploiting ADT’s security system with Command Playback
Logan Lamb was also able to play around with an ADT security system using another system. The problem he has discovered was almost same with Vivint - the failure to encrypt sent signals which makes intruders intercept signals, send commands, and manipulate the control panels to turn the alarms on and off. Despite using different hardware designs, the system was basically no different from other wireless systems that can be easily hacked.
Wireless systems depend on radio frequency signals to transmit signals from the sensors to the control panel. A tech-savvy intruder can manipulate this using a SDR so he can turn on or off the alarms whenever he wants to. And what’s even more alarming is that anyone can buy an SDR as cheap as $10 on Amazon.
Did ADT fix the vulnerability in their security systems?
ADT was dismissive about the findings and claimed that they have never received a report of a hacking incident using this method. Despite this, ADT settled a $16 million class action lawsuit to resolve allegations regarding the company’s failure to disclose the product’s vulnerabilities due to lack of encryptions.
How Swann Security Was Hacked
Exploiting with Command Playback
Swann is an Australian firm that sells security systems to almost all countries, including the US. However, just like the other security systems exposed, it was not exempted from the vulnerability allegations.
Silvio Cesare from Qualys discovered that Swann security systems can be hacked due to unencrypted communication signals. This enables hackers to intercept signals, send commands, and play with the control panels. Moreover, Cesare was able to capture stored passwords using a microcontroller, creating another flaw that an intruder might use to disarm the system.
Public Video Camera Feeds!
On top of that, Pen Test Partners researchers Andrew Tierney, Chris Wade and Ken Munro, University of Surrey professor Alan Woodward, Scott Helme BBC hacker, and independent researcher Vangelis Stykas were able to switch video feeds from Swann security cameras. This was easily done since the cameras use its serial number to connect to their cloud service. The API would be able to authenticate you but at the same time allow you to view particular cameras whether you’re authorised or not.
Don’t sell or return your camera, your network may be at risk
Another discovery was that resetting your camera will not remove the SSID and pre-shared keys of the previous wireless networks the device was connected. If somebody else will get your camera (for example, you’ve decided to sell or give it to someone else) it’s possible that the next user can access details from your network.
Swann’s Reaction to the Vulnerabilities
Swann was able to fix the serial switching problems. They were also willing to update their firmware to solve the factory reset and PSK issues. Thus, users need to make sure that their firmware and apps are updated regularly to the latest versions. As for the security system, Swann has yet to make a statement regarding the unencrypted communication.
Additional Security Tips to Consider
As mentioned, security systems doesn’t fully guarantee 100% protection. Most security systems today are still dependent on radio frequencies for communication which, without proper encryption and obfuscation of commands, can still be accessed by criminals. Unfortunately, most security companies are dismissive of the vulnerabilities since it is unlikely burglars would be smart enough to hack your system. But for researchers, this statement is still debatable and a subject of concern. After all, anyone with an internet connection can learn how to do it in a few minutes.
For your reference, we have listed below some of the security systems that we believe are the least vulnerable to exploitations or, at least, have never been reported for hacking issues (however, if you do have some news or info reporting any hacking issues of these systems, do let us know in the comment section):
Hi, I’m Christy, and I’m an electronics engineer by profession. I have taught in a university for 2 years while pursuing my master’s degree in cognitive radio and worked for a company to develop wireless medical devices. Currently, I’m doing research for a doctorate degree in engineering using a wireless sensor network for smart agriculture. I’ve been active in our local IoT community, IoT Cebu, where I participate in conducting talks about Arduino, Raspberry Pi, and DIY home automation using Wi-Fi and ZigBee devices.