Vivint branded 2GIG GoControl panel hacked, compromised and disabled

Also - this is a much less expensive radio to use for the attack:

<http://greatscottgadgets.com/hackrf/>

Pre-order for now, but they exist today, so they should be shipping soon.

Bad URL for the HackRF One. Try this:
http://greatscottgadgets.com/hackrf/

WOW…$299 is all it costs to compromise and defeat a 2GIG/Vivint panel… Shipping is estimated for August.

The talk was canceled and removed from the websites for BH and DEFCON but the deck and paper were still on the conference CD. See attached.

Hint: Honeywell, ADT\DSC, 2gig.

DEFCON-22-Logan-Lamb-HOME-INSECURITY-NO-ALARMS-FALSE-ALA_002.pdf (1.78 MB)

DEFCON-22-Logan-Lamb-HOME-INSECURITY-NO-ALARMS-FALSE-ALARMS-.pdf (237 KB)

Great find, thanks.

Interesting to note that we’re better off with Q65 (RF Jam) set to disabled…

I haven’t read the PDFs… but why would disabling RF jamming detection be preferred? You would think you would want the panel to go into trouble if jamming is detected…

According to Jay w/Suretycam, and 2GIG, this is what they recommended…

See: http://suretydiy.com/wp-content/uploads/GoControl-System-Security-Letter.pdf

It seems to me that it would be akin to disabling real time scanning on your computer antivirus…leaving you wide open and defenseless.

Read PDF…

So, RF jamming detection doesn’t stop the hack, but instead makes it easier for the hacker to further compromise the system and send false alarm activations.

2GIG has some issues they need to resolve.

I’m curious about that too. It would stand to reason that having an additional line of defense in Q65 wouldn’t hurt anything.

Apparently it makes the attack more devastating… (I edited above post)

Copy/paste from the slides… will leave it to others for interpretation…


[IN HONEYWELL SECTION OF SLIDES]

Jamming
• Spot Jamming
– Blast noise! :smiley:
– It… works? Really?
• Manufacturers are aware of the threat
– Introducing ‘RF Jam’
– Once enabled, the spot jammer fails

How quickly can we turn simple jamming off and on?
• Pretty quick, about ¼ of a second
• Is that good?
– Yup
– Supervisory transmission requires 0.77 s
– Alarm transmission requires 3.54 s

What does this get us?
• RF Jam Disabled
– Covert infiltration and exfiltration
• RF Jam Enabled
– Covert infiltration, exfiltration, and alarm triggering
– When enabled, RF Jam is a liability

[IN ADT SECTION OF SLIDES]

ADT Specifics
• Completely Wireless
• RF Jam Detection capable, but disabled
• Unable to get Installer Code
– Yeah, there’s a fee for that
– Thanks ADT

[IN 2GIG SECTION OF SLIDES]

2GIG Specifics
• Hybrid System
– Wired and wireless devices
– RF Jam Detection capable, but disabled
• Sooo, we enabled it! :slight_smile:
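As an added illustration of the timing argument in those slides (this is not code from the talk, from 2GIG or from any vendor): a toy Python model of a pulsed jammer against the two frame durations the slides quote. The jammer toggle time (about ¼ s), the 0.77 s supervisory frame and the 3.54 s alarm frame come from the slides; the jam-detector model, which raises RF Jam only after continuous noise longer than an assumed 1 s threshold, is an assumption made for this example and not something the slides state.

```python
"""Toy model of pulsed ("spot") jamming against a wireless alarm panel.

Added illustration, not code from the DEFCON slides or any vendor.
Slide figures: jammer toggles in ~0.25 s, supervisory frame needs 0.77 s
of clear air, alarm frame needs 3.54 s.  The detector model below
(trouble raised only after continuous noise >= a threshold) is ASSUMED.
"""

JAMMER_TOGGLE_S = 0.25          # slides: "about 1/4 of a second"
SUPERVISORY_S = 0.77            # slides: supervisory transmission
ALARM_S = 3.54                  # slides: alarm transmission
JAM_DETECT_THRESHOLD_S = 1.0    # ASSUMED detector threshold, not from the slides


def jam_intervals(duration_s, on_s, off_s, start_on=True):
    """Return [(start, end)] intervals during which the jammer is transmitting."""
    t, on, out = 0.0, start_on, []
    while t < duration_s:
        step = on_s if on else off_s
        if on:
            out.append((t, min(t + step, duration_s)))
        t += step
        on = not on
    return out


def frame_survives(frame_start, frame_len, jams):
    """A frame decodes only if no jamming overlaps any part of its airtime."""
    frame_end = frame_start + frame_len
    return all(end <= frame_start or start >= frame_end for start, end in jams)


def any_frame_survives(frame_len, jams, duration_s, step=0.01):
    """Try every start time: does the sensor ever get a clear window?"""
    t = 0.0
    while t + frame_len <= duration_s:
        if frame_survives(t, frame_len, jams):
            return True
        t += step
    return False


def detector_trips(jams, threshold=JAM_DETECT_THRESHOLD_S):
    """Assumed detector: trips if any single jam burst lasts >= threshold."""
    return any(end - start >= threshold for start, end in jams)


def evaluate(on_s, off_s, duration_s=20.0):
    """Outcome of one jammer duty cycle against the three panel behaviours."""
    jams = jam_intervals(duration_s, on_s, off_s)
    return {
        "supervisory_gets_through": any_frame_survives(SUPERVISORY_S, jams, duration_s),
        "alarm_gets_through": any_frame_survives(ALARM_S, jams, duration_s),
        "rf_jam_detector_trips": detector_trips(jams),
    }


if __name__ == "__main__":
    print("pulsed 0.25/0.25:", evaluate(JAMMER_TOGGLE_S, JAMMER_TOGGLE_S))
    print("continuous:      ", evaluate(20.0, 0.0))
    print("pulsed 0.25/1.0: ", evaluate(JAMMER_TOGGLE_S, 1.0))
```

With the jammer on and off for 0.25 s each, neither frame ever finds a gap long enough to get through, yet no single burst is long enough to trip the assumed detector: covert. Jamming continuously trips the detector instead, which is the "alarm triggering" case the slides describe when RF Jam is enabled. Lengthening the off period to 1.0 s lets supervisory frames through while still blocking alarms, which is why the attacker, not the panel, picks the duty cycle.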

This is an issue that we take very seriously and will be looking into the matter. I want to thank everybody bringing this issue to our attention.

Hopefully we’ll see some new firmware asap.

I think at least some of the issues will persist even after a firmware update. They cannot fix the issue of replay attacks and jamming without also modifying the wireless sensors.

To counter all of the attacks:

  • Spread spectrum frequency hopping to resist jamming.
  • When a new wireless sensor is registered to the panel, it needs to provide and receive a dynamically assigned public key.
  • Sensor to panel communication could remain one-way but will use the public key of the panel to encrypt messages to it.
  • Rolling cryptographic code to prevent replay attacks.

Mistakes vendors make:

  • Every device ships with the same private key (anyone with the key can eavesdrop).
  • Not implementing a way to ensure that every message is unique (to prevent replay attacks).
  • Implement symmetric encryption with a fixed shared key on every device.
  • Fixed frequency makes jamming a simple and inexpensive countermeasure.
  • Frequency hopping uses a fixed or predictable pattern.

Other possible vulnerabilities to research:

  • I don’t think the researcher was able to derive the disarm PIN. This would be possible if the alarm user enters it into a PAD1 or similar. Manchester encoding is used, no encryption. This would be possible with the $10 TV tuner SDR.

  • The researcher specifically excluded vulnerabilities in the panel software. It is possible that there are buffer overflow vulnerabilities in the software that receives messages from sensors. This would be simple to test for with a USRP or HackRF board.

  • The researcher also didn’t examine the firmware. That is available to all of us and can be easily examined with software like IDA Pro. Firmware analysis may reveal hidden backdoors that vendors leave for device recovery and troubleshooting. It may also reveal bugs that could be exploited from the panel or an external device.

Keep in mind that the fix for this problem is expensive and will likely result in the price of the equipment going up substantially. Although these flaws are unlikely to be exploited in real life, I think they should be fixed. Perhaps 2gig needs to offer a DEFCON security mode and a Crackhead security mode. The former protects against these vulnerabilities and costs a lot more. The latter doesn’t need to and is cheap.
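To make the "mistakes vendors make" and the counter-measures above concrete, here is an added Python sketch that is not 2GIG, Honeywell, DSC or GE code: the design with one factory key in every unit and no message uniqueness, next to one where the panel issues each sensor its own key at enrollment and every frame carries a monotonic counter. The frame layout, the sensor IDs and the use of HMAC-SHA256 are all made up for the example; the public-key enrollment the post describes is simplified to the panel handing the sensor a random per-device key at enrollment time, after which traffic stays one-way sensor-to-panel. The last function shows a hop sequence derived from that per-device key, the opposite of the "fixed or predictable pattern" mistake.

```python
"""Sensor-to-panel messaging: fixed-shared-key/no-uniqueness design next to a
per-device-key/rolling-counter design.  Added illustration; not any vendor's
protocol.  Frame layout, IDs and the HMAC-SHA256 choice are assumptions."""
import hashlib
import hmac
import secrets
import struct

# --- Vulnerable design: every unit ships with the same key, no counter -------
FACTORY_KEY = b"same-key-in-every-unit"   # constructed; the mistake the post lists
VULN_BODY = ">IB"                         # sensor_id, state (assumed layout)


def vulnerable_frame(sensor_id, state):
    body = struct.pack(VULN_BODY, sensor_id, state)
    return body + hmac.new(FACTORY_KEY, body, hashlib.sha256).digest()


class VulnerablePanel:
    def __init__(self):
        self.events = []

    def receive(self, frame):
        if len(frame) != struct.calcsize(VULN_BODY) + 32:
            return False
        body, tag = frame[:-32], frame[-32:]
        if not hmac.compare_digest(tag, hmac.new(FACTORY_KEY, body, hashlib.sha256).digest()):
            return False
        # Nothing here ties the frame to a point in time: a capture replays forever.
        self.events.append(struct.unpack(VULN_BODY, body))
        return True


# --- Hardened design: per-sensor key at enrollment, counter in every frame ---
HARD_BODY = ">IQB"                        # sensor_id, counter, state (assumed layout)


class HardenedPanel:
    def __init__(self):
        self.keys = {}        # sensor_id -> per-device key issued at enrollment
        self.last_ctr = {}    # sensor_id -> highest counter accepted so far
        self.events = []

    def enroll(self, sensor_id):
        key = secrets.token_bytes(32)   # stands in for the dynamically assigned key
        self.keys[sensor_id] = key
        self.last_ctr[sensor_id] = -1
        return key

    def receive(self, frame):
        if len(frame) != struct.calcsize(HARD_BODY) + 32:
            return False
        body, tag = frame[:-32], frame[-32:]
        sensor_id, ctr, state = struct.unpack(HARD_BODY, body)
        key = self.keys.get(sensor_id)
        if key is None:
            return False                 # unknown sensor
        if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
            return False                 # wrong key for this sensor_id
        if ctr <= self.last_ctr[sensor_id]:
            return False                 # replayed or stale frame
        self.last_ctr[sensor_id] = ctr
        self.events.append((sensor_id, state))
        return True


class HardenedSensor:
    def __init__(self, sensor_id, key):
        self.sensor_id, self.key, self.ctr = sensor_id, key, 0

    def frame(self, state):
        self.ctr += 1                    # every message is unique
        body = struct.pack(HARD_BODY, self.sensor_id, self.ctr, state)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


def hop_channel(key, slot, n_channels=50):
    """Channel for time slot `slot`, derived from the per-device key so the
    pattern cannot be predicted by someone who lacks the key."""
    d = hmac.new(key, struct.pack(">Q", slot), hashlib.sha256).digest()
    return int.from_bytes(d[:4], "big") % n_channels


def replay_demo():
    """Capture a 'closed' frame, then replay it after the door opened.
    Returns (accepted by vulnerable panel, accepted by hardened panel)."""
    CLOSED, OPEN = 0, 1
    v = VulnerablePanel()
    captured = vulnerable_frame(0x1234, CLOSED)
    v.receive(captured)
    vuln_replay_ok = v.receive(captured)
    h = HardenedPanel()
    s = HardenedSensor(0x1234, h.enroll(0x1234))
    captured = s.frame(CLOSED)
    h.receive(captured)
    h.receive(s.frame(OPEN))
    hard_replay_ok = h.receive(captured)
    return vuln_replay_ok, hard_replay_ok


def forge_demo():
    """Attacker with a key pulled from their own unit forges a frame for a victim
    sensor.  Returns (accepted by vulnerable panel, accepted by hardened panel)."""
    v_forged = VulnerablePanel().receive(vulnerable_frame(0x1234, 0))
    h = HardenedPanel()
    h.enroll(0x1234)
    attacker = HardenedSensor(0x1234, h.enroll(0x9999))  # own key, victim's ID
    return v_forged, h.receive(attacker.frame(0))
```

The strict "counter must exceed the last accepted value" check also rejects frames that arrive out of order, and it only works if the sensor's counter survives a battery change; a real design needs a persisted counter on the sensor and a bounded acceptance window on the panel, neither of which this sketch addresses.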

$299 for the HackRF isn’t that much, and all it will take is someone to use it on say a 2GIG or Vivint panel to facilitate entry in the course of a rape/home invasion/armed robbery to cripple the system.

Someone gets raped, severely injured, or starts a fire, and/or there is a death as a result of the panel failing as a result of this known/unfixed exploit, you’re talking multimillion dollar liability…

It’s not any different than, say, GM being aware of faulty brakes, which they are slow or reticent to recall/fix, that as a result causes passenger deaths…

A buyer/customer has a clear right to expect security/fire protection/life safety systems to operate properly, and to have known defects addressed. This opens the door for class action lawsuits also.

Vivint is 2GIG’s biggest customer, and there are a lot of people who hate Vivint, 800,000 exploitable Vivint systems may be very tempting to a malicious hacker or someone who wants notoriety.

There are also commercial/government/local government and schools that use the 2GIG/Vivint systems (and other equally exploitable systems).

The potential to wreak havoc, and cripple the major commercial/residential security systems easily and cheaply has endless possibilities…

It’s like selling a $299 “remote access” tool to all the major security/life safety systems. Imagine if a total stranger could just login/access/control your system via the ADC mobile app and everyone else’s for the low price of $299…

For example, see: https://www.hackthissite.org/forums/viewtopic.php?f=79&t=9113

Does this exploit carry over to z-wave devices on 2gig panels (as primary controller)?

As in, could an intruder theoretically trigger a door to unlock via a paired Kwikset Smartcode Deadbolt?

Kwikset smartkey/smartcode deadbolt? You realize that those are the worst locks on the market, Z-Wave functionality had already been compromised, and the locks can in any event be opened in a matter of minutes (as fast as you can open it with a key). So easy a monkey can do it…

"The researchers discovered that a single, unnamed Z-Wave door lock manufacturer [Kwikset] has a bug in their implementation of the Z-Wave secure node association protocol that could allow a hacker within Z-Wave range of the network to reset the lock’s user codes and unlock the door from outside."

See: http://www.2gigforum.com/threads/56-Can-Hackers-Unlock-My-Z-Wave-Door-Lock?p=85&viewfull=1#post85

That’s a joy.

EDIT:
Looks like I’m buying 2 new touchscreen Z-Wave deadbolts… looking at Yale (ANSI 2) and Schlage (ANSI 1) - thx for heads up rive.

So, Kwikset/Yale/Schlage aside, does this exploit allow for a z-wave unlock trigger?

This vulnerability probably doesn’t lead to a z-wave compromise unless you have automation rules configured to unlock doors on arm/disarm.

Would it make the system safer if GE sensors are used and the panel radio is replaced with the dual 319/345 MHz radio: 2gig-drec2-319

Probably can’t use image sensors and extra touchpad then, but if it makes the system more secure, it could work for small installations.

Anyone know where to find more information on the encryption or rolling algorithm used for GE/Interlogix signal transmission?

Rive, why do you keep showing the 25.00 Kwikset lock from Home Depot? That’s not a Z-Wave lock; the new Kwikset lock is a level 2 and it has a full complement of numbers. Also notice that all the equipment allegedly hacked is on 345 MHz. Honeywell, 2GIG and DSC use this frequency. GE uses 319.5 because the govt allocated it to them and only them; it’s an old military frequency used for refueling tankers. It’s an ever-changing algorithm; try it with a sniffer and you will see.

The lock in the video is an ANSI 1 Kwikset/Weiser “smartkey” deadbolt (Weiser is Kwikset). The “smartcode” Z-Wave deadbolt uses the exact same type of cylinder/mechanism (you can tell it’s the same by the ‘slot’/mark to the left next to the keyway); the deadbolt is the same deadbolt regardless of whether it has the added functionality of the Z-Wave protocol or not.

In any event, the zwave protocol for Kwikset is/was flawed, and included a bug in their implementation of the Z-Wave secure node association protocol that could allow a hacker within Z-Wave range of the network to reset the lock’s user codes and unlock the door from outside. Many, many Kwikset (hundreds of thousands) zwave “Smartcode” deadbolts/locks currently installed and in use, have this flaw still.

Double whammy. Not only do Kwikset Smartkey and Z-Wave Smartcode locks suck, but the Z-Wave protocol is flawed on most of the existing deadbolts/locks.

ANSI grade 2 and ANSI grade 3 locks are not as good as ANSI grade 1 deadbolts/locks, and in Kwikset’s case ANSI grade 1 and ANSI grade 2 locks/deadbolts are garbage, and are weaker than comparable ANSI grade 2 locks from Schlage, Medeco, and Yale, just to name a few. According to some of the reports, Kwikset should never have gotten the Grade 1 rating at all. It stands to reason that if their Grade 1 locks suck, their grade 2 and grade 3 locks are even worse, affording the same protection that a toy lock would.

Kwikset ANSI Grade 1 deadbolt easily defeated:
See: http://endthelie.com/2013/08/03/researchers-reveal-that-millions-of-secure-kwikset-smartkey-locks-can-be-opened-with-simple-tools/#xDP0pmhHUpfpPMy1.99

Kwikset is a garbage lock whether its zwave capable or not. If you are concerned about your home security, but want zwave lock functionality, do yourself a favor and steer clear of the kwikset family of deadbolts and locks.

Ask any qualified and reputable professional locksmith what their opinion of Kwikset deadbolts/locks is if you have any doubts regarding the quality of the “Smartkey” or Z-Wave “Smartcode” Kwikset brand.

The z-wave alliance requires locks and security devices to use the optional z-wave security protocols - the early Kwikset did not do that and shouldn’t have been certified. The z-wave vulnerability in Kwikset locks is not present in anything marketed today. They resolved the issue and stopped selling the vulnerable version. I still wouldn’t buy it.

Kwikset is the value brand.

Schlage makes a z-wave lock that has ANSI Grade 1 (not all of them do though so check before purchasing). The ANSI Grade measures the resistance to force and the longevity of the mechanism. The Yale Real Living lock is a grade 2. Go with the grade 1 - there isn’t any reason not to (the price is the same or less for the Schlage). If you have a grade 1 deadbolt, you should consider reinforcing the door jamb with something like Armor Concepts’ Door Jamb Armor. Don’t bother with an expensive deadbolt if there is only a matchstick holding the bolt in the jamb.

ANSI doesn’t measure the resistance to surreptitious entry (picking or bumping). The bypass cores in all of the locks can easily be picked in a time that is similar to the smart key vulnerability. If you worry about lockpicking (it very rarely happens in burglary) then replace the core with a high security core with a restricted key profile. Medeco, Abloy or Schlage Primus. These are resistant to drilling, picking and have profiles that can’t be easily reproduced.

I hope this information is useful.