On a recent Friday evening, Logan Lamb and his girlfriend turned up at a co-worker’s birthday party in Knoxville, Tennessee with a 12-pack of cheap beer, 4 craft beers for the birthday boy, and some hacking tools, namely a software-defined radio (SDR) capable of monitoring wireless transmissions. Lamb had been doing research on the way popular security systems, such as those from Vivint and ADT, can be turned against their owners to spy on their activity or suppressed so that they fail to go off when an intruder enters the home. His co-worker had a 2GIG Go!Control panel from Utah-based Vivint and was willing to be a guinea pig. Lamb asked the birthday celebrant to arm the system and then let the guests wander normally. The alarm did not get triggered as it should when the system’s armed and a door opens, and the Vivint central control station that would call the police when such a thing happened did not get a heads up. Lamb was able to suppress the alarm through intercepting the system’s unencrypted wireless communications with the sensors around the home, and sending his own signals to the main controls. After about an hour, though, the alarm started shrieking. Logan had neglected to plug his computer in and it went to sleep to conserve battery power, allowing the system to do what it was meant to do. “It didn’t ruin the party,” says Lamb. But it did make the security system seem less secure.
Lamb is a cybersecurity researcher at the Department of Energy’s Oak Ridge National Laboratory. “I primarily break things,” he explains. He started probing security systems in his spare time after a co-worker ordered one at the office. He was able to play around with an ADT system thanks to the graciousness of his girlfriend’s father, who had one at home. The different vendors’ products all had the same problem: legacy wireless communications from the 90s that failed to encrypt or authenticate signals. He could pick up the signals being sent from sensors on windows and doors to the main control system using a cheap SDR, meaning he could see transmissions from sensors — which are sent even when the system is unarmed — and track when people were opening and closing windows and doors. With a more sophisticated SDR, he could interfere with transmissions, setting the alarm off falsely by telling it doors were opening when they weren’t or jamming the system so that it wouldn’t go off, even if doors did open. He could do this from 65 to 250 yards away, basically a house over. Using his methods, a would-be tech-savvy thief could suppress an alarm while going in and out with your stuff; a prankster neighbor could set your alarm off; or someone could monitor when you’re active at the house. At the very least, someone with an SDR could determine based on signals being sent whether you actually have an alarm system, or have just planted a “Protected by ADT” sign in your front yard.
Lamb plans to present his findings in Las Vegas next month. He’s not the only presenter at the popular back-to-back hacker conferences there, Black Hat and Defcon, who has set his sights on the way security systems can be subverted to make their owners less secure. Researchers Colby Moore and Patrick Wardle of Synack turned their hacking skills against Dropcam, the wireless video monitoring device recently acquired by Google-owned Nest. “We saw Dropcams popping up all over here in Silicon Valley with tech incubators and big tech start-ups using them as security cameras,” said Moore. “It seems like the future of where video monitoring for consumers is going.”
Moore and Wardle discovered a small number of flaws in the Dropcam that could lead to it being compromised, but the attacker would need to get his or her hands on the cam to crack it. The most notable problem they discovered was a button on the back of the device that can be pressed when it’s booting up to put the camera into receptive USB mode. Once in that mode, an attacker could install spyware to turn the surveillance camera into one that surveils audio and video of its owners, or install a program that could make them see video of the attackers’ choosing. And as with another Black Hat presentation about jailbreaking the Nest, the security hack could be used to enhance consumer privacy — allowing a data-protective Dropcam owner to install a program that would prevent their video feed from being sent to Dropcam’s cloud. All in all, the researchers thought the Dropcam was far more secure than other Internet-connected cameras, some of which have been hacked remotely by strangers on the Internet — ahem, Foscam — but that Dropcam’s security could be improved by only running signed software from the company. Your own Dropcam is probably secure, as long as it’s never been in the hands of someone who might want to turn it against you. “Don’t accept cameras from strangers. It’s a good motto,” says Wardle, who also advised against buying them used.
Both Dropcam and the security system vendors were dismissive of the hacks. Dropcam is more concerned about protecting customers from remote hacks than ones done by someone with the device in hand. The general rule of thumb in the security community is that if someone has physical access to your device, you’re pwned. “All hardware devices – from laptops to smartphones – are susceptible to jailbreaking. If anything, Dropcam might actually provide the best solution for preventing physical access because we’ll notify you if someone were to approach or disconnect your camera,” said Greg Duffy, Dropcam’s CEO. “What’s far more important is preventing remote access, and Dropcam has excellent security to prevent this. Our cameras won’t communicate to anyone on the Internet – only Dropcam cloud servers, and we haven’t had any intrusions or access to private data to date.”
Meanwhile, the security system vendors said the hacks had never occurred in the wild, to their knowledge. “Safety and security is a top priority at ADT, and we have spent the past 140 years earning the trust of our customers,” said ADT spokesperson Jason Shockley. “Because we have yet to see the details of this particular research, we are unable to comment on the specifics.”
Vivint and another security company with the vulnerability that asked the researcher not to name it both said they have a jamming detection feature in their wireless security systems, though Lamb says he was able to program around it and that the companies didn’t detect his suppression of their alarms. Vivint’s vice president of innovation Jeremy Warren said the company is investigating the vulnerability that Lamb found in the jamming detection with plans to fix it. He also said that Vivint has never actually detected anyone jamming a system’s signal. As for the spying that could be done by a techno-lurker, Warren said it’s easily replicated by a person without an SDR sitting outside the house watching people opening windows and doors. Lamb though says that an adversary could make an embedded system to stash in the vicinity of a home to gather information all the time.
“It’s in the realm of hypothetical possibilities but I think people just driving their car around and looking at a community is a simpler and less costly, exotic way of doing this. This requires someone to have sophisticated tools that are not widely available, and that mitigates the impact,” said Warren by phone. “It shouldn’t be a concern to consumers. We really think this is an extremely exotic thing that will have zero impact on our customer base.”
Lamb argues though that SDRs are getting cheaper and more ubiquitous; a simple one goes for $10 on Amazon.
Warren said Vivint has looked at encrypting communications on the system but that it has a negative impact on “range and battery performance” and decided it wasn’t worth it after “balancing that against a highly hypothetical situation where a person needs to be nearby anyway.”
“Wireless transmissions by their nature are subject to potential risks,” said one security system maker in a statement. “Our security systems meet or exceed industry standards and include a variety of protections, such as available encryption, tamper resistance and jamming detection, which when employed significantly improve security.”
Those worried about this kind of monitoring may want to go ahead and employ those options.
“The idea of covering a home with more security sensors does not translate into a more secure home,” says Lamb. “The end goal of all this is to make better systems.”