Wireless Alarm System Vulnerabilities
Recently I had a chance to look at a number of intruder alarm systems sold via Amazon and eBay. These devices sell for up to £150, and a number are best sellers
- Kerui W18 Alarm
- Blitzwolf BW-IS22 Smart Home Security Alarm
- Digoo DG-HAMB Smart Home Security System
- AGSHome Smart Alarm
As discussed in my last post, RF frequency communication can be captured relatively easily, using a software-defined radio (SDR). All four devices use 433MHz RF to communicate between the sensors and the base station. Capturing transmissions from each device proved extremely simple; the following shows the result of triggering one of the door sensors included with the Kerui alarm:
I decided to capture the results of pressing the alarm arm/disarm fob for each device. These are used to remotely enable or disable the alarm. Using SDR# I captured both the AF and IQ transmissions. The results for each are as follows:
The top line shows keypress 1, and the bottom keypress 2. As you can see, for each device the two are identical. This means that once the code is captured it can be reused by an attacker to arm and disarm the alarm at will. Not something that is desirable for a security system!
It appears that the majority of these generically named devices use 433MHz and non-rolling codes. More expensive devices seem to prefer the 868MHz band, and also rolling codes. These are more secure, but can still be jammed to stop a sensor activation from registering at the base station and triggering the alarm. They are also vulnerable to RollJam-type attacks. The moral of the story? Use something with wires!
The following CVEs are related to this work: CVE-2023-31759, CVE-2023-31761, CVE-2023-31762, CVE-2023-31763.