Inside Job: Exploiting Alarm Systems and the People Who Monitor Them

by Nicholas Koch

When you walk into a building, what do you see?  Do you see the receptionist greeting you at the front desk?  Perhaps a guard checking badges and making sure the people coming in are actually allowed in?  What about the smaller things, though, like the motion detector in the corner of the room, or the contact on top of the doors and windows?  When I presented "Inside Job" at HOPE 2020, I knew that there were a myriad of talks about covert entry.  Bypassing alarms with a handheld radio or canned air has been covered ad nauseam by now, but I never noticed anyone talk about what the person monitoring those sensors sees when you do start jamming them.  What do they send to the operators who are responsible for calling the owners and police?  More importantly, how do you get around the alarm system snitching on you and ruining your day?

The first thing we need to go over is what a central station is.  To put it simply, it's no different than a Security Operations Center (SOC).  The operators have a terminal, and their job is to wait for various types of signals to come in, such as an alarm or a system trouble, and call the premises or owner to see if they want the police, fire department, or service to be scheduled.  One constant of all UL-certified central stations is that there must always be at least two operators in central at any given time.  This allows for some redundancy in case something happens to the other operator.  Central stations, however, can vary in size, ranging from tiny mom and pop shops to large call centers.  As for how busy they are, well, that depends on a few factors, such as service area, how many people are monitoring in that central station, weather conditions, and even things like time changes, which can affect how quickly alarms get processed.  If false alarms and the thought that messing up procedure on an alarm could get someone killed weren't enough, you also have to deal with angry customers screaming in your ear for doing your job, and the fact that, depending on your central station, you might not even get a proper break, as some consider the time between alarms your break time (nothing like nearly choking on your dinner because you have to start dispatching on a panic alarm...).  These stressors mean that your poor operator is likely to make a mistake that can be exploited.

This doesn't mean that we should just do away with human operators like some places have done.  What makes them so great is that with some experience in dealing with alarms, they can know when it is appropriate to go out of procedure to get the proper authorities to where they need to be.  We haven't learned how to program instinct into AI yet, and that is the greatest threat to any wannabe thief trying to get into your building.

Now, I mentioned procedure, but what do I mean by that?  Different alarms and signals have certain instructions on how to handle them.  Take burglary alarms, for example.  In commercial systems, when we receive a burglary alarm like a door, window, glass break, or motion detector, we have a primary and a secondary number to call.  Primary is likely the premises, and secondary is most often the owner or manager.  If we contact someone at one of those numbers and get a clear code, then we can disregard the alarm.  If not, then we call the police, and we then proceed to go down the keyholder list to see if it was one of them who set it off.  (This list can be as small as one person, or in some cases as large as 25, though I don't doubt that larger ones exist.)  If we contact someone, we can cancel if we get a code, see if they want to meet the police, then relay that information to them or continue on request.  If we reach nobody, we put the signal on hold for 30 minutes and, when that time is up, we'll get it again and call back for a resolution for our logs.  Fire alarms are similar, with the exception that we dispatch first, then start calling people.  However, as I mentioned earlier, there are times when you want to go out of procedure.  Perhaps the primary number always goes to voicemail after hours, for example; an operator could just skip that number, call secondary, then dispatch, and explain in their notes why they went out of procedure.  A more serious example would involve certain combinations of alarms, like a glass break sensor followed by a motion detector.  Procedure dictates that you take the two minutes before dispatch to call primary and secondary and leave messages on their voicemails because their phones are off, but because this combination just screams break-in, you would be justified in calling the police first, then calling keyholders.

As for system troubles, well, we're very rarely going to call police on those, but they will always result in a call to someone.  Typically, things that will cause a system trouble signal would be something like a power failure, low battery (for either a zone or the backup battery for the system), phone line failures, loss of RF supervision, temperature alarms, expander module failures, and RF signal jams.  Now, the low batteries and the power failures are self-explanatory, but what about the other ones?  Well, let's start with your phone line failure.  Alarm systems typically have a primary and a secondary phone line (in addition to things like a cellular uplink and/or a wavelink backup, but I digress...).  When one of those goes down, we get a notification and have to call to let someone know.

With a loss of RF supervision, what happens is that a wireless zone has stopped communicating with the alarm system.  This is normally caused by the battery dying, but can also be caused by the signal being jammed.  Don't get it confused with an RF signal jam, however.  An RF signal jam occurs when the wavelink backup (a backup transmitter that communicates over radio instead of phone lines) gets jammed out by something like a ham operator transmitting on the wrong frequency.  Of the two, the jam is more serious, because not only are communications between central and the alarm system being blocked, but wavelink systems often act as repeaters for other wavelink systems.  So if one is jammed, you may end up with multiple systems coming in with radio problems.

Temperature alarms are their own special thing.  They act as a trouble signal, but really what's going on is that we have a sensor that tells us if something is hotter or colder than what it's meant to be, and so we need to call up the premises or the owner to let them know.  This is normally something like someone leaving a freezer door open, or a server room getting too hot, and not something worth calling the fire department over.

Finally, we have an expander module failure.  This is something I never mentioned in the talk, but it's one of the few trouble signals that we do normally dispatch on as if it were an alarm.  Expander modules act as repeaters for the wireless zones in an alarm system.  Without that expander module, those zones might be out of range for the security system.  This means that if it goes out, an intruder may have a large portion of the building that they can go through without setting anything off.
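To make the handling procedure above concrete, here is a small model of how a central station works a batch of signals: burglary signals go primary, secondary, police, then the keyholder list, with a 30-minute hold when nobody can be reached; fire dispatches first; the glass-break-then-motion combination and an expander module failure go to dispatch before the call list; the remaining troubles only get someone notified.  This is an added example, not code from the article or from any alarm company.  The signal classes, call order and hold time come from the text; the Account and Outcome types and the simulated phone answers are constructed here so that it runs offline.

```python
"""Model of the central-station handling procedure described above.

Added example, not code from the article or from any alarm company.  The
signal classes, the primary/secondary/keyholder order and the 30-minute
hold come from the text; Account, Outcome and the simulated phone answers
are constructed here so the walk-through runs offline.
"""
from dataclasses import dataclass, field
from typing import Optional

HOLD_MINUTES = 30  # how long an unresolved burglary signal sits before a call-back

# Signal classes as the article groups them.  Fire dispatches first; an
# expander module failure is the one trouble signal dispatched like an alarm.
BURGLARY = {"door", "window", "glass_break", "motion"}
FIRE = {"fire"}
TROUBLE_NOTIFY = {"power_failure", "low_battery", "phone_line_failure",
                  "rf_supervision_loss", "temperature", "rf_jam"}
TROUBLE_DISPATCH = {"expander_failure"}


@dataclass
class Account:
    passcode: str            # the clear code a keyholder must give
    primary: str             # usually the premises
    secondary: str           # usually the owner or manager
    keyholders: list
    # Stand-in for the phone: number -> code the person gives, or None for
    # voicemail / no answer.  Constructed, not real telephony.
    answers: dict = field(default_factory=dict)


@dataclass
class Outcome:
    dispatched: bool = False          # police or fire department sent
    cleared_by: Optional[str] = None  # number that gave a valid code
    hold_minutes: int = 0             # nonzero when nobody could be reached
    reached: list = field(default_factory=list)
    log: list = field(default_factory=list)


def call(acct, number, out):
    """One simulated call: True = valid code, False = answered without one,
    None = nobody picked up."""
    answer = acct.answers.get(number)
    if answer is None:
        out.log.append(f"call {number}: no answer, left message")
        return None
    out.reached.append(number)
    if answer == acct.passcode:
        out.log.append(f"call {number}: valid code")
        return True
    out.log.append(f"call {number}: answered without a valid code")
    return False


def handle(acct, signals):
    """Work a batch of signals from one premises in the order they arrived."""
    out = Outcome()
    kinds = set(signals)
    contacts = [acct.primary, acct.secondary] + list(acct.keyholders)

    if kinds & FIRE:
        out.dispatched = True
        out.log.append("fire: dispatch first, then notify")
        for n in contacts:
            if call(acct, n, out):
                out.cleared_by = n
                break
        return out

    if kinds & (BURGLARY | TROUBLE_DISPATCH):
        # Out-of-procedure case from the article: glass break followed by
        # motion screams break-in, so police are called before anyone else.
        screams_break_in = ("glass_break" in signals and "motion" in signals
                            and signals.index("glass_break") < signals.index("motion"))
        if screams_break_in or kinds & TROUBLE_DISPATCH:
            out.dispatched = True
            out.log.append("out of procedure: police first, then the call list")
            remaining = contacts
        else:
            for n in (acct.primary, acct.secondary):
                if call(acct, n, out):
                    out.cleared_by = n
                    out.log.append("clear code: alarm disregarded, no dispatch")
                    return out
            out.dispatched = True
            out.log.append("no clear code: police dispatched, working keyholder list")
            remaining = acct.keyholders
        for n in remaining:
            if call(acct, n, out):
                out.cleared_by = n
                out.log.append("code received: can cancel or have them meet police")
                return out
        if not out.reached:
            out.hold_minutes = HOLD_MINUTES
            out.log.append(f"nobody reached: hold {HOLD_MINUTES} min, then call back")
        return out

    if kinds & TROUBLE_NOTIFY:
        out.log.append("system trouble: let someone know, no dispatch")
        for n in contacts:
            if call(acct, n, out) is not None:
                break
        return out

    out.log.append("unrecognised signal: escalate to a supervisor")
    return out


# Constructed sample account: premises and owner go to voicemail after hours,
# the first keyholder answers but fumbles the code, the second one clears it.
SAMPLE = Account(passcode="1234", primary="555-0100", secondary="555-0101",
                 keyholders=["555-0102", "555-0103"],
                 answers={"555-0102": "9999", "555-0103": "1234"})
```

Calling `handle(SAMPLE, ["door"])` walks both voicemails, dispatches, and is cleared by the second keyholder; `handle(SAMPLE, ["glass_break", "motion"])` dispatches before the first call is made; an account where nobody answers ends with `hold_minutes == 30`.  The `log` list on the returned `Outcome` is the note trail an operator would leave explaining any out-of-procedure step.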

Now, before we move away from procedures, I do want to elaborate a little bit more on wavelink backups, because they do perform an important function, in that they allow for something called dual-processing.  Dual-processing allows two operators to process an alarm at the same time.  This means that we can get the police called faster and contact keyholders faster.  The reason is that radio waves travel faster than the phone line, which has to dial out to central before sending the alarm.  That wavelink signal only tells us that it's an audible burglary alarm though, and not where it's coming from.  Dual-processing can be a great way to get faster response times; however, it can be a bit of a hindrance for other customers if your alarm company's central station is small.  If two people are handling what is basically one alarm, and the central station only has two or three people, it may lead to increased response times.  This is something you want to keep in mind when determining the type of system you would want and what alarm company to go with.

Speaking of alarm systems, what kinds are there?  In the talk I went through a few, including some instructions that would aid you in impersonating an operator, or prevent you from fumbling around the keypad trying to disarm the damn thing.  I won't go into as much detail here, as you can likely figure out what the panel is and then pull the manual up for it.  However, I can tell you how most alarm systems are set up, as well as mention one system in particular.

Alarm systems typically consist of your control box, the panel, sensors, and transmitters for communicating with central.  The control box is normally stored in a closet and is locked up, and contains the brains of the system.  Gaining access to this is the equivalent of gaining access to a company's networking closet (hell, they might be in the same room).  This is where all the sensors are connected, where your phone lines (POTS and/or VoIP) are connected, where your wavelink and cellular backups are connected, and where the alarm panel is connected.  I should note though that if you attempt to open this while the system is armed, you're likely in for a bad time, as there is going to be a tamper switch in the control box that'll cause the system to go off.

Many people (myself included) talk about the panel as if it's the entire system.  In reality, it's closer to your computer's keyboard.  Your typical alarm layout is a set of arming keys; a command key; and either dedicated buttons for panic or fire, or programmable buttons like A, B, or C that trigger an audible or silent panic alarm.  If you have access to the code, then look on the panel.  Most of the time if the 1 key says "OFF," then your disarm procedure is [code] and 1, otherwise you're likely able to just input the code and it'll disarm.  Security systems typically have three types of codes: owner, user, and installer.

Owner codes allow for use of all security functions, and normally are limited to one per system.

User codes can be programmed as arm or disarm only, as a duress code, or a guest code where it can only disarm if it was used to arm the system.

Installer codes are what the installer used to program the system.  Like the guest code, it can only disarm the system if it was used to arm, but it does allow for use of all security functions as well as other perks, like program mode.  Program mode allows you to do things like change phone lines, disable zones, and wavelink/cellular backups... however, it's not something you should rely upon getting.

This is because if the alarm company did their jobs correctly, the installer code should either be disabled from the panel or require a complete power down (from both the wall and the battery).  In addition, you'll need to gain access to the control box and flip a standby switch, followed by either having the manual ready to go for some tedious reprogramming or a way to remote connect to the system (known as ramming the system, or Remote Access Management).  The exception to this rule is the VISTA-20 system, also known as the Ademco 4140.  They're not seen much anymore, but they allow for easy reprogramming from the panel.  If you see one in the wild and it's disarmed, put 4110 into the panel.  This is the default installer code and, if it doesn't scream at you, 800 will drop you into program mode.  Do keep in mind though that a lot of the same things apply, like sometimes requiring a power down or being locked out completely.

So, we're 2,089 words into this article, not counting the words in this sentence - when do we get to the exploits?  Right now, actually.  Remember at the start when I asked you what you saw when you walked into a building?  You may see motion detectors, door and window contacts, glass breaks, but you likely don't see everything.  You might not see what type of panel they're using, or if they have any sort of backup communications.  This is where the alarm certificate comes in, an invaluable tool for recon that you can get without looking like a goon casing a joint.

The alarm certificate is a document your alarm system gives your alarm company that tells them what type of alarm system you have, if it has a wavelink or cellular backup, what types of zones are installed, what police department and fire department will respond, how long the system has been online, and if it is actively monitored.  While this won't tell you where everything is, this is enough information for you to get a game plan started, and know what you can and can't do to get inside.  The best part is that you likely won't even need a code to get one of these.  You can just pose as an insurance company and call the alarm company up and ask for one on behalf of your customer.  Just provide a fax number or a legitimate enough looking email, and you will likely get your alarm certificate.

Now that you know what you're up against, let's talk about the weather.  There are a few weather conditions that you can plan for that will make certain methods of entry more viable than others.  Take thunderstorms, for example.  Thunder and lightning tend to be rather annoying for users and operators alike, due to the light from the lightning setting off motion detectors and the thunder setting off the glass breaks.  Under normal conditions, as I mentioned earlier, this would result in some operators just skipping calling primary and secondary numbers and going straight to dispatch, but not here.  We know this is likely a false alarm.  What happens 90 percent of the time is that we call our customer and they mention that it's likely the storm, and request a disregard for all signals for the night, or at least the motion detectors and glass breaks.  Alternatively, we may not contact anyone and call the police, and they may just refuse to go out because of how often it's happening.  Either way, a storm is a great excuse to either try to go the covert route and pick your way in (I'd use the front door for this or else you may set off the alarm, as some doors are set to go off instantly), or the destructive route, and just chuck a brick through the window.  It's not like the system or the operators can tell the difference at the moment.  I would keep in mind that if you do go tossing bricks, however, the sound of the glass may carry as much as the sirens, and if you jostle the frame too much, you may also set off a window contact, which may arouse suspicion even if there is a disregard for the account.

Another weather condition you can take advantage of is extreme cold.  This does two things.  The most likely thing you may come across is frost forming on a window, causing the glass break to go off.  If you know it's below freezing, this may be an opportunity for destructive entry by breaking the window.  Just keep in mind that while there may be a disregard on glass breaks, there likely isn't one on motion detectors.  Another thing that commonly happens during these conditions is that the contacts on windows and doors tend to pop off their surfaces, causing false alarms.  This happens because water will get in between the surface and the adhesive and freeze, then thaw, and freeze, and, after enough times, it'll just give and pop off.  This makes jimmying open a window or getting through a door a little more viable.

High heat can also cause sensors to start falling off doors and windows.  This time it's because the heat is causing the adhesive to weaken.  Eventually, the door or window contact will just fall off the door or window.

Wind can also be used to your advantage.  Strong gusts tend to rattle doors and windows, causing enough trouble that they're likely not to be taken as seriously by the users or alarm company.  What you want to do here is go to a door and rattle it hard in an attempt to trigger the alarm, then go and wait somewhere you can watch but aren't clearly in view.  I say this because there may be cameras on the inside.  The owner will get the call that the alarm has gone off and check the cameras.  If there's nobody there, then that zone may be disregarded.  However if nobody picks up, then the cops are going to be sent to check it out.  You'll want to wait about 30 minutes to see if the police are coming, 45 minutes if the conditions are particularly bad, as that would cause delays in the response time of both central and the police.  If nobody has come, then go ahead and try to get in through that same door.

That previous example gives me an opportunity to segue into another technique called the police disregard.  So, let's say that while you were waiting, the police came, checked out the premises, then left.  Instead of going in, which may cause the alarm to sound again, continue to rattle that door, then run back to where you were waiting.  This annoying game of ding dong ditch will summon the cops again, and again, and again until the police just refuse to go out there again.  There is some risk involved with this, though.  Depending on where you are, and how many f*cks your police department gives, they may decide to stake out the area instead of just leaving.  The business can also be fined for a flashing alarm as well, so this may not go over well in your pen-test report.

If you cased the outside of the building, you may have some additional clues as to how you can get around certain zones in the alarm system.  For example, have they had any recent bug or rodent problems?  An exterminator vehicle outside or bills found through Dumpster diving may let you know.  Bugs can often set off motion detectors by crawling on them, flying around, or making nests.  Rodents are often big enough to set off motion detectors as well.  If this seems to be a recurring problem, then they may have motion detectors disabled until it's taken care of, or a disregard on motion detectors, which would still cause the alarm to sound, but at least you won't have the cops called on you.  This also applies to pets.  Sometimes people will bring animals to where they work, or have office pets.  Dogs can not only set off motion detectors, but also glass breaks with their barking.  Cats almost inevitably set off motions.  They might not always be visible from the outside, but if you do notice something like a stray cat around the building, and it's cold out, you may have some disabled motion detectors inside.

But what if you want to just shut the system off itself?  Well, here's where some social engineering comes in.  Have you noticed how every place with an alarm system has a "protected by" sticker on the door or a sign out front?  Those will often have the number of the alarm company on them.  What you want to do is spoof that number, then call the business (or the owner if you have access to their number) and say that you're with their alarm company and you are noticing a system trouble like a low battery or a phone line failure, and that it restored (meaning that the problem fixed itself) but you just needed to let someone know about it, then ask for their code.  Most of the time, you'll get the code because to them it's as if you're speaking in tongues, and they just want to be left alone if it's not serious.  Now, depending on what you're given, you have two paths.  If you are given a numeric code, likely four digits but sometimes up to six, that's likely the code to disarm the panel.  Sometimes they'll give a five-digit code, with 1 at the end, and all that means is that the real code is the first four numbers, then the 1 key to disarm the system.  If you're given a word, then you have some extra work to do.  Now you need to call central up and pretend to be the user.  You can ask for a list of usable codes, or add a new one.  Just know that things like code changes will often take a full business day to go into effect.  In addition, sometimes another person is notified of the change.  Once you have your codes, you can start your break-in.

You get into the building and disarm the system.  Great!  But why is the phone ringing?  Congrats!  You opened up outside of normal hours and caused an invalid opening!  Don't panic, this is standard procedure, you're at the home stretch.  Pick up the phone and give a name (preferably one of an employee, but any one will work in a pinch) and the code you entered into the panel.  Bam!  You're done, time to pillage.

Now, I was saving this last one for the end for a reason.  For context, we had a customer who ran a warehouse and he didn't have motion detectors installed.  Well, someone noticed this and waited until after everyone had gone home before coming back with a van and, I shit you not, cutting himself a new door so that he could avoid setting off the door contacts.  He then proceeded to rob this customer blind, and there was nothing we could do because he didn't set off any of the alarms.  I'm not saying that you should go and cut a giant hole in a wall if you notice that there are no motion detectors.  After all, it's impractical, dangerous, and will likely get your ass kicked if caught... but, should the opportunity arise, well, you only live once.

So, we've covered some ways to get around alarm systems that aren't often talked about, but what about how to harden your defenses to mitigate these attacks?  Well, the first bit of advice I would give is to never let someone request an alarm certificate on your behalf.  Knowledge is power - don't give it away so easily.  What you want to do is tell your central station that only the owner should be able to request one, and to require a code before sending one out.  Another thing you can do is notify a manager or owner if someone opens at an odd hour, causing an invalid opening.  That added verification can prevent significant losses, both from outside attackers and insiders.  In addition to that, each user should have their own code with their name on it, instead of just something generic like "opener" or "manager."  This gives accountability to all the keyholders on the account and allows the owner to see who is going in at what time so they can decide if police need to be called.
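The two pieces of advice above (flag odd-hour openings to the owner, and give every keyholder a named code rather than a generic "opener") are the kind of check a central station or an owner can run over the panel's open/close history.  Here is that audit as an added example, not code from the article or from any alarm company.  It also applies the code rules from earlier in the article: a guest code that only disarms if it was the one that armed, and a duress code that disarms but should be treated as a silent panic.  The user list, guest and duress codes, business hours and the event log are all constructed for the walk-through.

```python
"""Audit of arm/disarm events against the hardening advice above.

Added example, not code from the article or from any alarm company.  The
per-user code list, the guest and duress codes, the business hours and the
sample event log are all constructed for the walk-through.
"""
from datetime import datetime, time

# One code per person, with a name on it.  "opener" is included only to show
# what the audit flags: a generic name gives no accountability.
USERS = {"1234": "A. Rivera", "5678": "B. Chen", "0000": "opener"}
GUEST_CODES = {"2468": "cleaning crew (guest)"}  # may disarm only if it armed
DURESS_CODES = {"4321": "A. Rivera"}             # disarms, but central treats it as a silent panic
GENERIC_NAMES = {"opener", "manager", "user"}
OPEN_HOURS = (time(7, 0), time(19, 0))   # constructed business hours
BUSINESS_DAYS = {0, 1, 2, 3, 4}          # Monday=0 .. Friday=4


def within_hours(ts):
    """Is this timestamp inside the hours when an opening is expected?"""
    return ts.weekday() in BUSINESS_DAYS and OPEN_HOURS[0] <= ts.time() < OPEN_HOURS[1]


def review_disarm(ts, code, armed_with):
    """Classify one disarm.  armed_with is the code that last armed the panel."""
    flags = []
    if code in DURESS_CODES:
        name = DURESS_CODES[code]
        flags.append("duress")
    elif code in GUEST_CODES:
        name = GUEST_CODES[code]
        if armed_with != code:
            flags.append("guest_code_did_not_arm")
    elif code in USERS:
        name = USERS[code]
        if name.lower() in GENERIC_NAMES:
            flags.append("generic_name")
    else:
        name = None
        flags.append("unknown_code")
    if not within_hours(ts):
        flags.append("invalid_opening")  # the odd-hour opening the owner should hear about
    return {"when": ts.isoformat(), "user": name, "flags": flags,
            "notify_owner": bool(flags), "dispatch": "duress" in flags}


def audit(log_lines):
    """Walk "<iso-timestamp> ARM|DISARM <code>" lines in order and return one
    finding per disarm."""
    findings, armed_with = [], None
    for line in log_lines:
        stamp, action, code = line.split()
        ts = datetime.fromisoformat(stamp)
        if action == "ARM":
            armed_with = code
            continue
        findings.append(review_disarm(ts, code, armed_with))
        armed_with = None
    return findings


# Constructed event log for one account (ISO timestamps, local time).
SAMPLE_LOG = """\
2024-03-11T19:30:00 ARM 2468
2024-03-12T07:10:00 DISARM 2468
2024-03-12T19:05:00 ARM 1234
2024-03-12T22:40:00 DISARM 5678
2024-03-12T23:05:00 ARM 5678
2024-03-13T07:30:00 DISARM 4321
2024-03-13T19:00:00 ARM 1234
2024-03-14T07:15:00 DISARM 2468
2024-03-14T19:00:00 ARM 1234
2024-03-15T12:00:00 DISARM 9999
2024-03-15T19:00:00 ARM 1234
2024-03-16T09:10:00 DISARM 0000
""".splitlines()
```

Running `audit(SAMPLE_LOG)` yields six findings: the Tuesday morning guest disarm is clean because the same code armed the night before, B. Chen's 22:40 disarm is an invalid opening, the duress code is marked for dispatch, the Thursday guest disarm is flagged because a different code armed, the unknown code has no name to attribute, and the Saturday "opener" disarm is both unattributable and out of hours.  Every flagged entry sets `notify_owner`, which is the verification step the article recommends.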

Another bit of advice I can give is to trust your gut when you get a random call from your alarm company.  If something seems off, hang up and call them back.  If that random system trouble is real, then it's still there.  If it's not, then you may have just avoided someone trying to steal your code.  An added precaution you can have is to require a code from central, so that it goes both ways.  They confirm their identity with their code, and you confirm yours with your code.

Finally, the single most important bit of advice I can give you is to be kind to your operators.  This isn't just because I am one, but because if you're known to be rude, you may end up with slower response times, because nobody wants to call you.  You may not be notified of trouble signals in a timely manner, or in some cases the operators may call the cops on you out of spite.

Conversely, when you're kind to the operators and build a relationship with them, they'll make sure to watch your back.  There will be fewer misunderstandings on instructions, and you can get a little bit of insight into how they're doing.  After all, if an operator starts to sound exhausted constantly, they may be overworked, which could be a sign that things aren't going well and you need to change companies.

I'd like to close this out by saying that if you do anything here, just be careful.  Some things you do may have collateral damage.  If you have any questions or corrections (because I'm not perfect), feel free to reach out on my Twitter (@SauronLazy) and let me know.

Plunder well.
