Schneier on Security
A blog covering security and security technology.
« Architecture and Security |
| Security and Class »
October 19, 2006
Lousy Home Security Installation
Impressively bad. (Yes, it's an advertisement. But there are still important security lessons in the blog post.)
1. The keypad is actually the control panel. This particular model is called a Lynx and is manufactured by Honeywell. However, most of the major manufacturers have their own version of an "all-in-one" control panel, siren & keypad (Here is a link to GE's version). These all-in-one models were designed to simplify installation and are typically part of "free" or low-cost alarm systems. They are all equally useless.
The most important problem with systems like this is the fact that you need to have a delay time in order to open your door and get to the keypad each time you enter your home. So, when a crook breaks in, they also have the same amount of time. If the crook follows the sound of the beeping keypad they will be standing in front of not only the keypad, but the brains of the alarm system. So, rather than punching in a valid code, the crook could simply rip the entire unit off of the wall.
Provided that they rip the panel off of the wall before the alarm sends its first signal, it will never be able to send a signal.
2. If point #1 wasn't bad enough (or maybe because the installer who put the 'system' in realized how useless it was going to be) the power supply for the system is located right beside the keypad/control panel. Unplug the transformer (which is just barely able to stay plugged in as it is) and the alarm loses power. This provides a really convenient way for someone to either accidentally or intentionally unplug the system and wait for the back-up battery to die.
3. Even worse, the phone jack has also been located beside the power supply. The phone jack is the alarm systems only connection to the outside world. If it gets unplugged, the system cannot communicate and a crook would not have to go through the hassle of ripping the panel off of the wall.
Posted on October 19, 2006 at 9:46 AM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
My understanding of alarm systems monitored by phone line (and I'm thinking specifically of the BT "redcare" system) is that they don't need to send a signal to alarm so much as cease sending one regularly...
Frankly any alarm system that can be rendered useless by removing the phone line is useless as that can usually be cut from outside the building!
I don't think #2 is much of a point; on my system at least the backup battery is good for several hours, and I don't think people present illegally will wait that long for it to run down.
(My system also has the keypads and the alarm separate from the controller.)
Kieran, that's not the way either of the two alarm systems I've had have worked; they both made an active call when something triggered them. One can get cellular or radio backup connectivity for a system, which renders cutting the phone line useless.
Also in the UK most external alarm sounders have their own battery charged from the main unit, you gut the trickle charge and the sounder goes off so atleast people in the very near vacinity are aware that something might be happening.
However in London you get so many false alarms that most people ignore them or get upset.
Did you intend to put in a link for the GE system? It's not showing up in my browser.
The panels I have seen do communicate regularly with the central monitoring system via telephone and/or analog cellular as a backup. If the panel fails to "ping", the monitoring system will generate a wire cut alert or similar notification for radio outage. The humans monitoring these events are trained to respond to them as if they were burglaries. This is in addition to sending codes for other break-in conditions the panel receives from sensors: motion detectors, glass break, door strips, etc.
It seems as if a regular, cryptographically-authenticated "all OK" signal would address all of this. Of course, I'd want to have a somewhat more robust source of power and comms before using that to reduce false alarms...
As noted before, phone lines can be cut outside the home. Cell phone and radio backup can be easily jammed. Jamming is illegal, of course, but that's not going to stop someone already doing something illegal. Compared to the penelties for robbing a house, penelties for jamming don't even seem that severe:
The original post is as much (or more) of an indictment against the specific 'all-in-one' models of security systems rather than simply the installation of it. The problem is that these all-in-ones are being sold as part of many of the low-cost security systems in people's homes all over N. America... by big companies whose names people trust. They only learn of these faults after a burglary.
In this particular model (the Lynx) the back-up battery is incapable of holding the power for much longer than an hour or two. The risk pointed out with this installation is that if someone was in the house (ie. nanny, workman, etc.) he/she could unplug both the power and phone lines while inside and then easily return later without detection.
re: the pinging issue: the only way to maintain a continous connection with the central station is to have a dedicated phone line that is not used for anything else, that way the alarm can ping back and forth all day long. However, in most homes, people share the phone line that they use for voice calls with the alarm... so the alarm is only programmed to take the phone line to send an alarm signal. In terms of cost, it is often cheaper to have a cellular back-up that will send all signals wirelessly than it is to maintain a dedicated line and pay for the non-stop pinging.
The problem with these all-in-one panels is that they are marketed to people who cannot afford to have a proper system installed ... the only goal is to get something into the house as cheaply as possible so that the alarm company can get a recurring revenue stream from the monitoring.
The main point I was originally trying to make was that if this is what people are counting on to protect their home, they might be better off without monitoring and using that money on better locks, doors, glass, etc.
At our company, our sales people are forbidden from selling these systems. When we come to a house that already has one to look at taking over the monitoring, we also refuse to monitor the equipment even if it was installed by someone else. This stuff is that bad.
It's not that hard to fix, but without the adjustments, there is no security being offered.
This is why real security systems have redundant lines, cellular backup, and redundant power. Not to mention a system at the other end of the line waiting for anything beyond normal reporting to happen, at which point, someone is called and officers are dispatched. If someone is willing to a) cut power to the building, b) cut phone lines, and c) do this while carrying a cellular jammer, the interruption will still be noticed and dispatch will happen.
I had one of the cheap alarm systems in my condo. There was the keypad, which connected through a wall into a closet, then about 3 feet of wire into a locked box which supposedly contained the heart of the alarm system. From there was another wire to phone plug.
The craziest thing in my opinion was the the siren was left outside the locked box. It had two tiny wires going into it. When my place was broken into, the burglar cut one of those wires and the siren was never heard. When I asked the alarm company guy why such a brain-dead design, why not place the siren inside the locked box, he said that the siren is louder if it is outside the box. Argh!
So yeah, in my experience a cheap alarm system is not very effective as an alarm system. It may have some deterrence against casual burglars, but anyone who has seen those before does not need to worry about them. To the homeowner they do provide a minor benefit: if your place is burglared, some alarm companies will actually pay the deductibe of your home insurance. Of course, the longer you have the system without burglaries the less attractive this deductibe payment becomes.
Couldn't it just dial in immediately and signal the entrance and then either dial in a second time or stay on the line until the delay expires and signal that the code has been entered?
Not that I have much confidence that it does anything like that.
Higher end systems these days don't use dedicated lines any more since dedicated lines have become much more expensive. Instead they use the cell phone network as a backup system.
Someone mentioned this idea on Reddit also. It seems like a good idea at first, but do you want your alarm system dialing out and keeping the line open for probably 30 seconds every time you come home and disarm the system?
I had an alarm system like that once in an apartment I owned. It served its purpose admirably by raising the resale value more than the cost of the system.
My "real" security system was an insurance policy.
You know, you don't even need to destroy anything. Unless the homeowner has sprung for a second line exclusively for the alarm, all the crook has to do is pick up the nearest phone and dial out, to an accomplice at a payphone, or a 900 number, or anything. The system can't send a signal to the monitoring company while the phone is engaged, so the thief is free to steal whatever he wants.
Security systems can have some effectiveness, but they take a lot more effort and expense than most are willing to spend on it. Anything less, and it's simply more security theater.
As I recall, didn't burglar alarms used to run on an inexpensive dry pair? Also called an "alarm" pair, sans dialtone, I think they usually ran on the other bundled pair running into the house, hence allowing keepalives and lack of interference from regular phone calls. This "alarm pair" was co-opted for DSL in more recent years, which may explain the (otherwise inexplicable) running of alarm over the regular house line.
Anyway, keepalives over cell seem to be the right solution, and with throwaway phones costing next to nothing, I can't figure out why even the cheapest systems couldn't offer this, except to cause an artificially low entry price point.
"However in London you get so many false alarms that most people ignore them or get upset."
When I worked designing alarm systems for one of the market leaders a few years ago the false alarm rate in London was 98%, i.e. 2% were real breakins.
We figured that if we built a slightly more expensive system which would reduce the false alarm rate to 50% we'd get support from the insurance companies and police in the form of lower premiums and better response times.
Needless to say the idea bombed, most of these systems are just for show :(
Most people I know don't use the alarm. The rely on the "This home protected by company XXX" sign or window stickers to be detterent.
I was in one home were the owner mounted a siren on the roof over his garage and installed a key pad that was visible from the window next to his door. He wired the pad so the arm light would blink, but the rest of the system was non-functional.
He was a police officer.
"We figured that if we built a slightly more expensive system which would reduce the false alarm rate to 50% we'd get support from the insurance companies and police in the form of lower premiums and better response times.
Needless to say the idea bombed, most of these systems are just for show :("
I think we are all missing the point, an alarm system is not realy a security device for the average house/person, just a tick box on the insurance premium form.
So free market economics would sugest as long as you have a box on the wall marked alarm (even if it contains nothing) you are better off because you pay less for the same level of cover...
In the UK you can by an alarm system from a DIY store for less than 200 Euro's/USD and install it yourself in a day. The same thing from an alarm company will cost you around 2500 Euro's/USD installed in your home, plus the anual maintanance fee of 200 Euro's/USD...
So the question is why bother fitting an alarm...
I had a conversation with a house braker several years ago about what encoraged / discoraged him and he made the following observations over a friendly pint,
1, Do the house owners look like they have anything to steal? ie nice tidy garden well kept exterior, packing boxes from expensive consumer items in the garbage, oh and shiny brass numbers on the door.
2, Do they have a dog or other animal that might raise an alarm?
3, Do they have easy/concealed entry? apparently plastic double glasing is favourity because you can open it in less than thirty seconds with a small screwdriver, nice hedges and fences are good as they cover your entry into the property (usually through the kitchen window or French windows in a house).
4, Can you easily check if somebody is home? Look for changing lights and movment in the evening and listen for radio / TV through the letter box during the day apparently you never knock as you will always be remembered...
6, What is the name of the people living there? This is very to find out in the UK and it alows you to say you are working for them if chalenged. Write the address and name on a bit of paper along with any old mobile phone number (or look up the local land line dial code and just invent the last four digits).
He only mentioned alarms after all this, and he said the best thing for an external alarm if you can reach it is that "expanding foam" in an airarsole as it mutes a piezo sounder or stops a bell ringing, otherwise just ignore it everybody else does. As for the telephone, home systems do not have "RedCare lines" nor do the managing companies phone them up, so just pull out the wires from the external junction box on the house wall.
I also asked him what scared him most, he said a dog without a bark, and CCTV as you never know where it might be recorded and you don't have time to look.
He also mentioned how you deal with a neighbour or somebody else who chalenges you. Apparently it workes just about every time.
Along with the bit of paper from 6 have a couple of keys on a new cheap key ring and have them in your hand. You say to the neighbour you have come to sort out Mrs Smith's (or whatever the name is) badly flushing toilet (it is slow to refil).
If they ask why you don't have tools you say they are in your car just down the road/around the corner, and as most toilet flushes need only the ball cock adjusting which you could do by hand, you thought you would look and see first before luging up your tools.
You then go on and try the keys in the lock and (as they don't fit/work) you say that's odd and get out your bit of paper and your mobile phone out and dial the number. Move around a bit as though you are having trouble getting a signal, but realy use it to make sure you have a clear escape route. Then as the number will not work or be wrong ask the nosey person if they have the right number...
Apparently 99 time out of 100 they belive you and either get you the number (if they have it) or comiserate with you, and you just walk slowly away, after asking them if they have any little plumbing jobs that might need doing. They then almost entirley forget what you look like...
So based on that you would be better of making your house look a bit run down, not have nice things on display, and leave a radio or TV on whilst you are out, oh and get some external lights and timer lights for your house, and tell your neighbours that you do your own DIY and trades people will never call...
So, the continous monitoring is known as UL Installation No. 1, Grade AA Requirements. It's typical of what a small branch bank might have. Some other tricks involve aggregating the lines into cables with as many conductors as possible, which makes it hard to identify which to cut. Modern banks apparently use several alarm sensors, and only alert if two go off within a short period of time. They also have some neat ones for vaults like "sound integrators", which basically measure sound levels over time, and if the cumulative value (weighted exponentially probably) goes over a threshhold, it alerts.
In John Carrol's excellent book "Computer Security" (in publication since the 70s), he discusses "interlocked alarm circuits", where to defeat one alarm one must defeat all the communication circuits interlocked with it. Supposedly this is what defeated a 1975 burglary attempt on Brinks in Montreal.
Does anyone have any idea what a set of circuits like that would look like? My intuition tells me you could interlock three differential voltage sources in a triangular formation, where severing one link would cause the voltages to rebalance over the other two circuits, but I haven't thought this through and would _really_ appreciate any information or speculation on this (as long as it's informed speculation).
Although a high-end cat burglar may have the know-how to jam cell phones, most criminals are dumb. So dumb they aren't employable, or are too lazy to learn a skill, like lockpicking. Heck, most locksmiths don't do it, either. If I read the FCC regulations properly, you can use HAM bands to send a recorded message if it involves protecting life or property.
If you're worried about someone kicking in your door, check out mul-t-lock's ball bearings; they extrude from the bolt, trapping it in the door frame. Why ball bearings? They're standard parts, available in hardened steel, and not easy to shear. However, Medeco locks have better characteristics when it comes to high-end attackers who know how to pick locks (mul-t-locks are vulnerable to "bumping").
BTW, Matt Blaze's site (www.crypto.com) has some really neat papers applying cryptanalytic techniques to physical security.
We have a clever solution to the line cut issue for legacy alarm systems.
Our solution is installed onto an existing system in the home. We add two upgrades to existing systems - first, once our Link is installed, your system is monitored over broadband, wireless and a phone line. Completely redundant and all channels are monitored in real-time. If your line gets cut or your broadband goes down, etc., we can send you an email or SMS message. Secondly, we give you remote access and control of your alarm system. You can arm/disarm, set up user codes and monitor all aspects of your home from any Internet connected device. Our solution is also configurable to alert the customer about any event that the existing system picks up - even if the system isn't armed. One cool application of this is the ability to be notified when your childrn get home from school. Our service also includes the traditional central station monitoring as you would expect.
Check out http://www.ucontrol.com if you are interested.
On my home phone, I took out the phone line they put in and ran it underground out of site into the home. I then placed a line from the now dummy phone jack and buried it in the ground a few feet and tied it around a rod to keep it from pulling out easy if they tug on it. If it is cut or shorted it is actually wired as a zone on my alarm and it sounds and dials out over the real phone line I hid. I'm sure the phone company would frown but I felt it a good solution since I traveled a bit with my job for weeks at a time.
I have a Lynx system and there are a few things to mention. I ALWAYS set my system for "Instant", which means there is no delay time once the alarm is triggered, the system immediately dials. By the time the burglar ripped the system off the wall, it would be too late. For instance, I've tripped it before by accident and run to the panel and poked in the code and even in those 5-10 seconds, the alarm company called the house. Also, the alarm system can seize control over the phone line. If someone is on the phone and the alarm is triggered, that person will be disconnected and the alarm will dial out. Furthermore, all of my phone lines are buried and the one to the unit on the inside goes through the wall and isn't seen externally. Lastly, the battery backup lasts 24 hours and I've personally witness it lasting 5+ hours. These all-in-one systems aren't as bad as some people make them out to be.
The main point is that the penalty isn't severe enough.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.