Vivint branded 2GIG GoControl panel hacked, compromised and disabled

You might want to enable the panel’s jamming detection… which by default is disabled on all 2GIG GoControl panels. Set Q65 to (1).

Apparently the jamming detection capability has a vulnerability though that might render it ineffective… According to the article anyways, but it should be noted that no Vivint branded 2GIG panel has jamming detection enabled by default (Q65), and they lock Users out of making Q configuration changes themselves.

The findings/hacking technique is scheduled to be made public next month.

Summary of the article regarding the testing done on a Vivint branded 2GIG GoControl panel:

"Lamb had been doing research on the way popular security systems, such as those from Vivint and ADT, can be turned against their owners to spy on their activity or suppressed so that they fail to go off when an intruder enters the home. His co-worker had a 2GIG Go!Control panel from Utah-based Vivint and was willing to be a guinea pig. Lamb asked the birthday celebrant to arm the system and then let the guests wander normally. The alarm did not get triggered as it should when the system’s armed and a door opens, and the Vivint central control station that would call the police when such a thing happened did not get a heads up. Lamb was able to suppress the alarm through intercepting the system’s unencrypted wireless communications with the sensors around the home, and sending his own signals to the main controls.

Vivint and another security company with the vulnerability that asked the researcher not to name it both said they have a jamming detection feature in their wireless security systems, though Lamb says he was able to program around it and that the companies didn’t detect his suppression of their alarms. Vivint’s vice president of innovation Jeremy Warren said the company is investigating the vulnerability that Lamb found in the jamming detection with plans to fix it. He also said that Vivint has never actually detected anyone jamming a system’s signal. As for the spying that could be done by a techno-lurker, Warren said it’s easily replicated by a person without an SDR sitting outside the house watching people opening windows and doors. Lamb though says that an adversary could make an embedded system to stash in the vicinity of a home to gather information all the time.

Lamb argues though that SDRs are getting cheaper and more ubiquitous; a simple one goes for $10 on Amazon.

Lamb plans to present his findings in Las Vegas next month."

  • FYI the method to do the above jamming/hacking requires a “Software Defined Radio”, which as stated above runs approx $10 on Amazon.

Source: http://www.forbes.com/sites/kashmirhill/2014/07/23/how-your-security-system-could-be-used-to-spy-on-you/

This constant game of cat-and-mouse between hackers and security companies (alarm, web, physical, all of them) is disturbing. At least there appears to be a one month head start for 2GIG to try and make some modifications to prevent such an attack before the exploit is fully in the wild… I am a little concerned that there might not be a fix for this… IMHO, if the Honeywell protocol between sensors and the panel is unencrypted, preventing an attack might be extremely difficult. If it is unencrypted, intercepting the communication between a sensor and the panel is fairly trivial, and then the issue simply becomes being louder than the sensor with communications of sensor status. Encrypting these signals would be best, but would require, I would imagine, hardware changes (at least on the sensor end) and a complete revamp of the protocol, essentially making all current sensors obsolete. I would guess an improvement of the jamming detection algorithm would be the only way to try and detect such an attack and alarm in the case of detection, but that’s just another thing to be overcome rather than a long-term fix.

That’s a very interesting article with some very useful information. Thank you for posting it. I will follow up with 2GIG to see what their plan for resolution is.

Actually Stacy, the vulnerability/hacking method to disable 2GIG goes public in a little over a week (Aug 7-10) at the DEFCON hacking conference in Vegas at the Rio Hotel & Casino.

Since it is 2GIG/Vivint default configuration to disable jamming detection (assuming jamming detection isn’t faulty itself and vulnerable to spoofing), I would say 99% of ALL 2GIG users are vulnerable. Vivint alone has near 800,000 customers using the 2GIG Go!Control panels.

So rough estimation is over a million vulnerable systems.

Come to think of it, I bet this is the reason why the GC3 release has been rumored to be pushed back to Q2 2015 as discussed here:

All of the 2GIG panels use the same sensors/unsecured wireless communication protocols… which includes Vivint’s Sky panel.

Vulnerable 2GIG panels:
2GIG Go!Control
2GIG Go! 2.0 (aka Vivint Sky Control)
2GIG GC3 (Go!Control 3)

This is why I prefer the GE/Interlogix sensors; they have a rotating algorithm on 319.5 MHz, whereas the Honeywell and DSC sensors are pretty much the same every time. But when it comes to hacking the sensors, how would the hacker know your system type if you were with a small local company? Vivint I can see hackers know what they use. But how would a burglar know the placement of your sensors? Would they spend the 1,500 dollars to buy this tool? Would they even bother? If a professional burglar wants to get in your place they will… These systems are more for deterrence than anything.

@Corxxgold

$1500?… No. Try $10 (on Amazon).

They don’t have to know the location of your sensors… all they have to do is place the SDR outside your home, and it intercepts the unencrypted RF wireless signals as they communicate with the panel. As you open doors/activate the sensors it gets the info for them. The rest I suspect is just a simple software program that any hacker/programmer can write and run off a notebook PC.

Lamb is making it all available at DEFCON in a week.

Rive – The way I read the article, Lamb was able to get around the jamming detection: “…both said they have a jamming detection feature in their wireless security systems, though Lamb says he was able to program around it and that the companies didn’t detect his suppression of their alarms.” That’s why it seems, at very least, there needs to be work done on the jamming detection.

I’m not sure what could be done, even on the 3.0 panel unless they’re willing to make all sensors obsolete and move to a new generation of sensors. I’m sure someone much smarter than me is working on this, so I guess we’ll see.

Oops correction.

Logan Lamb is the Speaker at the upcoming “Blackhat USA 2014” in Vegas Aug 2-7 (not Aug 7-10).

This is his plan…
“In this talk, I will demonstrate a generalized approach for compromising three systems. We will suppress alarms, create false alarms, and collect artifacts that facilitate tracking the movements of individuals in their homes.”

Attached is 2GIG/Linear’s official response to the article in question.

GoControl-System-Security-Letter.pdf (186 KB)

So basically, they say “enable RF jamming detection” (which by default is disabled).

This effectively would render nearly every single Vivint panel vulnerable, as they lock out panels with Q65 disabled. No Vivint panel will be able to detect the jamming. (I doubt Vivint intends to backend over 800,000 panels to enable Q65 in any event, and from what I can gather this isn’t even a configurable option on the Sky panels.) Not to mention that most Vivint systems only have a handful of sensors, and no image sensors at all (which operate on the 900 MHz frequency instead of the normal 345 MHz frequency of the normal sensors).

If say the front entry (or any single entry point) is suppressed, and there are no image sensors or other interior sensors like PIR motions… then the system will fail because multiple sensors are not triggered…

Another problem I see with this is the fact that Lamb states he is able to intercept the unencrypted data transmissions (of the, I assume, 345 MHz signal communications), and “spoof” the sensor data packets so the control panel thinks it is getting legitimate transmissions from sensors that are actually jammed and unable to communicate.

My understanding is that all of the sensors constantly send unencrypted, open transmissions to the panel (supervision/sensor status), so even interior sensors like the PIR motions can in theory be intercepted and then spoofed, so instead of an “Open/Activated” the panel receives normal “OK/closed” supervision/sensor status from the jammed/spoofed sensors.

Even though I think 2GIG is blowing smoke, we will all find out soon enough, as Logan Lamb plans on demonstrating his method of disabling the panel and circumventing the RF jamming detection next week at Blackhat.

He will be presenting at DEFCON too. I’ll be there and will attend the presentation.

I’ll post the presentation materials here when I get to the con (they put all of the slide decks on a CD given to attendees).

Again, another reason to use GE sensors for their encryption, and the Qolsys panel

@corxxgold - I was surprised to see that GE sensors use encryption. I wasn’t able to find any documentation about how it works. Do you have any references?

“$1500?… No. Try $10 (on Amazon)”

The $10 SDR cannot be used to perform the jamming. The low cost SDRs can only receive the signal for analysis. You need something like a USRP with a tx card to do the jamming.

Did anyone see the presentation?

EDIT: Scratch that… looks like they pulled the presentation (originally scheduled for Sat Aug 9th):

“Two more talks pulled from Black Hat hacking conference”
http://uk.reuters.com/article/2014/08/04/us-cybersecurity-hackers-talks-idUKKBN0G419O20140804

FYI The three companies Logan Lamb was gonna expose in DEFCON and Blackhat for security vulnerabilities in their panels were Honeywell, ADT, and Vivint.

Looks like they may have threatened Lamb, so he pulled out.

Below is a quote from NPR http://www.npr.org/blogs/alltechconsidered/2014/08/08/338776873/when-hackers-test-for-flaws-they-might-earn-cash-or-threats

"Take security researcher Logan Lamb. He was supposed to be on stage giving a presentation. Instead he’s standing in a corner, literally trembling as he talks.

“I was going to be presenting,” he says. “Because of these pressures put on me, I can’t now.”

Lamb won’t spell out the pressures. But it’s a well-known fact in these hallways that companies threaten people who find weaknesses in their software."

Here is more…looks like they got to him…

"Lamb found he could break the communication between the alarm sensors that monitor movement and the keypad that tells the corporate network when an intruder has broken in. He could also fake an intruder to set off a false alarm.

He says it was fairly easy because the makers of these wireless devices left them unencrypted.

“So some guy with the right hardware could sit out in front of someone’s home and listen in. That’s pretty disconcerting,” Lamb says.

But he won’t name the home security systems he hacked. When asked, he stutters: “I — I can’t go into that.”"

FYI, the “hardware” Logan used to completely compromise them was a $1,000 USRP N210.

I think they need to be exposed, else there is no incentive to fix it. Hopefully someone will continue Lamb’s work, and post it anonymously to the internet… let the chips fall where they may.

IMO, a security system that is not really secure, and can easily be defeated and compromised, doesn’t provide real security, just the illusion of it.

Would you bet your life, or the lives of your children on such a system?

I agree - if they are attempting to prevent this information from being revealed, they probably don’t have any plans to resolve the issue.

I’m not too concerned though. In my neighborhood, homes aren’t broken into by talented hackers with skills, patience and SDRs. However, it should be fixed and customers should be made aware of this.

Some companies understand security research and handle it well. Some don’t. Those who do will work with the researcher to responsibly disclose the vulnerability and make sure it is resolved. In the case of software, it is pretty easy - issue a patch. In the case of equipment using the Honeywell protocol, it would require replacing the equipment so they are reluctant to do so.

Companies like 2GIG should be the ones most concerned about the security of their products. A lot of companies are joining http://builditsecure.ly/ - a group that conducts research and provides guidance on building secure, reliable IoT devices.

The genie is out of the bottle now… Just have to see how this plays out.