Many door and window sensors, motion detectors and keypads that are part of security systems used in millions of homes and businesses can be bypassed by using relatively simple techniques, according to researchers from security consultancy firm Bishop Fox.
The researchers presented some of the bypass methods they discovered in a talk at the Black Hat USA security conference in Las Vegas yesterday, but declined to name any vendors whose products are affected.
"We started looking at security sensors, going from the outside in, and we found a few implementation issues that we can take advantage of," said Drew Porter, a senior security analyst at Bishop Fox.
For example, many door sensors rely on magnetic fields to work and if you hit them with a high enough magnetic field, they trip, Porter said. Window sensors are vulnerable to the same issue, he said.
These sensors have a basic design so bypassing them is not hard, but that wouldn't get intruders very far. The next thing they would need to do is move around the building without setting off motion detectors.
Most motion detectors, even newer ones, use infrared to detect significant changes in the surrounding room's temperature, Porter said. Normally, walking around in a room would set off these sensors, but using something as simple as a piece of styrofoam to shield your body can trick them, he said.
However, since walking around with a large piece of styrofoam can raise suspicion, the Bishop Fox security consultants who frequently assess physical security systems for clients, looked for other ways to bypass these sensors.
They found a few families of motion detectors that can be reset by pointing a source of light of a certain wavelength - infrared or near infrared - at them. This blinds the sensors for as long as the light source is pointed at them plus an additional three seconds, Porter said.
The motion detection sensors of this type are deployed quite often as part of different security systems, the researcher said.
Moving forward from the motion detector sensors, the researchers analysed the keypad systems that send out calls to reporting centers if the alarm is tripped.
These keypads can use cellular networks or landlines to communicate, Porter said.
Many keypads are using old cellular technology and can be easily fooled by setting up a rogue base station - a small cell tower - the researcher said. The keypads will then connect to the attacker-controlled base station instead of the real cellular network, meaning that even if they send out an alert, it wouldn't reach its intended destination, he said.
Once you have the keypad's modem connected to the base station it is also possible to send commands that can temporarily disable existing sensors, change how they react or disable the alarm sound, Porter said. "If the alarm goes off, there is the ability to disable it remotely."
Older keypads that still use landlines would set off the alarm if the line is cut to prevent communication with the reporting center, Porter said. However, it turns out that in order to monitor the link they check for a specific voltage. So if the attacker can tap the line and supply that voltage, he can cut it without setting off the alarm, he said.
At least a third of old security systems and probably a quarter of the newer ones can have all of their components - door locks, motion detectors and keypads - bypassed, Porter said, noting that this is a very rough estimation based on his knowledge of what technologies are currently being used and keeping in mind that physical security systems have a high turnaround. A five-year turnaround in the world of physical security would actually be considered quick, he said.