Bypassing Alarms---The Smart Way.

Exchange the techniques and skills needed to walk the shadows. Post your guides and how-tos here.
Richard.Layne
Member
 
Posts: 3
Joined: Sat Apr 30, 2016 4:31 am

Bypassing Alarms---The Smart Way.

Postby Richard.Layne » Sat Apr 30, 2016 5:28 am

Now that I'm half the man I used to be with just one leg, I rely on technology more than anything else.

The downside, depending on the system, your required software could be free, or in excess of 5000 American Dollars.

The main upside is that you get the keys to the kingdom with this method and depending on the system type, you can disable it remotely without having to lug around a shit-ton of jamming equipment, look like an asshat in a mylar-bag or cut wires.

The first thing you need to understand is that an alarm is simply something called a PLC. This is short for "Programmable Logic Controller". There are a wide variety of manufacturers and ways to connect to them that are far outside the scope of this. You have a wonderful tool called google. Use it, because each system is going to be different.

So, once you figure out your target controller and connect to it, the first method you ought to attempt is to determine the password. The reason for this is that you're not leaving any traces. If you make major edits to the program to bypass the alarm, you need to spend more time un-doing them as well running the risk of breaking the system.

What you're looking for a comparison block or EQU block as shown in the following photo:

Code: Select all
https://imgur.com/a/KTG3R


Once you get to this step, you need to look at the "tags" involved in the compare function. Determine which one the password is, and input that at the alarm panel to disable it.


Go inside, walk around, and do whatever. I don't give a fuck--I'm on a terminal run!

User avatar
Xanatos
Moderator
 
Posts: 2119
Joined: Sun Jun 21, 2009 3:51 am
Location: Right behind you.

Re: Bypassing Alarms---The Smart Way.

Postby Xanatos » Sat Apr 30, 2016 12:50 pm

Any tech specialists here care to verify?
We are all books containing thousands of pages and within each lies an irreparable truth.
What is locked, can be opened. What is hidden, can be found. What is yours... can be mine.

noone
Member
 
Posts: 17
Joined: Sun Aug 04, 2013 6:31 am

Re: Bypassing Alarms---The Smart Way.

Postby noone » Sat Apr 30, 2016 8:47 pm

In short: it depends.

While this could work on PLC based systems that have a control unit that you can somehow access, most reasonably designed ones won't let you do that.
Unless someone was dumb enough to bolt the alarm system to the outside of a building it's supposed to monitor, it will be inside the protected area. Downloading code from one of those isn't instantaneous and requires that you carry a computer. Unless you somehow have access to the alarm system through legitimate means or people who installed it were ridiculously stupid, you will have to spend 5-30 minutes with siren going off and the police on their way.

This has a chance to work on high/mid end large? legacy systems, assuming you can get access to the control unit, have the required software / hardware and time to download and understand the code/data. Most of the systems i know of don't use PLC's, so don't quote me on this (and no, micro controllers are not PLC's).

Regarding microcontroller based ones (normal electronics, not industrial control systems):
Most mid/high end alarm systems have countermeasures to prevent this from happening
- Chassis countermeasures (switches, light sensors, even tilt sensors), (chassis can be glued, screwed with exotic screws or welded shut)
- Board countermeasures (the thing can be covered in epoxy, and you aren't getting that off without pouring nasty chemicals on it). Microcontroller can have the firmware read fuses blown (to bypass those you have to decap the chip in acid and try mucking around with laser probes or try glitching with power/clock/data - not something that is cheap, or fast), firmware can be encrypted (to get the encryption key you have to decap the chip, not fast, not cheap), jtag can be protected (again, decapping or glitching, unless you find an exploit that lets you do it faster - that requires A LOT of skill, and luck).


However, if you are feeling adventurous and don't mind hiding / running from a bunch of people with guns, you can try doing those things:
+ Bypassing the sensors (find a route that isn't protected, use a sensor specific bypass)
In case of low end systems with sensors that aren't authenticated, you could try bridging or cutting the wires that go to the sensor (you do need to know which condition triggers the alarm, though - otherwise it's a 50% chance of doing exactly that).
+ Sometimes, in case of lower end systems, smashing the shit out of the thing (or cutting power/removing battery) will do the trick.
This holds especially true in case of most of the units available on ebay as "alarm system" under 15$
+ Disabling the siren / communication pathways (landline & gsm) can work, if the system isn't sending periodical pings to the monitoring company.
If it is, they will show up as if the system was triggered by a burglar.
+ Using a taser on a bunch of wires connected to the control unit can fry the alarm, if it's not protected against high voltage spikes. This being effective or not will highly vary between manufacturers / models / wires you apply the voltage to. If the system is supposed to send periodical pings, this will be treated the same way as a normal alarm.

Unless you can get your hands on an alarm unit beforehand and have the skill to reverse engineer it, you won't be disabling it by bridging a bunch of wires. Most you can do with a screwdriver and wire cutters is disable a bunch of sensors, if you are lucky.

To sum it up, mid/high end alarms are bad news.

If the system is sending periodical pings to a monitoring company, LEAVE IT ALONE.
Bypassing / taking out a high end alarm system is ridiculously hard. If you haven't researched it thoroughly beforehand, you will trigger something and have to run away from angry people with guns.

If the system is capable of calling someone in case of an intrusion, killing it's connectivity/noise making capabilities is the safest choice.

If the system isn't cheapest crap from china (but can't call the cops), you can try your luck at bypassing it's sensors / disabling the siren.

If the system is the cheapest crap from china, breaking/unplugging it/taking out the battery should do the trick.

Richard.Layne
Member
 
Posts: 3
Joined: Sat Apr 30, 2016 4:31 am

Re: Bypassing Alarms---The Smart Way.

Postby Richard.Layne » Sun May 01, 2016 12:41 am

From what you've written, it appears you have exposure to residential alarm systems where as mine are used by banks, prisons, powerplants, etc. etc. Most of what you wrote at the end of your post is correct, but why are you wasting your time on small systems not guarding anything of value? Anyways, here's some more information you might find interesting since you haven't dealt with a high end alarm system before:

noone wrote:In short: it depends.

While this could work on PLC based systems that have a control unit that you can somehow access, most reasonably designed ones won't let you do that.
Unless someone was dumb enough to bolt the alarm system to the outside of a building it's supposed to monitor, it will be inside the protected area.


Let's start by establishing that access is pretty easy:

Code: Select all
https://www.odva.org/Technology-Standards/EtherNet-IP/Overview


Oh and since you're reading that, you can crash the PLC with the command, "CPU STOP" if you'd like, but that leaves evidence.

If you need it broken down further than that;

Code: Select all
https://www.shodan.io/search?query=S7-1200



Downloading code from one of those isn't instantaneous and requires that you carry a computer. Unless you somehow have access to the alarm system through legitimate means or people who installed it were ridiculously stupid, you will have to spend 5-30 minutes with siren going off and the police on their way.


Since it is easy to establish access (and remote access at that), Why are alarms going off and the police responding? Why are you wanting to download the program instead of view it online with the controller? Why are you lugging a computer around on the execution phase of whatever your doing instead of the recon?

]This has a chance to work on high/mid end large? legacy systems, assuming you can get access to the control unit, have the required software / hardware and time to download and understand the code/data. Most of the systems i know of don't use PLC's, so don't quote me on this (and no, micro controllers are not PLC's).


All of the high end systems use a PLC and distributed I/O. Here's a major example:

Code: Select all
https://www.coresecurity.com/files/attachments/PLC_White_Paper_Newman_Rad_Strauchs_July22_2011_Final.pdf



Regarding microcontroller based ones (normal electronics, not industrial control systems):


A circuit is a circuit man. Same applies to electronics.

Most mid/high end alarm systems have countermeasures to prevent this from happening
- Chassis countermeasures (switches, light sensors, even tilt sensors), (chassis can be glued, screwed with exotic screws or welded shut)
- Board countermeasures (the thing can be covered in epoxy, and you aren't getting that off without pouring nasty chemicals on it). Microcontroller can have the firmware read fuses blown (to bypass those you have to decap the chip in acid and try mucking around with laser probes or try glitching with power/clock/data - not something that is cheap, or fast), firmware can be encrypted (to get the encryption key you have to decap the chip, not fast, not cheap), jtag can be protected (again, decapping or glitching, unless you find an exploit that lets you do it faster - that requires A LOT of skill, and luck).


We've already established that the high end systems use a PLC (or twenty) with the previous points. The el cheapo systems use microcontrollers. Why you might ask? Because it is more efficient to use a microcontroller for a system that needs to be mass produced (think ADT/Brinks)

However, if you are feeling adventurous and don't mind hiding / running from a bunch of people with guns, you can try doing those things:
+ Bypassing the sensors (find a route that isn't protected, use a sensor specific bypass)
In case of low end systems with sensors that aren't authenticated, you could try bridging or cutting the wires that go to the sensor (you do need to know which condition triggers the alarm, though - otherwise it's a 50% chance of doing exactly that).
+ Sometimes, in case of lower end systems, smashing the shit out of the thing (or cutting power/removing battery) will do the trick.
This holds especially true in case of most of the units available on ebay as "alarm system" under 15$
+ Disabling the siren / communication pathways (landline & gsm) can work, if the system isn't sending periodical pings to the monitoring company.
If it is, they will show up as if the system was triggered by a burglar.
+ Using a taser on a bunch of wires connected to the control unit can fry the alarm, if it's not protected against high voltage spikes. This being effective or not will highly vary between manufacturers / models / wires you apply the voltage to. If the system is supposed to send periodical pings, this will be treated the same way as a normal alarm.


With enough force applied to something, it will stop working, even ESD resistant boards!


To sum it up, mid/high end alarms are bad news.


No, no they are not. It's like any other technology that isn't getting exploited heavily yet--the holes aren't patched!

If the system is sending periodical pings to a monitoring company, LEAVE IT ALONE.
Bypassing / taking out a high end alarm system is ridiculously hard. If you haven't researched it thoroughly beforehand, you will trigger something and have to run away from angry people with guns.


Why leave it alone? You can make the high end systems do whatever you want to, even send the police to the wrong place!

If the system is capable of calling someone in case of an intrusion, killing it's connectivity/noise making capabilities is the safest choice.


Disagree, monitoring what it is sending is of more value. Spoof a tower, bro!

noone
Member
 
Posts: 17
Joined: Sun Aug 04, 2013 6:31 am

Re: Bypassing Alarms---The Smart Way.

Postby noone » Sun May 01, 2016 1:18 pm

Let's start by quoting people who should know better than i do:

http://www.plctalk.net/qanda/showthread.php?t=48380

Well most plc's have password protection so no real problem there & the simple answer is to put it in a locked cabinet?


Also i find the remarks about the plc not being safe rubbish. the scada pc has to be the only pc connected to the plc and doesnt need to be on internet or anything, so in what way will the plc be under threat?


As cool as it would be to use a PLC, it makes more sense to purchase a security system - they're specialized and commoditized. You'll get more features and spend less time and money - plus it will be far less prone to user induced mistakes/vulnerabilities.


Regarding your post:

Richard.Layne wrote:From what you've written, it appears you have exposure to residential alarm systems where as mine are used by banks, prisons, powerplants, etc. etc. Most of what you wrote at the end of your post is correct, but why are you wasting your time on small systems not guarding anything of value? Anyways, here's some more information you might find interesting since you haven't dealt with a high end alarm system before:

noone wrote:In short: it depends.

While this could work on PLC based systems that have a control unit that you can somehow access, most reasonably designed ones won't let you do that.
Unless someone was dumb enough to bolt the alarm system to the outside of a building it's supposed to monitor, it will be inside the protected area.


Let's start by establishing that access is pretty easy:

Code: Select all
https://www.odva.org/Technology-Standards/EtherNet-IP/Overview


Oh and since you're reading that, you can crash the PLC with the command, "CPU STOP" if you'd like, but that leaves evidence.

If you need it broken down further than that;

Code: Select all
https://www.shodan.io/search?query=S7-1200




That particular model you linked to started being sold at least 7 years ago, and there are only 166 units available on the entire ipv4 internet.
I'm not convinced most of them are in any way related to alarm systems at all. PLC's are meant to be used in industrial settings (power plants, factories, jails for controlling the cells), not as "brains" for an alarm system.
Not every unit is reachable from the internet. I'd even say that's en exception, not the rule. Very few units will be connected to a network that you can access without somehow disabling the alarm first (it's the equivalent of bolting it to the side of a building). Which does defeat the purpose of this method, unless you have legitimate means that let you access the alarm when it's unlocked (Social engineering your way into a bank in the security contractors uniform might sound like a lot of fun, but it's a rather risky idea).

Richard.Layne wrote:
Downloading code from one of those isn't instantaneous and requires that you carry a computer. Unless you somehow have access to the alarm system through legitimate means or people who installed it were ridiculously stupid, you will have to spend 5-30 minutes with siren going off and the police on their way.


Since it is easy to establish access (and remote access at that), Why are alarms going off and the police responding? Why are you wanting to download the program instead of view it online with the controller? Why are you lugging a computer around on the execution phase of whatever your doing instead of the recon?


It's easy, in very few cases. You won't get the privileged access necessary to make those changes from the internet. You would have to physically be in the equipment room or very close to it access the necessary network. It's not like people put in Ethernet sockets in the lobby that are connected to the alarm system (or make it available on the internet) in 99% of cases.

Richard.Layne wrote:
]This has a chance to work on high/mid end large? legacy systems, assuming you can get access to the control unit, have the required software / hardware and time to download and understand the code/data. Most of the systems i know of don't use PLC's, so don't quote me on this (and no, micro controllers are not PLC's).


All of the high end systems use a PLC and distributed I/O. Here's a major example:

Code: Select all
https://www.coresecurity.com/files/attachments/PLC_White_Paper_Newman_Rad_Strauchs_July22_2011_Final.pdf




That's not a high end alarm system. It's an industrial system. If someone is dumb enough to connect their power plant or jail control system to the internet, sure, you can cause a lot of mischief there, but it's not something that will commonly happen. Especially if they don't have a legacy or very specialized system that uses a PLC.

Richard.Layne wrote:
Regarding microcontroller based ones (normal electronics, not industrial control systems):


A circuit is a circuit man. Same applies to electronics.


No. Not every piece of electronics lets you connect to it over a network and look at / modify it's software.
Some pieces of electronics don't let you do that at all, even with proper debugging equipment if the on-chip fuses are blown.

Richard.Layne wrote:
Most mid/high end alarm systems have countermeasures to prevent this from happening
- Chassis countermeasures (switches, light sensors, even tilt sensors), (chassis can be glued, screwed with exotic screws or welded shut)
- Board countermeasures (the thing can be covered in epoxy, and you aren't getting that off without pouring nasty chemicals on it). Microcontroller can have the firmware read fuses blown (to bypass those you have to decap the chip in acid and try mucking around with laser probes or try glitching with power/clock/data - not something that is cheap, or fast), firmware can be encrypted (to get the encryption key you have to decap the chip, not fast, not cheap), jtag can be protected (again, decapping or glitching, unless you find an exploit that lets you do it faster - that requires A LOT of skill, and luck).


We've already established that the high end systems use a PLC (or twenty) with the previous points. The el cheapo systems use microcontrollers. Why you might ask? Because it is more efficient to use a microcontroller for a system that needs to be mass produced (think ADT/Brinks)


No. Custom electronics are far more powerful than your average PLC and are now cheap/powerful enough to be a viable solution in every case. With customers wanting more shiny new features, or the same features for smaller cost, that's where the market is going. You can still encounter PLC's in alarm systems, but that's mostly legacy or creative abuse for things they weren't meant to do. Or, for controlling industrial systems related to the alarm component - not as "brains" of the solution.

Richard.Layne wrote:
However, if you are feeling adventurous and don't mind hiding / running from a bunch of people with guns, you can try doing those things:
+ Bypassing the sensors (find a route that isn't protected, use a sensor specific bypass)
In case of low end systems with sensors that aren't authenticated, you could try bridging or cutting the wires that go to the sensor (you do need to know which condition triggers the alarm, though - otherwise it's a 50% chance of doing exactly that).
+ Sometimes, in case of lower end systems, smashing the shit out of the thing (or cutting power/removing battery) will do the trick.
This holds especially true in case of most of the units available on ebay as "alarm system" under 15$
+ Disabling the siren / communication pathways (landline & gsm) can work, if the system isn't sending periodical pings to the monitoring company.
If it is, they will show up as if the system was triggered by a burglar.
+ Using a taser on a bunch of wires connected to the control unit can fry the alarm, if it's not protected against high voltage spikes. This being effective or not will highly vary between manufacturers / models / wires you apply the voltage to. If the system is supposed to send periodical pings, this will be treated the same way as a normal alarm.


With enough force applied to something, it will stop working, even ESD resistant boards!



Sure, but you have to apply it to the right part of the solution. If there is an additional communications box that is optically separated from the rest of the system, destroying any other part of it will result in security / cops coming to look what happened. Not to mention systems that send periodical pings.

Richard.Layne wrote:
To sum it up, mid/high end alarms are bad news.


No, no they are not. It's like any other technology that isn't getting exploited heavily yet--the holes aren't patched!



One could argue that alarm systems are one of the most attacked solutions deployed in the wild - in the end, they protect the things people want to steal or keep the most. If it really was that simple, people who install these things would be going around and stealing ridiculous amounts of shit, not getting caught.

Richard.Layne wrote:
If the system is sending periodical pings to a monitoring company, LEAVE IT ALONE.
Bypassing / taking out a high end alarm system is ridiculously hard. If you haven't researched it thoroughly beforehand, you will trigger something and have to run away from angry people with guns.


Why leave it alone? You can make the high end systems do whatever you want to, even send the police to the wrong place!

If the system is capable of calling someone in case of an intrusion, killing it's connectivity/noise making capabilities is the safest choice.


Disagree, monitoring what it is sending is of more value. Spoof a tower, bro!


You can, but only if you have privileged access. Which in most situations isn't the case.
Spoofing a cell tower can be a lot of fun, but it's hardly going to be useful.
Most reasonable systems that send more than a simple ping / call the cops will use encryption, so all you will see is that it's sending something.
That's hardly any news if you did your research beforehand.

User avatar
Shade
Member
 
Posts: 90
Joined: Tue Jun 23, 2015 4:49 pm
Location: Behind you.

Re: Bypassing Alarms---The Smart Way.

Postby Shade » Mon May 09, 2016 11:06 pm

Hey... I know some of these words!

CookieThief
Member
 
Posts: 89
Joined: Sun Aug 23, 2015 6:06 am

Re: Bypassing Alarms---The Smart Way.

Postby CookieThief » Wed May 11, 2016 5:22 am

Me too, "the", "wire" and "it". A few others too.

This is way over my head, I'll just stick to avoiding or running like hell.
The world is dark until your eyes adjust.

User avatar
Psychlonic
Member
 
Posts: 1012
Joined: Mon Oct 29, 2007 3:30 am
Location: The Arena

Re: Bypassing Alarms---The Smart Way.

Postby Psychlonic » Wed May 11, 2016 8:35 pm

^ I feel like this has been an issue plaguing progress against alarm systems in the NO community for years. What would make the content easier to understand and more engaging to you? A video, perhaps? A large picture-by-picture tutorial?
There is a difference between those who feel safest in the light and those who feel safest in the dark.

noone
Member
 
Posts: 17
Joined: Sun Aug 04, 2013 6:31 am

Re: Bypassing Alarms---The Smart Way.

Postby noone » Wed May 11, 2016 11:12 pm

Hey, i'm not saying you shouldn't try it.
I'm just saying it's easy to do something that will end up in a situation that requires quick exfiltration from the area.
A situation where the alarm calls the cops without making anything else is the worst scenario - there are no obvious clues that something is wrong.
By the time you realize how bad the situation is, you might be royally screwed.


Different form wouldn't help. The issue is the amount of additional knowledge one would have to get for this to be viable, which makes the work/benefit ratio a bit high for recreational activities.
So, we need a shortcut.
I think one of the best options is teaching how to categorize / bypass different kinds of sensors, since these are the things that stay mostly the same all across the board. Having a guide that describes how to spot the really crappy systems would be a good idea too.

Tackling an alarm system head on isn't usually a good idea - that's what they are designed to be best at handling.

Imo, a best strategy (in case of something that isn't complete crap) is, usually:
+ Finding a route that won't trigger an alarm
+ Bypassing the sensors / Stealing the pin
+ Hoping that if angry people do decide to pay a visit, they'll assume the alarm is a fluke
(ordered by what is the most reasonable)

Anything else will most likely vary highly between different alarm systems, learning it all is impossible.

Unless you are a professional bank/museum robber, getting to know a particular system enough to be able to bypass it in a non standard way won't be worth the effort.
Last edited by noone on Wed May 11, 2016 11:31 pm, edited 1 time in total.

User avatar
Psychlonic
Member
 
Posts: 1012
Joined: Mon Oct 29, 2007 3:30 am
Location: The Arena

Re: Bypassing Alarms---The Smart Way.

Postby Psychlonic » Wed May 11, 2016 11:30 pm

I wouldn't be against that endeavor, but I'd like to note that from my experience even complete knowledge of how the system works, is wired, where each sensor is located and how to bypass the sensors doesn't do any good. A good alarm system isn't complex, it's simple with lots of overlapping zones of detection. You just can't get close to it while it's armed without some brute force which again brings up that risk vs. reward ratio.

Of course, there are plenty of systems installed with blind spots and faults to prevent false alarms in areas that would otherwise make the system flawless. By example, I know a building here with double doors that aren't covered by any sensor since they were causing false alarms by slight movement and small amounts of cooler air coming in from the outside.
There is a difference between those who feel safest in the light and those who feel safest in the dark.

noone
Member
 
Posts: 17
Joined: Sun Aug 04, 2013 6:31 am

Re: Bypassing Alarms---The Smart Way.

Postby noone » Wed May 11, 2016 11:52 pm

Yes, a well designed system won't be easy to bypass.
It's quite likely that it won't be possible to bypass it in any standard way.
Social engineering might be an interesting thing here. If you somehow find a way to eavesdrop on people responsible for the alarm system (bugging the guards room / owners house or phone might be an interesting challenge), getting the password they use for communicating with the monitoring company might be a viable option.

Still, not every system is well designed / installed. That's what we are hoping for. :)


Return to The Art of Night Ops

Who is online

Users browsing this forum: No registered users and 1 guest

cron