From what you've written, it appears you have exposure to residential alarm systems, whereas mine are used by banks, prisons, power plants, etc. etc. Most of what you wrote at the end of your post is correct, but why are you wasting your time on small systems not guarding anything of value? Anyways, here's some more information you might find interesting since you haven't dealt with a high-end alarm system before:
noone wrote: In short: it depends.
While this could work on PLC based systems that have a control unit that you can somehow access, most reasonably designed ones won't let you do that.
Unless someone was dumb enough to bolt the alarm system to the outside of a building it's supposed to monitor, it will be inside the protected area.
Let's start by establishing that access is pretty easy:
https://www.odva.org/Technology-Standards/EtherNet-IP/Overview
Oh, and since you're reading that, you can crash the PLC with the "CPU STOP" command if you'd like, but that leaves evidence.
If you need it broken down further than that;
https://www.shodan.io/search?query=S7-1200
Downloading code from one of those isn't instantaneous and requires that you carry a computer. Unless you somehow have access to the alarm system through legitimate means or people who installed it were ridiculously stupid, you will have to spend 5-30 minutes with siren going off and the police on their way.
Since it is easy to establish access (and remote access at that), why are alarms going off and the police responding? Why are you wanting to download the program instead of viewing it online with the controller? Why are you lugging a computer around during the execution phase of whatever you're doing instead of during recon?
This has a chance to work on high/mid end large? legacy systems, assuming you can get access to the control unit, have the required software / hardware and time to download and understand the code/data. Most of the systems I know of don't use PLCs, so don't quote me on this (and no, microcontrollers are not PLCs).
All of the high end systems use a PLC and distributed I/O. Here's a major example:
https://www.coresecurity.com/files/attachments/PLC_White_Paper_Newman_Rad_Strauchs_July22_2011_Final.pdf
Regarding microcontroller based ones (normal electronics, not industrial control systems):
A circuit is a circuit man. Same applies to electronics.
Most mid/high end alarm systems have countermeasures to prevent this from happening
- Chassis countermeasures (switches, light sensors, even tilt sensors), (chassis can be glued, screwed with exotic screws or welded shut)
- Board countermeasures (the thing can be covered in epoxy, and you aren't getting that off without pouring nasty chemicals on it). The microcontroller can have its firmware read fuses blown (to bypass those you have to decap the chip in acid and try mucking around with laser probes, or try glitching with power/clock/data - not something that is cheap, or fast), the firmware can be encrypted (to get the encryption key you have to decap the chip, not fast, not cheap), JTAG can be protected (again, decapping or glitching, unless you find an exploit that lets you do it faster - that requires A LOT of skill, and luck).
We've already established that the high-end systems use a PLC (or twenty) with the previous points. The el cheapo systems use microcontrollers. Why, you might ask? Because it is more efficient to use a microcontroller for a system that needs to be mass produced (think ADT/Brinks).
However, if you are feeling adventurous and don't mind hiding / running from a bunch of people with guns, you can try doing those things:
+ Bypassing the sensors (find a route that isn't protected, use a sensor specific bypass)
In case of low end systems with sensors that aren't authenticated, you could try bridging or cutting the wires that go to the sensor (you do need to know which condition triggers the alarm, though - otherwise it's a 50% chance of doing exactly that).
+ Sometimes, in case of lower end systems, smashing the shit out of the thing (or cutting power/removing battery) will do the trick.
This holds especially true in the case of most of the units available on eBay as "alarm system" under $15.
+ Disabling the siren / communication pathways (landline & gsm) can work, if the system isn't sending periodical pings to the monitoring company.
If it is, they will show up as if the system was triggered by a burglar.
+ Using a taser on a bunch of wires connected to the control unit can fry the alarm, if it's not protected against high voltage spikes. This being effective or not will highly vary between manufacturers / models / wires you apply the voltage to. If the system is supposed to send periodical pings, this will be treated the same way as a normal alarm.
With enough force applied to something, it will stop working, even ESD resistant boards!
To sum it up, mid/high end alarms are bad news.
No, no they are not. It's like any other technology that isn't getting exploited heavily yet--the holes aren't patched!
If the system is sending periodical pings to a monitoring company, LEAVE IT ALONE.
Bypassing / taking out a high end alarm system is ridiculously hard. If you haven't researched it thoroughly beforehand, you will trigger something and have to run away from angry people with guns.
Why leave it alone? You can make the high end systems do whatever you want to, even send the police to the wrong place!
If the system is capable of calling someone in case of an intrusion, killing its connectivity/noise-making capabilities is the safest choice.
Disagree, monitoring what it is sending is of more value. Spoof a tower, bro!
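The thread keeps coming back to one point: if a panel sends periodic pings to the monitoring company, cutting its siren, landline or GSM does not make it go quiet, it makes the station treat the silence as a burglary. The following is an added example, not code from this thread or from any alarm vendor, showing the supervision logic a monitoring station runs to do exactly that. The feed format ("timestamp panel-id HEARTBEAT|ALARM"), the panel IDs, the 5-minute interval and the sample lines are all constructed for illustration.

```python
"""Monitoring-station supervision: a missed periodic ping is dispatched like an alarm."""
from datetime import datetime, timedelta

# Constructed sample feed from two hypothetical panels (not real data).
# Format: "<ISO timestamp> <panel id> <HEARTBEAT|ALARM> [detail...]"
# PANEL-7 reports an alarm and then goes silent (siren/comms killed after the trip).
# PANEL-9 drops off for 26 minutes and then resumes (comms cut, then restored).
SAMPLE_LOG = """\
2024-03-01T02:00:00 PANEL-7 HEARTBEAT
2024-03-01T02:05:00 PANEL-7 HEARTBEAT
2024-03-01T02:10:00 PANEL-7 HEARTBEAT
2024-03-01T02:15:00 PANEL-7 ALARM zone=3
2024-03-01T02:00:00 PANEL-9 HEARTBEAT
2024-03-01T02:05:00 PANEL-9 HEARTBEAT
2024-03-01T02:31:00 PANEL-9 HEARTBEAT
"""


def parse_log(text):
    """Parse feed lines into (timestamp, panel, kind, detail) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2].upper(), " ".join(parts[3:])))
    return events


def supervise(events, interval=timedelta(minutes=5), missed_allowed=1, now=None):
    """Return incidents worth dispatching on, sorted by time.

    Any message from a panel (heartbeat or alarm) proves the link is alive.
    If a panel is silent for longer than (missed_allowed + 1) intervals, a
    COMMS_LOSS incident is raised at the moment the deadline expired, exactly
    as if the panel had reported an intrusion. `now` defaults to the newest
    timestamp in the feed so the check is deterministic offline.
    """
    if not events:
        return []
    deadline = interval * (missed_allowed + 1)
    if now is None:
        now = max(ev[0] for ev in events)

    per_panel = {}
    for ev in sorted(events):
        per_panel.setdefault(ev[1], []).append(ev)

    incidents = []
    for panel, evs in per_panel.items():
        last_seen = None
        for ts, _, kind, detail in evs:
            if kind == "ALARM":
                incidents.append((panel, ts, "ALARM", detail))
            # Gap between two messages exceeded the supervision window.
            if last_seen is not None and ts - last_seen > deadline:
                incidents.append((panel, last_seen + deadline, "COMMS_LOSS",
                                  f"silent for {ts - last_seen}"))
            last_seen = ts
        # Panel has not been heard from since its last message up to `now`.
        if last_seen is not None and now - last_seen > deadline:
            incidents.append((panel, last_seen + deadline, "COMMS_LOSS",
                              f"silent since {last_seen.isoformat()}"))
    return sorted(incidents, key=lambda i: (i[1], i[0]))


if __name__ == "__main__":
    for panel, ts, kind, detail in supervise(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {panel} {kind} {detail}")
```

With the constructed feed, PANEL-9's 26-minute gap is dispatched as COMMS_LOSS at 02:15 even though it later comes back, and PANEL-7 produces both its ALARM and a COMMS_LOSS once it stops reporting. Loosening `missed_allowed` widens the window a panel can stay dark before anyone is sent, which is precisely the parameter an attacker who "leaves it alone" is betting on.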