Researchers show ways to bypass home and office security systems

Many door sensors, motion detectors and security keypads can be bypassed using simple techniques, researchers from Bishop Fox said

Many door and window sensors, motion detectors and keypads that are part of security systems used in millions of homes and businesses can be bypassed by using relatively simple techniques, according to researchers from security consultancy firm Bishop Fox.

The researchers presented some of the bypass methods they discovered in a talk at the Black Hat USA security conference in Las Vegas on Wednesday, but declined to name any vendors whose products are affected.

"We started looking at security sensors, going from the outside in, and we found a few implementation issues that we can take advantage of," said Drew Porter, a senior security analyst at Bishop Fox.

For example, many door sensors rely on magnetic fields to work and if you hit them with a high enough magnetic field, they trip, Porter said. Window sensors are vulnerable to the same issue, he said.

These sensors have a basic design so bypassing them is not hard, but that wouldn't get intruders very far. The next thing they would need to do is move around the building without setting off motion detectors.

Most motion detectors, even newer ones, use infrared to detect significant changes in the surrounding room's temperature, Porter said. Normally, walking around in a room would set off these sensors, but using something as simple as a piece of styrofoam to shield your body can trick them, he said.

However, since walking around with a large piece of styrofoam can raise suspicion, the Bishop Fox security consultants, who frequently assess physical security systems for clients, looked for other ways to bypass these sensors.

They found a few families of motion detectors that can be reset by pointing a source of light of a certain wavelength -- infrared or near infrared -- at them. This blinds the sensors for as long as the light source is pointed at them plus an additional three seconds, Porter said.

The motion detection sensors of this type are deployed quite often as part of different security systems, the researcher said.

Moving forward from the motion detector sensors, the researchers analyzed the keypad systems that send out calls to reporting centers if the alarm is tripped.

These keypads can use cellular networks or landlines to communicate, Porter said.

Many keypads are using old cellular technology and can be easily fooled by setting up a rogue base station -- a small cell tower -- the researcher said. The keypads will then connect to the attacker-controlled base station instead of the real cellular network, meaning that even if they send out an alert, it wouldn't reach its intended destination, he said.

Once you have the keypad's modem connected to the base station, it is also possible to send commands that can temporarily disable existing sensors, change how they react or disable the alarm sound, Porter said. "If the alarm goes off, there is the ability to disable it remotely."

Older keypads that still use landlines would set off the alarm if the line is cut to prevent communication with the reporting center, Porter said. However, it turns out that in order to monitor the link they check for a specific voltage. So if the attacker can tap the line and supply that voltage, he can cut it without setting off the alarm, he said.

At least a third of old security systems and probably a quarter of the newer ones can have all of their components -- door locks, motion detectors and keypads -- bypassed, Porter said, noting that this is a very rough estimation based on his knowledge of what technologies are currently being used and keeping in mind that physical security systems have a high turnaround. A five-year turnaround in the world of physical security would actually be considered quick, he said.

The Bishop Fox researchers provided recommendations about what owners of such devices can do to mitigate some of the attacks and are also working with the affected vendors to address these problems.

Porter believes that, ultimately, the task and cost of upgrading these systems will likely fall on the users.

"I don't really see many vendors going and replacing these units," he said. They'll have to build different units that will have to function differently and some of the required changes will be significant, he said.
