Spoofing Wireless Security Systems


I just got my Flipper Zero device and immediately needed to know: can I spoof RF devices for security alarm systems? Yes, I can.

I was aware that it could be possible to interfere with RF signals used by these security systems, but I've never seen a lot written about it. I was living under the impression that in order to do so you would need a fair amount of knowledge about RF signals and specialized equipment to make it work.


I Was Very Wrong.


I grabbed a Honeywell Lyric panel along with some 5800 series wireless devices and started to tinker. After a quick Google search on what frequency they operate on, I was able to use the Flipper device to successfully capture the signals sent from the devices to the main security panel. I was also able to replay them back, spoofing the devices to the panel. I started with the opening and closing signals of a door sensor. I spoofed the opening signal, telling the panel the sensor was open even though the real sensor was sitting right next to me with the magnet in place to show the door sensor in a closed state.

Next I spoofed the closing signal that would show the door sensor in the closed state, and again it was successful. But I had one issue: it didn't seem all that reliable. I would sometimes have to send the signal multiple times before the panel would register it. Not great if you're trying to trick the panel into thinking the door was never opened in the first place. So I moved on; this wasn't a reliable bypass of the system. Then I grabbed a wireless key fob for the panel. The key fob is used to arm and disarm the panel with ease and does not require inputting the security code in the system.

The key fob was the answer. I was able to spoof the disarm signal to the panel, and if I needed to send it multiple times to get it to register, that was no big deal. I was now able to completely bypass the security system. All with a fairly inexpensive device I bought on the internet and a couple of hours of tinkering.


Conclusion


It is somewhat frightening knowing that it's this simple to bypass these security panels, even though it's most likely not something you'll find yourself falling victim to.

The good news is, there are newer models of alarm systems that use two-way encrypted communication with the devices, preventing this from happening. Hopefully all of these vulnerable systems will be phased out quickly.
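
Why a two-way exchange defeats the record-and-replay described above, as an added sketch that is not part of the original post and is not Honeywell's protocol: a panel that accepts a fixed frame is compared with one that issues a fresh challenge for every command. The frame contents, class names and key are constructed for illustration, and the sketch uses an HMAC for authentication rather than encryption, since freshness plus authentication is what rejects the replay.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(16)  # constructed per-fob secret, assumed shared at enrollment


class FixedCodePanel:
    """One-way model: any frame equal to an enrolled serial+command is accepted."""

    def __init__(self, enrolled_frames):
        self.enrolled = set(enrolled_frames)

    def receive(self, frame: bytes) -> bool:
        return frame in self.enrolled  # no freshness check, so a recording still works


class ChallengePanel:
    """Two-way model: the panel sends a nonce and expects a MAC over nonce+command."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # fresh for every command
        return self.pending

    def receive(self, command: bytes, tag: bytes) -> bool:
        if self.pending is None:
            return False
        nonce, self.pending = self.pending, None  # each nonce is single use
        expected = hmac.new(self.key, nonce + command, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def fob_response(key: bytes, nonce: bytes, command: bytes) -> bytes:
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


def demo() -> dict:
    frame = b"SERIAL-0001|DISARM"  # constructed frame, not a real 5800 series encoding
    fixed = FixedCodePanel([frame])
    out = {"fixed_first": fixed.receive(frame), "fixed_replay": fixed.receive(frame)}
    panel = ChallengePanel(KEY)
    tag = fob_response(KEY, panel.challenge(), b"DISARM")
    out["cr_first"] = panel.receive(b"DISARM", tag)
    panel.challenge()  # later session: the panel has moved on to a new nonce
    out["cr_replay"] = panel.receive(b"DISARM", tag)  # recorded tag no longer matches
    return out
```
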