Hackers Can Breach Burglar Alarm System With $142 Device – It’s Called YARD Stick One — And, It Only Takes Seconds
A writer going by the name Wagas, had an article, July 18, 2017, on the cyber security website, HackRead.com, with the title above. “YARD Stick One, is a hand-held USB stick, easily available at Amazon.com;” a device “which can substantially help in deactivating wireless burglar alarm systems,” Mr. Wagas wrote. “Priced at just $142 (109 Euros), this gadget is going to increase problems [the risk] for users of wireless burglar alarm systems that do not have external sirens — since criminals can switch them off conveniently with just a click,” he added.
The July 15, 2017 edition of the DailyMailOnline, initially reported this story on its website, in an article by Simon Murphy. The deed can be “done within seconds, by jamming the signal from the battery-powered sensors around the home — that would otherwise sound a siren — [thus] allowing them to discreetly gain entry [to a residence],” Mr. Murphy wrote. Although the device is illegal in Britain, Mr. Murphy noted, “it can be bought online at Amazon and delivered to the customer within two days. Indeed, Mr, Murphy notes that the Daily Mail purchased YARD Stick One from Amazon; and, also bought an ERA MiGuard Alarm System [149 Euros, or about $200] from the electronics store giant, Malpin — in order to carry out the tests,” he added.
“Customers can turn on the MiGuard alarm system using a remote control, in person, or remotely over wi-fi with a smartphone app,” Mr. Murphy explained. “When the device is triggered, it sounds an alarm at the property; and, sends a notification [alert] to the smartphone app, so homeowners are alerted remotely.”
The Daily Mail installed the alarm system at a local London residence; and, “with the homeowners permission, used YARD Stick One to jam the MiGuard alarms system from the outside — within a matter of seconds,” the publication noted. The successful technique, involved “downloading a freely available computer code script — which gives the device [the alarm system] instructions — and [by] simply clicking a button on the [their] laptop.” This simple, easy, and fast step, “disabled the alarm system — which failed to activate, nor notified the homeowner that something was amiss.
Ken Munro, Founder of Pen Test Partners, a renowned cyber security testing firm, warned: “This issue won’t be confined to this brand alone, as many wireless burglar alarms work the same way. It’s likely there are tens of thousands of wireless burglar alarm systems out there in people’s homes that are susceptible [vulnerable] to this kind of attack [hack]. Manufacturers should upgrade their security so this doesn’t happen. Consumers should look for “two-way” systems, which means the alarms can detect jamming attacks like this one.”
ERA told the DailyMail/Mr. Murphy that it “did not know of any instances of [where] the firms wireless alarms being [were successfully] jammed; and, that newer models with external sirens have been fitted with advanced jamming detecting capability.”
Mr. Murphy noted that Amazon declined to comment on the selling of YARD Stick One; but added that “a Malpin spokesman revealed that due to hacking concerns, MiGuard 5 alarm kits will be sold with [an] additional wireless intruder from now on.”
The problem, from the manufacturers standpoint, is the more security you add to the device to make it less hackabke, the more this raises the cost of the device that the consumer must pay — which of course, could make the device less affordable. This increased price no doubt played a part when the Internet was originally conceived. The worldwide web was built based on ease of use and access — security was an afterthought, or lower priority.
And, unless the technology has significantly improved in these kind of devices in the last two years, the ability to detect if your alarm system has been breached is very difficult, and would likely go unnoticed by the majority of homeowners. Indeed, if the jamming is turned off for just a fraction of a second; and, turned right back on, this technique would stop the alarm system from triggering its anti-jam alert, as well as block real alerts from being sent when the intrusion occurs. You could have anti-jamming features inserted by an installer when putting one of these systems in your residence, etc.; but, you may have to ask for it; and/or, be aware of this vulnerability. There is also ‘equipment’ available on the Internet for more higher-tech, expensive alarm systems — which would cost these thieves anywhere from about $1000-$4,000 to purchase — but, the point is, that most, if not all of these systems have some kind of cyber weakness. Much like the Internet itself, the Internet-of-Things (IoT), is also an Internet-of-Threats.
Having said all of that, I am not suggesting that alarm systems shouldn’t be installed in your home. Indeed, just making it more difficult and expensive for the bad guys to get inside your home — is probably good enough most of the time. Rather than bother with you, these thieves will simply move on to the next potential victim — who does not have such an alarm,. But, if you are being specifically targeted for some reason, by a sophisticated/determined adversary — a stalker for example — these kind of alarm systems are not ‘burglar-proof.’ Remember, every Medieval castle in Europe was eventually breached, or compromised. V/R, RCP