Penetration Testing of GSM Alarm : Using Radio Frequency Communication

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Author: Linus Ringvall; Oscar Ekholm; [2020]


Abstract: As we rely more and more on technological devices in our daily lives, it is increasingly important that these devices are secure. We examined a GSM alarm system, the Home Secure Basic V2, from a security perspective with the purpose of finding an exploit that could disable the alarm. First, we constructed a threat model of the system using the STRIDE method. Each threat was assigned a severity rating using the DREAD rating system and was then evaluated practically. Home Secure Basic V2 has two channels of communication: 433 MHz RF and GSM. We found that the 433 MHz channel was vulnerable to replay attacks and, to a lesser extent, brute-force attacks, both of which we consider serious, with DREAD ratings of 12 (out of 15). While GSM initially used the now insecure A5/1 encryption, most operators in Sweden have fully or partially transitioned to the more secure A5/3 algorithm for GSM traffic. The alarm supports this algorithm, and thus we had no success in performing a sniffing attack against the GSM channel of this alarm. Such an attack is still theoretically possible, but not with the operators we tried (Telia, Tele2) in Stockholm. Finally, we discuss the practicality of the attacks and present some countermeasures that could be implemented to secure the system.
