Bypassing Security Systems: Unraveling an Alarm Panel with the Flipper Zero Device


After I got my Flipper Zero device, I immediately needed to know: can I spoof RF devices for security alarm systems? As it turns out, yes, I can.

I was aware that it could be possible to interfere with RF signals used by these security systems, but I never put much more thought into it than that. I was under the impression that in order to do so you would need a fair amount of knowledge about RF signals and specialized equipment to make it work.


Using the Flipper Zero SubGHZ Tool

I grabbed an alarm panel along with some wireless sensors and started to tinker. I'm not going to name the exact panel I used, but it is manufactured by one of, if not the, largest manufacturers of security systems.

After a quick Google search on what frequency the sensors operate on, I was able to use the Flipper device to successfully capture the signals sent from the sensors to the main security panel. I was also able to replay them, spoofing the devices to the panel.


I started with the opening and closing signals of a wireless door sensor. I captured the opening signal, telling the panel the sensor was open even though the real sensor was sitting right next to me with the magnet in place to show the door sensor in a closed state.

Next, I captured the closing signal that would show the door sensor in the closed state; again, it was successful. But I had one issue: it wasn't that reliable. I would sometimes have to send the signal multiple times before the panel would register the signal from the Flipper Zero device. So I moved on; this wasn't a reliable bypass of the system. If I was going to bypass an alarm system with my Flipper Zero, I needed something reliable that would work every time.

Flipper Zero Clones the RF Keyfob

I grabbed a wireless key fob for the panel. The key fob is used to arm and disarm the alarm panel with ease and does not require inputting the security code into the system. The key fob resembles one you would have for your vehicle, with a lock and unlock button.

The key fob was the answer. I was able to capture and clone the key fob's signal and spoof the disarm signal to the panel, and if I needed to send it multiple times to get it to register, that was no big deal, as I could continuously send the signal until it took. I was now able to completely bypass the security system, all with a fairly inexpensive device I bought on the internet and an hour of tinkering.

Real World Threat of Capturing RF Signals with Flipper Zero SubGHZ

How big of a threat is this? Is your security alarm system going to get hacked by someone with a Flipper device? No, probably not. In reality, it's not likely to happen: the attacker would need to capture the signal from your key fob, which means they would need access to it or would need to capture the signal while you use it. Most modern alarm systems also allow you to set up text and push notifications for when the system is armed or disarmed. By setting up those alerts, you can know when your alarm system has been disarmed by someone other than you.

Conclusion

While it is possible to capture and spoof the RF signal with the Flipper Zero, there are ways to mitigate it. Keeping your key fob secure, or just not using one, is the best option. Newer technology is available that prevents this. There are systems available now that encrypt the communication between the alarm panel and device, and this is becoming more standard in the industry.

If you are worried about this happening to you, I would suggest not using a key fob and setting up alerts to be sent from your alarm panel to you reporting the events from the alarm system.
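
The replay described in this post works when the receiver treats a fixed code as proof of identity. As an added example (not from the original post and not any vendor's protocol), this Python simulation contrasts such a receiver with one that checks a per-press counter and an HMAC tag; the frame layout, key, codes and class names are constructed assumptions, and it uses message authentication with a counter rather than the encryption mentioned above.

```python
import hashlib
import hmac
import struct

DISARM = 0x02                                    # constructed command code
FIXED_FRAME = b"\xa5\x5a\x3c" + bytes([DISARM])  # constructed fixed-code frame

class StaticCodePanel:
    """Receiver that accepts any frame equal to the enrolled fixed code."""
    def receive(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, FIXED_FRAME)

class CounterMacPanel:
    """Receiver that requires a valid HMAC tag and a counter it has not seen."""
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.window, self.last_counter = key, window, 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 13:  # 4-byte counter + 1-byte command + 8-byte tag
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter, command = struct.unpack(">IB", body)
        # A replayed frame carries a counter that is not ahead of the last one.
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False
        self.last_counter = counter
        return command == DISARM

class Fob:
    """Transmitter that increments its counter and tags every press."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self, command: int) -> bytes:
        self.counter += 1
        body = struct.pack(">IB", self.counter, command)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:8]

def demo() -> dict:
    key = b"constructed-demo-key"
    static, panel, fob = StaticCodePanel(), CounterMacPanel(key), Fob(key)
    captured = fob.press(DISARM)  # the bytes a nearby receiver would record
    return {
        "static_replay": static.receive(FIXED_FRAME) and static.receive(FIXED_FRAME),
        "mac_first": panel.receive(captured),
        "mac_replay": panel.receive(captured),
        "mac_next_press": panel.receive(fob.press(DISARM)),
    }
```
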

