How to break into the Paradox security system
Paradox is one of the widely used manufacturers of home and company security systems. The company makes several security components such as sirens, IR detectors, etc. Here in the Czech Republic, Paradox is even certified to secure military areas.
Do you trust this system? You should not. I have found a very simple way to unlock any area remotely, without knowing any password. The security bug is in Paradox's IP100 module, which is absolutely unsafe.
IP100 is an Internet module which allows you to control your house (check zone status, arm, disarm). The official description of this module says the following about security:
- Data sent and received using 128-bit (MD5 and RC4) or 256-bit (AES) data encryption.
- Two-way dynamic authentication.
This is a whopper. MD5 and RC4 are used only to encrypt the password, not to encrypt the communication. It means that man-in-the-middle attacks can be performed, but that is a pretty small bug compared to the following :-).
How to make the attack and unlock the property:
- Let the user connect to the system, or write a tiny script which waits for this event. Social engineering can also be used to persuade the user to connect.
- As soon as any legitimate user connects to the system, anyone on the same Internet subnet as that user can perform the attack. This „hacker“ can do any task which IP100 provides (just by entering the right URL into a browser). He can watch the zones or arm/disarm the object. This „hacker“ needs no session id (because there is no session handling in IP100), no user code and no password. The actions are described in the following points:
- To check open zones and the armed/disarmed status of all subsystems, just point to http://router_ip_address:port/statuslive.html. You will get JavaScript, where you can search for: tbl_useraccess = new Array(9,0,0,0,0,0,0,0); - it is an array of areas: 9 means disarmed, 5 means „stay“ and so on. The status of all zones is there too.
- The really bad thing is that the „hacker“ can disarm the Paradox system just by entering this URL: http://router_ip_address:port/statuslive.html?area=00&value=d. The variable „area“ is the index into the tbl_useraccess array you got in the previous step. To put Paradox into stay mode, just enter: http://router_ip_address:port/statuslive.html?area=00&value=s.
Conclusion:
- The only protection of the IP100 module is based on the IP address (well, it was not intended as a security protection; it was used to avoid parallel usage by several users … you can get this point from the user's guide). Don't even think about forwarding IP100 from your internal LAN to the Internet. Use SSH and port forwarding instead.
- Can you imagine that, for example, webmail would be protected only by IP address and not by user name and password? ;o))
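Because the module keeps no session, the source address of each request is the only thing a defender can check against. The script below is an added example (not code from the original post or from Paradox): it audits constructed access-log lines from a reverse proxy placed in front of an IP100, classifying requests to statuslive.html by the area/value parameters described above and flagging any request that does not come from an allow-listed client. The log format, the client addresses and the allow-list are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Common Log Format) from a hypothetical
# reverse proxy in front of the IP100; not data from any real installation.
SAMPLE_LOG = """\
192.168.1.10 - - [12/Mar/2010:08:01:02 +0100] "GET /statuslive.html HTTP/1.1" 200 1834
192.168.1.10 - - [12/Mar/2010:08:01:09 +0100] "GET /statuslive.html?area=00&value=s HTTP/1.1" 200 1834
192.168.1.77 - - [12/Mar/2010:08:02:30 +0100] "GET /statuslive.html?area=00&value=d HTTP/1.1" 200 1834
192.168.1.77 - - [12/Mar/2010:08:02:31 +0100] "GET /index.html HTTP/1.1" 200 512
"""

# Assumed address of the one legitimate client (the owner's PC).
ALLOWED_CLIENTS = {"192.168.1.10"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Value codes named in the post: d = disarm, s = stay.
ACTIONS = {"d": "disarm", "s": "stay"}


def parse_event(line):
    """Return a dict for a request that touches statuslive.html, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if url.path != "/statuslive.html":
        return None
    qs = parse_qs(url.query)
    value = qs.get("value", [None])[0]
    if value is None:
        action = "status-read"          # plain page fetch: zone/area status only
    else:
        action = ACTIONS.get(value, "unknown:" + value)
    return {"ip": m["ip"], "ts": m["ts"], "area": qs.get("area", [None])[0], "action": action}


def audit(log_text, allowed_clients):
    """Classify every IP100 request and mark those from non-allow-listed sources."""
    events = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None:
            ev["alert"] = ev["ip"] not in allowed_clients
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in audit(SAMPLE_LOG, ALLOWED_CLIENTS):
        print(("ALERT " if ev["alert"] else "ok    ") + str(ev))
```

Run stand-alone it prints one line per statuslive.html request; in a real deployment the alert lines would be fed to whatever notifies the owner.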
What do Paradox think about this?
I have discussed this bug by phone with Mr. Stephane Racicot (Vice-President Customer Relations of the Paradox company). He let engineers from Paradox and the local distributor (Mr. Mračna from Eurosat) check this bug, and they concluded that it is not a big bug and maybe they will fix it in some future version.
Make your own decision whether it is a big or a small one. I don't like the feeling that anyone can unlock my house, and I'd strongly recommend that potential customers avoid the Paradox company (not because they made a mistake, but because of their attitude to security and their willingness to solve problems).
SHIT! It really works! I don't believe it… How is it possible? The Paradox guys were pretty dumb.
Greeting from Russia ;o)
Thanks for this post. We originally wanted to secure our premises with Paradox, everybody praised it a lot … well, naturally we changed our minds.
Thanks once again!
Thank you for this information, sir.
We will certainly reevaluate using this manufacturer in our solutions.
Sincerely,
Peter N.
Nice, but from my test, you did not emphasise the very important fact that for your "hacking" trick to work, the "hacker" has to be on the same local area network (LAN) as the user that connects to his house (company network).
If the "hacker" is not in the same workplace as the user, meaning outside of the LAN, your "hacking" will never work.
Now, what are the chances that you have a "hacker" in your workplace wanting to steal from you, while sitting right next to you?
Please get real, what are the odds of this happening! At least find some real hacking tips.
Hello Mr. McLain,
you are right, I wrote about it in the sentence "The only protection of IP100 module is based on IP address."
But anyway, I'd guess that the user connects to the IP100 module very often via GPRS/EDGE from his netbook/mobile, if something happens. And anyone can connect to the same cellphone provider and use the same LAN.
In my opinion, I'd never agree with publishing IP100 to the Internet. It's made by a bunch of amateurs.
Hi;
Could you give me detail about your GPRS/EDGE router or gateway, what brand..?
Thanks for the info.
Regards.