(From 34:2)

Dear 2600:

Response to "How to Improve Zone Protection in Burglary Alarms" from 34:1: Cezary Jaronczyk's article talked about how to spoof voltage levels in a circuit to bypass burglary alarms.

The main idea is that a burglary alarm, which works by putting a certain voltage on a line, can detect an open door when that voltage changes.  This assumes the mechanism detecting the open door shorts out resistor R1 when the door is closed and puts that resistor back in when the door opens.  However, the circuit presented there doesn't work.

The schematic shown comes with no good explanation but as best I can figure, the op-amp is supposed to put the "correct" voltage back on the rail after the door is opened so that the alarm measurement side (the lower rail or pin-2 on J1) can't see any transition.  However, the op-amp circuit is not connected right.  The switch to the capacitor needs to be connected to Wire 2 so it learns that voltage, since it is that voltage which gets measured by the burglar alarm.

The output of the op-amp needs to be connected to the same wire, not pin-1 on J1.  Connecting it as shown will make the op-amp dump the original voltage onto the circuit upstream from R1, but then when R1 enters the voltage divider, it'll cut that voltage down, which is what we want to avoid.

Another way to say that is that the voltage on Wire 1 will not change when the door is opened, since it's on top of the voltage divider, so it shouldn't be worried about.  It is the detection voltage on Wire 2 that counts, so we need to spoof that.

This assumes that the hacker can attach the ground of the circuit to the same ground as the burglar alarm (perhaps by connecting the chassis together).  If the hacker can't do that, then reversing the connections from what is shown may work better, using Wire 1 as common and Wire 2 as signal output from the op-amp.  This is because Wire 1's voltage won't change in either state (door-closed and door-open), so it makes a good common reference.

In the last part of the article he purports to have a design which cannot be bypassed with the previous method.  His idea is to have the voltage level change randomly, so it can't be spoofed.  However, the idea behind the first circuit is still valid: a voltage-follower op-amp can be used to read the voltage on the low side (the signal), and replicate whatever it is supposed to be, thus cutting out the door-open detector.  Depending on what op-amp the hacker uses, an extremely fast response time can be created easily, which could match the speed of any zone detection circuit.

The schematic shown in Figure 3 is even more confusing and mangled than the one shown in Figure 2.  That last schematic has a number of bogus connections and neither of those last two images gives meaningful information to an informed reader.

Monican
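The divider argument in the letter above, worked through numerically as an added example (this is not the article's circuit or the letter writer's; the topology, component values and detection tolerance are assumptions). The model puts Wire 1 directly on the supply rail, R1 between Wire 1 and Wire 2 with the door contact shorting it when closed, and a load resistor from Wire 2 to ground as the alarm's measuring side. An ideal voltage follower is modelled as a source clamped onto one node, so the example shows why clamping the learned voltage onto Wire 1 still lets R1 divide it down, while clamping it onto Wire 2 leaves the alarm nothing to see.

```python
"""Constructed model of the zone voltage divider discussed in the letter.

Assumed topology (not from the article):

    supply (Vs) -- Wire 1 -- [R1, shorted by door contact when closed] -- Wire 2 -- R_load -- ground

Wire 2 is the node the alarm measures. The follower op-amp is modelled as an
ideal voltage source clamped onto whichever node its output is wired to.
"""


def wire2_voltage(vs, r1, r_load, door_open, spoof_node=None, spoof_volts=None):
    """Return the voltage the alarm sees on Wire 2.

    spoof_node:  None, "wire1" or "wire2" - where the follower output is connected.
    spoof_volts: the voltage the follower reproduces (what it 'learned').
    """
    if spoof_node == "wire2" and spoof_volts is not None:
        # Follower output is clamped onto the measured node: the divider no
        # longer matters, the alarm just sees the learned level.
        return spoof_volts
    # Wire 1 is either the supply rail or a source clamped to spoof_volts;
    # either way it sits above R1 in the divider.
    v1 = spoof_volts if (spoof_node == "wire1" and spoof_volts is not None) else vs
    if not door_open:
        return v1                            # R1 shorted: Wire 2 follows Wire 1
    return v1 * r_load / (r1 + r_load)       # R1 in series: divider cuts it down


def learn(vs, r1, r_load):
    """Sample Wire 2 while the door is closed (the capacitor in the letter)."""
    return wire2_voltage(vs, r1, r_load, door_open=False)


def alarm_trips(v_closed, v_now, tolerance=0.25):
    """Assumed detection rule: a deviation beyond `tolerance` volts trips the zone."""
    return abs(v_now - v_closed) > tolerance


def demo(vs=12.0, r1=2200.0, r_load=2200.0):
    """Open the door three times: no spoof, spoof on Wire 1, spoof on Wire 2.

    Returns {case: (wire2_volts, tripped)} so the three outcomes can be compared.
    """
    learned = learn(vs, r1, r_load)
    results = {}
    for node in (None, "wire1", "wire2"):
        v = wire2_voltage(vs, r1, r_load, door_open=True,
                          spoof_node=node, spoof_volts=learned)
        results[node or "no_spoof"] = (round(v, 3), alarm_trips(learned, v))
    return results


if __name__ == "__main__":
    for case, (volts, tripped) in demo().items():
        print(f"{case:9s} Wire 2 = {volts:5.2f} V  tripped = {tripped}")
```

With the assumed 12 V supply and equal 2.2 kΩ resistors, opening the door halves the Wire 2 voltage to 6 V, and so does opening it with the learned 12 V clamped onto Wire 1, because R1 is still between the clamp and the measuring side. Only the clamp on Wire 2 holds the measured node at 12 V.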