
Determining the four-number code on a security terminal


IriOfTheSnow
August 31st, 2008, 04:53 PM
I believe there was an older thread about defeating security systems such as PIRs, and the idea that dusting the four-digit code on a terminal could reduce the combination possibilities down to a slightly more probable number. It seems to me that it could be possible to reduce the combination possibilities even more. Let's say that one covertly manages to access the terminal for the security system and manages to dust the prints, ideally revealing the 4 digits used (and fewer than 4 if numbers are repeated).

If one were to apply a series of special paints, films, or other substances that are invisible to the naked eye, but distinguishable from each other by the individual, to each of the four buttons (a different "color" for each number), one could determine the order in which the numerals are pressed.

For an example scenario: A thief covertly picks or bypasses (non-destructively) the front lock of a commercial store, then proceeds quickly and quietly to the security terminal. Now, since he has tripped the alarm, he should have some time (around 1 minute) to access the panel and input the override code. But this doesn't matter, because he's not ready to do his job. What he does is he first dusts the terminal and finds the four numerals that the owner inputs every day; then he proceeds to paint each number with the aforementioned "color." He then swiftly makes his escape. The security staff or owner investigate the alarm and chalk it up as a false alarm, as nothing was damaged or taken. The next afternoon, the thief returns, enters, and approaches the terminal again. Using his special method to "see" the colors on the terminal, he can determine the combination. The first should have only one color, the second its own and the first, etc. Now he has the code, and can input it before the security company is contacted, or make an escape and finish the job another day.

There are two issues with this plan. Firstly, what material could one make use of to provide these "invisible colors" most reliably? Secondly, how would this method hold up in a practical environment, given that the owner might input the code multiple times (check in, check out), or make a mistaken button press?

This first issue, the material to be applied, is my real question to Rogue Science. Maybe a series of acids, or perhaps differing UV paints?

The second issue is very mathematical. If an error was made in the input, how might the "code" be readjusted? What errors should one anticipate?
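An added example, not part of the thread, that puts numbers on the "reduce the combination possibilities" point from the defender's side: given a code length and how many distinct keys an observer could learn from wear or residue, it counts the codes that remain and shows what a lockout after a few wrong tries does to the odds. The code lengths and attempt limit are assumptions chosen for the comparison.

```python
"""Added example (not from the thread): put numbers on how far the search for a
keypad code shrinks once an observer learns which keys get used, and what a
lockout policy does to the odds. Code lengths and attempt limits below are
assumptions; the counts themselves are exact."""
from itertools import product
from math import comb, log2


def sequences_using_exactly(code_len: int, distinct_keys: int) -> int:
    """Codes of length code_len whose set of distinct digits is exactly one
    given set of size distinct_keys (every key in the set pressed at least
    once). Inclusion-exclusion over the keys that could be left unused."""
    if distinct_keys < 1 or distinct_keys > min(code_len, 10):
        return 0
    return sum((-1) ** j * comb(distinct_keys, j) * (distinct_keys - j) ** code_len
               for j in range(distinct_keys + 1))


def brute_force_count(code_len: int, keys: str) -> int:
    """Cross-check of the formula by enumeration (small code_len only)."""
    wanted = set(keys)
    return sum(1 for seq in product(keys, repeat=code_len) if set(seq) == wanted)


def guess_probability(candidates: int, attempts: int) -> float:
    """Chance a uniformly guessing party succeeds within the attempts a
    lockout allows before the panel stops accepting input."""
    if candidates <= 0 or attempts <= 0:
        return 0.0
    return min(1.0, attempts / candidates)


def risk_table(code_len: int, attempts: int) -> dict:
    """For each number of distinct keys an observer might learn, the codes
    that remain, their entropy in bits, and the success chance under the
    lockout. Key 0 is the baseline with no information at all."""
    table = {0: {"candidates": 10 ** code_len}}
    for k in range(1, min(code_len, 10) + 1):
        table[k] = {"candidates": sequences_using_exactly(code_len, k)}
    for row in table.values():
        n = row["candidates"]
        row["bits"] = round(log2(n), 2)
        row["p_success"] = round(guess_probability(n, attempts), 4)
    return table


if __name__ == "__main__":
    # Constructed comparison: 4-digit versus 6-digit code, three tries before lockout.
    for length in (4, 6):
        print(f"code length {length}:")
        for k, row in risk_table(length, attempts=3).items():
            print(f"  {k} known keys -> {row['candidates']:>6} candidates, "
                  f"{row['bits']:>5} bits, P(success in 3 tries) = {row['p_success']}")
```

With all four keys of a 4-digit code known, only 24 orderings remain, which is why scrambled-layout keypads, longer codes and short lockout thresholds are the usual countermeasures.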

Intrinsic
September 2nd, 2008, 10:13 PM
In my experience 1 minute is being generous. I have more typically seen 30-45 second delays, never a whole minute. Something else to think about: besides dusting the keypad and coloring the keys, if he wants it to look like a false alarm the thief will also need to relock the door behind him, and doing all this in a minute (or less) is going to be very, very difficult.


Secondly, how would this method hold up in a practical environment, given that the owner might input the code multiple times (check in, check out), or make a mistaken button press?


Another similar possible situation might be having different people with different codes using the keypad. Individual codes are often used to track and log who is coming and going. This would throw the calculation into the nearly-impossible in under a minute.


If it were me, I would install a very small hidden camera, preferably wireless, but it could be recorded onto an SD card if you have daily access (if it is in a public spot, or you are an employee, etc.). That way you have the code known before you even get in the door.

Cobalt.45
September 3rd, 2008, 04:23 AM
Some consideration could be given to phishing an employee who has the code.

Done right, the code could be secured w/o the "duped" even realizing it.

A discreetly placed mirror?

A close inspection of the keypad (if that's possible w/o raising attention) might reveal keys that have more wear on them, pointing to their use in the code.

Replacement of the keypad w/one of your own making that would record the keystrokes might be another (extreme) alternative.

A lot depends on whether or not you have access to the keypad and/or the workplace w/o "supervision".

IriOfTheSnow
September 3rd, 2008, 09:19 PM
"if he wants it to look like a false alarm the thief will also need to relock the door behind him"

One would simply need to leave the picked cylinder turned in the "unlocking" orientation and then use a plug spinner to spin the cylinder in the "locking" orientation. Or you could pick the cylinder, open the door slightly, and repick it into the locking direction. Plug spinners are easier and quicker, however.

"I have more typically seen 30-45 second delays, never a whole minute."

Nonetheless, if you have a 30-second signal delay, plus the estimated 2-minute security response time (3 to 5 for a police response), you have a decent handful of seconds to run in, rig the place, and escape.

And also...

This-
"If it was me, I would install a very small hidden camera, preferably wireless, but could be recorded onto a SD card if you have daily access (if it is in a public spot, or you are an employee, etc). That way you have the code known before you even get in the door."

-plus this-
"A discreetly placed mirror?"

-equals a plan with even more potential!

It would blend in perfectly with commercial security mirrors. I've seen ATMs with mirrors designed to allow you to watch the person behind you (preventing over-the-shoulder reading or back-of-the-head punching), and I imagine a mirror could be placed far better, and more inconspicuously, than a camera alone.

The merit of the original idea was that one could rig the terminal almost completely covertly. No cameras or mirrors, and the code has to be input eventually.

"Another similar possible situation might be having different people with different codes using the keypad. Individual codes are often used to track and log who is coming and going. This would throw the calculation into the nearly-impossible in under a minute."

If the number of excess codes is not too high, one could "dye" every number and work out the individual codes. For example, if there are three codes, each consisting of 4 numbers, one could read the different amounts of dye on each numeral. If #1 has been dusted as a used number, but only has its own dye, that means it was only used once per code. If it appeared on five different numbers, one could deduce that it must be used in at least 2 codes. With some fast wits, one could logically deduce the codes or at least reduce the possible combinations. But yes, if the terminal was used too many times such a method would be impossible to use (and, well, I guess no idea is 100% guaranteed in 100% of all scenarios). None of this would be an issue in a small commercial or residential area, but undoubtedly limiting in a large complex.

Does anyone have any suggestions for a dye?

James
September 5th, 2008, 12:15 AM
I remember reading in a game book (GURPS Espionage p. 50-51) about a fictional(?) powder that could be applied to an ordinary item. The powder would transfer to the subject's hands and hence to everything they touch (until they wash their hands). The idea was that the powder would fluoresce when exposed to a light the intrepid security person would have with them. If there were such a powder it would significantly reduce the amount of time required. Note however that paranoid security would render this moot.

Intrinsic
September 6th, 2008, 03:22 PM
I have seen a substance similar to this before. About 10 years ago I attended a food service seminar put on by the state health dept, and they had several people apply this (it was a lotion if I recall correctly) to their hands, then go try to wash it off. The exercise was to show the typical person didn't really wash their hands well at all. After they washed their hands they were then exposed to a UV light, showing where they missed.

A quick Google search:
http://www.glogerm.com/

http://www.arrowscientific.com.au/component/option,com_virtuemart/Itemid,1/page,shop.product_details/category_id,29/flypage,shop.flypage/product_id,9/index.php?option=com_virtuemart&Itemid=1&page=shop.product_details&category_id=29&flypage=shop.flypage&product_id=9&vmcchk=1
(this one has a powder available too)

JamesHolt
September 9th, 2008, 05:18 PM
I know this doesn't help, but the place I work (a major high-street store) is a complete joke when it comes to security. No security cameras (which in all of the above situations would be reviewed to see the intruder tampering with the keypad) and the code to the stock room is quite predictable and hasn't ever changed. Basically what I'm saying is that the store or whatever may not be as secure as you'd imagine.

Perhaps good old fashioned surveillance would reveal the sequence?

James
September 13th, 2008, 01:55 PM
The forensics people also, IIRC, have a substance which reacts to some of the proteins in human sweat, turning purplish (if I cared I'd check sites on fingerprint lifting). And of course if you could take it with you, then other possibilities open up, like cyanoacrylate (sp?) fuming, metal vapor deposition, and of course the classic fingerprint powder, now available in a variety of colors. You might also want to treat the keypad to point to someone else doing the job. IIRC in the novel 'Atonement' (by Tad Williams, IIRC) the protagonist acquired an Uzi by typing in a possible combination from looking at a keypad with 4 of the keys soiled.

IriOfTheSnow
September 13th, 2008, 11:38 PM
In a less related idea, would it be possible to "loop" a security system? I know an outdated technique was to cut the power line or telephone line to prevent the security company from being signaled, but that now constant feedback is sent to the company to alert it to a system failure. I'd bet a person of sufficient computer and electrical education could use a system to splice the signal, copy it, reproduce it, and loop it to the security company. This would create a "ghost" security system for the company, leaving it blissfully unaware. A wireless transmission, I suppose, could also be copied and emitted. All one would need is a program to perfectly copy and loop the signals from the security terminal. With a ghost established, a person would be free to kill the original system. Of course one would need access to some portion of the line between the building and the company, but that detail could be worked out.

Alexires
September 14th, 2008, 12:24 AM
Iris - That is a possible idea. I know that your basic house security system (here at least) only gets "pinged" once a week or so, to see if it is still there. If you are going for a quick in and out job, hit the phone line then get in and out before anyone knows better.

The more pricey security systems get pinged every couple of minutes and have a kind of tamper detector. Thing is, though, if you knew that this security system was likely to be pinged every few minutes, all you would need to do would be to gain access to an exchange (not hard at all), find the phone number inside the exchange and listen in. Copy the signal, copy the reply, analyse to see if it changes every time it is sent or if it is static, and you are ready to impersonate the signal.

The next line up is a dedicated line, and you need some serious expertise to be playing around with that. Good thing that it is only really banks and the such that use them (too expensive).

James
September 15th, 2008, 03:57 PM
I vaguely recall seeing a real-crime show in which thieves would rob a grocery store and then use the cash to finance pilfering a nearby jewelry store. They would activate a jamming device preventing the possibility of a wireless call-in feature from the alarm system and cut the power and/or phone line to it. If they heard anyone notice on the police band, they would move on. Otherwise they would take the cream of the store's inventory. These days the police are probably using proprietary networks instead of in-the-clear radio, and you might want to check for 802.11, 16 or 20 gear. Also, any alarm worth its sheet metal would probably use changing encrypted challenges. Fortunately most people are cheap about security.
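An added example, not from the thread or any alarm vendor, that spells out the "changing encrypted challenges" James mentions as a minimal supervision ping in Python: the station issues a fresh random nonce for every ping and accepts only a reply whose HMAC binds that nonce, so a recorded reply cannot be looped back later. The key, panel id and status strings are made-up test values.

```python
"""Added example (not from the thread): a supervision "ping" between an alarm
panel and its monitoring station using a fresh random challenge plus an HMAC,
so a recorded reply cannot be looped back. Key and panel id are test values."""
import hashlib
import hmac
import secrets

PANEL_ID = "panel-0001"                                   # constructed
SHARED_KEY = b"example-shared-secret-not-for-production"  # constructed


def response_tag(key: bytes, panel_id: str, nonce: bytes, status: str) -> bytes:
    """MAC binding the panel id, the station's nonce and the reported status."""
    msg = b"|".join([panel_id.encode(), nonce, status.encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


class Panel:
    """Premises unit: answers each challenge with its status and a tag."""

    def __init__(self, panel_id: str, key: bytes, status: str = "armed"):
        self.panel_id, self.key, self.status = panel_id, key, status

    def answer(self, nonce: bytes) -> tuple:
        tag = response_tag(self.key, self.panel_id, nonce, self.status)
        return (self.panel_id, nonce, self.status, tag)


class Station:
    """Monitoring side: one outstanding nonce per panel; a reply counts only
    if its tag binds it to exactly that nonce, and each nonce answers once."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}   # panel_id -> nonce currently awaiting an answer
        self.used = set()   # nonces already answered successfully

    def challenge(self, panel_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[panel_id] = nonce
        return nonce

    def accept(self, panel_id: str, nonce: bytes, status: str, tag: bytes) -> bool:
        expected = self.pending.get(panel_id)
        if expected is None or nonce in self.used or not hmac.compare_digest(nonce, expected):
            return False    # unsolicited, duplicated, or a replay of an old ping
        if not hmac.compare_digest(tag, response_tag(self.key, panel_id, nonce, status)):
            return False    # wrong key or tampered content (e.g. status edited)
        self.used.add(nonce)
        del self.pending[panel_id]
        return True


def replay_demo() -> dict:
    """Live reply passes; a duplicate, a replay against a later ping, and a
    status edit all fail, so the station misses the heartbeat and can alarm."""
    station, panel = Station(SHARED_KEY), Panel(PANEL_ID, SHARED_KEY)
    recorded = panel.answer(station.challenge(PANEL_ID))  # what a line tap would see
    live = station.accept(*recorded)
    duplicate = station.accept(*recorded)
    station.challenge(PANEL_ID)                            # next supervision interval
    replay = station.accept(*recorded)
    pid, nonce, _status, tag = panel.answer(station.challenge(PANEL_ID))
    tampered = station.accept(pid, nonce, "all clear", tag)
    return {"live": live, "duplicate": duplicate, "replay": replay, "tampered": tampered}
```

A static "I'm alive" message with no nonce would pass the same check every time it was replayed, which is the difference between the weekly-pinged and the challenge-based systems discussed above.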

Bugger
September 16th, 2008, 06:11 AM
The forensics people also IIRC have a substance which reacts to some of the proteins in human sweat turning purplish. (if I cared I'd check sites on fingerprint lifting) (cut)
That stuff is called ninhydrin, also called triketohydrindene hydrate, 1,2,3-indantrione monohydrate, 1,2,3-triketohydrindene hydrate, or 1,2,3-triketohydrindene monohydrate. It reacts with amino acids, and also NH3 and primary and secondary amines and ammonium salts, to form intensely purple-colored complexes. As well as being used by corrupt Pigs for detecting and faking fingerprints, it is also used for determining the positions of amino acids on the porous paper used for separation of a mixture of amino acids by paper chromatography, using various organic solvents. The reaction is also used to form the purple dye now called Ruhemann's purple.
See
http://en.wikipedia.org/wiki/Ninhydrin
http://www.chem.ucalgary.ca/courses/351/Carey5th/Ch27/ch27-3-3.html
http://www.crimeandclues.com/ninhydrin.htm
http://www.brynmawr.edu/Acads/Chem/mnerzsto/ninh-1.htm
http://www.redwop.com/download/ninhydrn.pdf
http://www.encyclopedia.com/doc/1O8-ninhydrin.html
http://www.answers.com/topic/ninhydrin
http://www.cbdiai.org/Reagents/nin.html
http://jchemed.chem.wisc.edu/JCESoft/cca/cca5/MAIN/2BIOCHEM/BIOCHEM1/NINHYDRIN/MOVIE.HTM
http://cancerweb.ncl.ac.uk/cgi-bin/omd?ninhydrin+reaction
Restricted articles:
http://www.jbc.org/cgi/reprint/25/2/319.pdf
http://pubs.acs.org/cgi-bin/abstract.cgi/jafcau/2004/52/i03/abs/jf030490p.html

Jacks Complete
September 17th, 2008, 06:18 PM
Far cheaper and easier to simply use a UV reactive security pen or DriWipe marker pen. On a codepad it will travel well enough to give you an idea, and a small dab of various colours will let you track the order down.

IriOfTheSnow
September 19th, 2008, 06:03 AM
http://www.boran.com/security/sniff.html#what

So looping a network is possible with a "sniffer" reading the signal and a "spoofer" replicating it.

Great. Now I'm gonna be spending the next couple of years studying computer language and networks. Anyone have experience with these techs?

But it'll be worth it, I suppose. It's a lot cleaner than any physical method I know of.

James
September 19th, 2008, 12:26 PM
I know a little about computers. I'd probably start with NTSC or PAL (analog TV signaling) or maybe QAM (American cable), ATSC (American over-the-air digital TV) or those European standards such as DVB (C is the cable spec, T is the OTA spec and S is the satellite spec) for carriers. Maybe you might want to check out the IEEE's specs, section 802, which deals with computer networking. Of course I'm pretty sure the specs you're talking about are called protocols rather than languages. (/my useless, arrogant, ignorant proctoyakking)

iHME
September 19th, 2008, 06:02 PM
NTSC or PAL have nothing to do with computer networks. A normal Cat5e wired LAN network is easy as hell to tap: strip the cable, add connectors, include your hub in between, and wire the hub to your PC loaded with Wireshark.

Or split the cable and wire only the receive pins and be undetectable. :)

An analog-style modem system would be similar, but I don't know about it.
And for GSM/CDMA mobile uplink, you are fucked if you don't have 20k EUR in your back pocket for some frequency analyzers and FPGA-based crackers.
And those GSM crackers are at the moment in the experimental stage, at least the civilian ones are. :rolleyes:

A wifi connection is easy; all encryptions are crackable in 15 minutes, FBI tested with open-source tools :p
If some MAC address filtering is used on the wifi node, it gets harder.

High-grade alarm systems have both telephone and mobile uplinks, as seen in Tiger Team (a US TV show about pen testers). A system that's pinged every few minutes is hard to spoof and defeat, especially if they use some protocol of their own.

PYRO500
September 24th, 2008, 01:33 AM
In my personal experience, if an alarm has too many false calls, it will be disconnected for maintenance. Magnetic switches are triggered easily by a strong NIB magnet outside on the other side of the door, a simple microwave transmitter will set off PIR sensors (as will some high-power lasers ;-) ), and glass breakage sensors will go off at many high-frequency sharp intense sounds...

Over a period of time someone could rig the buttons one at a time so that they are much harder to press (superglue, anyone?). What do you bet the buttons that are loose are the more frequently pressed ones?

Also, are we forgetting video surveillance? I have a fleet of cameras all small enough to be hidden under anything that might be bolted to a wall and be ignored... how about a fake fire alarm pull station with integrated video right on the keypad? A smoke detector? Something that moves frequently and isn't tampered with often...

It might also be of use to know that in small municipalities, during thunderstorms, the one or two officers who are covering calls as they come in might get dozens and dozens of alarm calls from storm-related "issues".

Knowing thy beast is also important: some alarm systems will refuse to arm if one or more sensors don't show a closed and locked state, or will go off immediately. Standard operating procedure in the latter case is to leave the system unarmed and have a tech look at it in the morning (after all, no one's going to break in just that night, eh?). Likewise, if it's a silent alarm and some kids mangled the phone box (firecrackers), how often does the phone company come and repair a broken phone box on a Sunday night?

iHME
September 24th, 2008, 10:15 AM
Here it is: Passive network tap (http://hackaday.com/2008/09/14/passive-networking-tap/), a simple project to build.

And in Tiger Team the people were able to "rob" a jewelry manufacturer's safe.
He/they had an RFID system for the door lock and an alarm system with both land and phone uplinks.

James
September 24th, 2008, 04:39 PM
Eh, regarding my previous comments, I forgot what kind of security system we're discussing. I seem to recall the idea of a laser-triggered exploding thing was discussed in another section some time back. I think the technology could also build an incendiary one on an insulated non-combustible base (we don't want to burn down the tree just to get some leaves, so to speak).

Intrinsic
September 24th, 2008, 06:02 PM
I am a bit confused by your post there James. How exactly does "a laser triggered exploding thing (or an incendiary one on an insulated non combustible base)" help you determine the code of a security system?

Hirudinea
September 24th, 2008, 09:01 PM
And in Tiger Team the people were able to "rob" a jewelry manufacturer's safe.
He/they had an RFID system for the door lock and an alarm system with both land and phone uplinks.

I saw a show, a reenactment of a true event, where a bunch of thieves robbed a jewelry store with a very good alarm system by breaking into the laundromat next door, which had no alarm system, and cutting through the common wall of the building with a Sawzall. Seems the jewelry store owner thought that since he had all the entrances wired he didn't need motion sensors.

James
September 25th, 2008, 06:40 PM
Oops, it doesn't (train of thought got derailed). It would however set off thermal sensors (but there's sure to be a better way). Set up a few and they might disable the alarm à la 'How to Steal a Million' or PYRO500's post.

PYRO500
September 25th, 2008, 07:52 PM
All you need do is trigger the alarm enough for it to be disconnected/ignored; a few companies are out there with high-power laser pointers that will do well enough to melt plastic, not to mention set off PIR sensors... over and over....

Jacks Complete
October 4th, 2008, 09:33 AM
I've got a 45mW Green diode laser, but it does nothing to false PIR sensors. Have you tried this? The only effect I've found is with the red ones (670nm @ ~3mW), you can "jam" them sometimes. If you get the beam in the right place, the sensor won't trip unless you turn the beam off. NBK and I discussed this in a thread on beating PIR (http://www.roguesci.org/theforum/showthread.php?t=2674). It was a while back, though!

The SOP of the better alarm companies, certainly with high end clients, is to send a car round to investigate. If the false alarms continue, the car will wait outside and ensure that this type of attack isn't a success.

Alexires
October 5th, 2008, 11:18 PM
I wonder what would happen if 20-30 different houses in different areas for that alarm company had false alarms at the same time....

It's nice of people to put those cute stickers on their windows that tell what alarm company they use.

James
October 9th, 2008, 07:33 PM
"And in other news, 16 households 'protected' by the Redneck Security Group were robbed today. The company denies responsibility: 'We sent out our four cars, when all twenty alarms tripped at once,' exclaimed Bubba Pete when questioned."
OK, not happening. I think it'd be hilarious though.

PYRO500
October 15th, 2008, 11:29 PM
Typically in rural suburban areas they notify local law enforcement; in the US, if the city you happen to do this in is unincorporated then the county (sheriff) will have to respond... and during thunderstorms (in Florida) the cops are inundated with false alarms to the point where they WILL stop responding... I have seen it. Also they all use the same radio systems that you can easily tap into with a decent trunk tracker scanner (make sure to include all the local LEO channels and know their lingo...).