Help with DIY install equipment, cellular stand-alone monitoring decision, and interactive features

vc1234 said:
As already mentioned, GE wireless sensors and fobs send messages in plaintext. If one desires to do so, it is much easier and less expensive to spoof a wireless GE/Interlogix sensor than any of the modern gadgets that implement encryption, even with all their flaws, like the notorious Philips Zigbee lamps from a parallel thread.
 
Here's an example of a GE wireless motion sensor that I put in my basement years ago just to see how long the battery would last (it's been 4 years and still going strong). It is sending a heartbeat every hour + some minutes by blindly shooting three 61-bit packets:
 
2016-11-07 16:51:40 0001 be4482 c 115 20   Basement Motion
2016-11-07 16:51:40 0001 be4482 c 115 20   Basement Motion
2016-11-07 16:51:41 0001 be4482 c 115 20   Basement Motion
 
...and now that motion is detected, transmitting 8 packets:
2016-11-07 20:23:20 0001 be4482 0 914 3c  Basement Motion
2016-11-07 20:23:20 0001 be4482 0 914 3c  Basement Motion
2016-11-07 20:23:20 0001 be4482 0 914 3c  Basement Motion
2016-11-07 20:23:20 0001 be4482 0 914 3c  Basement Motion
2016-11-07 20:23:20 0001 be4482 0 914 3c  Basement Motion
2016-11-07 20:23:21 0001 be4482 0 914 3c  Basement Motion
2016-11-07 20:23:21 0001 be4482 0 914 3c  Basement Motion
2016-11-07 20:23:21 0001 be4482 0 914 3c  Basement Motion

In the above, the timestamp is mine, 0001 is the two start bytes, followed by 3 sensor id bytes, followed by a nibble that contains a state transition count and battery low indication, followed by the actual state message (five inputs, three nibbles), out of which the first is violated (observe 9 instead of 1 in the three nibble group), followed by stop bits and check parity/oddity bits.
 
https://www.google.com/patents/US5761206
 
The messages are received by a cheap ($15) RTL-SDR receiver tuned to 319.5 MHz.
 
Presumably, the new Elk two way sensor protocol is encrypted, but I do not know how well. However, all this fancy two way/encrypted stuff does not come for free: messages are bigger, frequency is higher (902-928 MHz vs 319.5 MHz) to accommodate more bits, thus battery life and range are lower.
Wow, thanks a lot!
 
EncryptSeeker said:
Thank you for the advice. I understand wired is better, unfortunately it's not possible for me at this moment (due to a high cost). That's why my option is wireless at this point. Unencrypted wireless vs. encrypted wireless to be exact. Hopefully in the near future when I have the budget I will do wiring.
This makes zero sense. A $5 contact and $20 box of wire vs. $40 for a single device. Only difference is the effort.
 
And while a GE device can be spoofed, if the host system isn't disarmed (keyfob) there's no net gain as the original device would continue to be able to transmit the alarm signal. Only item that would prevent that is flooding the band the device transmits on.
 
DELInstallations said:
This makes zero sense. A $5 contact and $20 box of wire vs. $40 for a single device. Only difference is the effort.
 
And while a GE device can be spoofed, if the host system isn't disarmed (keyfob) there's no net gain as the original device would continue to be able to transmit the alarm signal. Only item that would prevent that is flooding the band the device transmits on.
 
Please understand, I'm not as handy as you. I checked online, hiring someone to wire the whole house would cost $2000.
 
EncryptSeeker said:
Please understand, I'm not as handy as you. I checked online, hiring someone to wire the whole house would cost $2000.
 
The rule of three applies.  "Good, fast or cheap... Pick two".
 
You have to decide which of the three you're willing to give up.  Because getting something "secure" (presuming 'good' and 'fast') is definitely not going to come cheap.  Most situations don't "genuinely require" being all that secure.  So the trade off there is "cheap and fast" leaving better security ("good") off the table.  The "fast" part presumably being installation time.  
 
My question would be how effective any of the systems would be at notifying anyone in the event of wireless flooding/jamming/disruption.
 
wkearney99 said:
My question would be how effective any of the systems would be at notifying anyone in the event of wireless flooding/jamming/disruption.
 
The Elk two way claims jamming resistance. Since I do not own any of the two way radios, I cannot verify the claim, but I find it unlikely.
 
It is true that it is harder to jam a frequency-hopping system, of which the Elk 2-way is presumably one, but not impossible -- you just need to cover all frequency channels. It is possible, though, to detect jamming in a more sophisticated system such as BLE/Zigbee, assuming a heartbeat exchange of some sort is implemented, but that would come at the cost of shorter battery life and is therefore rarely, if ever, implemented in consumer grade battery operated systems.
 
One still might choose an Elk 2-way if one is paranoid about traditional wireless sensor transmitters operating in plain text.
 
On a related note, I am wondering about RRa2 security or lack thereof, but just cannot persuade myself into looking into it since it's working so well. I'd speculate it is plaintext, most likely.
 
Jamming means your system is already compromised, either intentionally or unintentionally. Had an install put in by another tech years back (another lifetime) in proximity to a radio tower. Transmitters would drop and the receiver would report jamming... after the sensor was already blocked, so the supervision and detection is a moot point. Encryption only means the data is not open, but still subject to the same caveats of any RF signal.
 
Plain text does not include the sensor type, location, etc. Only a basic ESN and the qualifier of the transmission (loop associated to the ESN).
 
The pick two theory comes into play...but in actuality, paying an experienced electrician is no different (actually cheaper) than buying an individual transmitter, especially if you pay a flat or have an experienced installer on T&M. A bag of 10 contacts and a box or two of cable, $120 in material (tops) and an 8 hour day. So, that puts the overall expense at (HIGH SIDE) $600 for 10 hardwired devices vs. the same in RF transmitters.
 
The Visonic systems have jamming detection also. While that is nice, I think the detection time is on the order of 1 hour, because that is around the heartbeat time on the wireless sensors.

One option for the OP is always to go wired for some and wireless for other sensors, so you can mix and match and not spend all of your $2000 on wiring up front.
 
DELInstallations said:
Plain text does not include the sensor type, location, etc. Only a basic ESN and the qualifier of the transmission (loop associated to the ESN).
The plain text indeed does not include location. However, the sensor id, the one printed on the label, consists of two parts: a 5-nibble id proper and one nibble device type (see the patent reference). So, the first hex digit (nibble) of the sensor id is actually its type. Motivated by your message I looked at my friend's wireless sensors: all his fobs start with an 'F', all his motion sensors start with a '4' (as well as mine), window contacts with an 'A', garage heat detectors with a '6'. So, it's pretty safe to conclude that intercepting a fob id would identify it as such.
 
The nibble has to be bit reversed (MSB first) to get the 'true' device type, but it does not matter in the fob case anyway.
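The packet layout described earlier (start bytes, id bytes, counter nibble, three state nibbles, trailer), the label-id/device-type nibble point just above, and the heartbeat-based supervision delay discussed earlier in the thread, worked through as an added example that is not from any poster here. It uses the logged lines quoted in the thread as constructed sample input and assumes that the received id is the label id sent LSB-first, so that reversing all 24 bits recovers the printed id whose first digit is the type prefix.

```python
from datetime import datetime, timedelta

# Constructed sample: the lines quoted in the thread with burst repeats trimmed;
# the 3.5 h hole (no heartbeats quoted in between) is what supervision should catch.
SAMPLE_LOG = """\
2016-11-07 16:51:40 0001 be4482 c 115 20   Basement Motion
2016-11-07 16:51:40 0001 be4482 c 115 20   Basement Motion
2016-11-07 20:23:20 0001 be4482 0 914 3c  Basement Motion
2016-11-07 20:23:21 0001 be4482 0 914 3c  Basement Motion
"""

# Label prefixes (first hex digit of the printed id) as reported in the thread.
LABEL_TYPES = {"4": "motion", "a": "contact", "6": "heat", "f": "fob"}

def parse_line(line):
    """Split one logged packet into the fields the post describes."""
    date, time, start, sensor_id, counter, state, trailer, *name = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "start": start,               # two start bytes, always 0001
        "sensor_id": sensor_id,       # three id bytes as received
        "counter": int(counter, 16),  # transition count / battery-low nibble
        "state": state,               # three nibbles covering five inputs
        "trailer": trailer,           # stop and parity bits, not decoded here
        "name": " ".join(name),
    }

def label_id(air_id):
    """ASSUMPTION: the id is sent LSB-first, so reversing all 24 received bits
    gives the label id, whose first nibble is the device type (see patent)."""
    bits = format(int(air_id, 16), "024b")
    return format(int(bits[::-1], 2), "06x")

def device_type(air_id):
    return LABEL_TYPES.get(label_id(air_id)[0], "unknown")

def supervise(log, window=timedelta(minutes=90)):
    """Flag state changes and heartbeat gaps longer than the supervision window."""
    last, findings = {}, []
    for line in log.splitlines():
        pkt = parse_line(line)
        prev = last.get(pkt["sensor_id"])
        if prev is not None:
            gap = pkt["ts"] - prev["ts"]
            if gap > window:
                findings.append(("supervision gap", pkt["sensor_id"], int(gap.total_seconds())))
            if pkt["state"] != prev["state"]:
                findings.append(("state change", pkt["sensor_id"], prev["state"], pkt["state"]))
        last[pkt["sensor_id"]] = pkt
    return findings
```

A live monitor also needs a timer, since a jammed or dead sensor produces no line at all and the gap above only surfaces when the next packet arrives.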
 
And this goes back to the days before GE was in the game. Dates back to the old ITI days and the device type was also included as that is how the system knew how to learn in the device itself. The protocol and devices date back at least 30 (!) years.
 
In the specifics of a product, such as Honeywell (old Ademco) the sensor type is not included with the raw data. 64 bits in length, 24 are the ESN and then 16 are the CRC. The transmitter type is not included with the data.
 
IFTTT has lousy latency. It's clever stuff, I'll grant you. But you're totally at the mercy of however fast/slow/reliable/unreliable the internet links are between you and the cloud services. Which is to say, not something I'd consider acceptable for alarm/security applications. As an add-on to a monitored service? Yeah, that'd be nice. But not as an alternative to one.
 