Now that I’ve upgraded from the Qolsys IQ1 to the IQ2+ panel, deciding what to do about encryption.
I do have a few S-Line sensors and I’m replacing a few of the older non encrypted sensors for key areas such as the doors.
The key question is why do I care about encryption for all of the other locations.
What type of replay attack could be possible that I care about?
As an example … if I have 20+ windows … all non-encrypted Qolsys sensors … and someone tries to break-in through a window, wouldn’t the sensor still send the unencrypted “open” signal to the panel, and no matter what anyone did the panel would still see the trigger.
Just trying to justify why I would want to replace any of the window sensors. This is not a financial question, purely technical.
I’m definitely changing out the door sensors to S-Line, and I’m thinking that I should change out the motion sensors to S-Line as well, because someone could track all movement in the house with unencrypted motion sensors, but why would I replace all the window sensors? What could happen?
And forget about the financials, this is purely a security question. I’m not sure how unencrypted window sensors can cause a security exposure, but very willing to be educated!
Also, when a S-Line sensor enrolls for the first time and then encrypts all signals going forward, does it then never send any unencrypted signals ever? I’m asking because I thought that the Qolsys sensors were all 1-way, so how does the sensor know that it’s a panel capable of encryption? Does it always send both unencrypted and encrypted, or switch to encrypted only for panels that support encryption.
Encrypting the data transfer between sensor and panel with S-Line sensors means that only the panel will be able to read the status of the sensor transmissions as it has the proper encryption key.
Think of it as the difference between plain text and encrypted text. Someone with the right rf listening equipment could listen to unencrypted sensor transmissions and know the status of doors/windows, and this would give the ability to spoof the signal, repeating the captured transmission, making the panel think the sensor is in one state when it is in another. This is of course more rare than brute force entry, but it is a concern, and a weakness of unencrypted systems.
Encrypted sensors are objectively more secure than unencrypted sensors, and Power G sensors are objectively more secure than S-Line with their added frequency hopping.
An encryption code is synced with the IQ Panel 2 at the time of enrollment. As I understand it, the panel confirms this with the sensor radio. If it is enrolling with a panel that does not support encryption and does not sync this encryption key, it functions as an unencrypted sensor. If enrolled with a Qolsys IQ Panel 2, it only functions as an encrypted sensor.
So it seems like what you’re saying is that once an S-Line sensor enrolls as an S-Line sensor (encrypted), it never sends anything unencrypted, which is what I would hope. I wasn’t sure how this was possible if the sensors were totally 1-way, but maybe they are 2-way at enrollment?
My concern was whether the sensor would send both non-encrypted and encrypted for compatibility.
The more that I think about this, this can’t be true, because then how does the IQ1 and IQ2+ co-exist? I never de-enrolled (deleted) the sensors from the old panel. Should I delete from the old panel, to stop the unencrypted transmissions?
Also, still interested in how switching a window sensor from unencrypted to encrypted makes it more secure when armed. It seems like once it triggers (“open”), there’s nothing a thief could do to stop that signal other than jamming the frequency, which has nothing to do with encryption. And if they replayed a “close” it still would have triggered the alarm.
I’m more interested in this topic for the motion sensors. Once I switch to S-Line motion sensors, trying to verify that the motion sensor will never send an unencrypted signal, thus no one can track movement in the house.
An individual could spoof the signal to cause false alarm events, or more likely a concern with regard to your question, send a number of rapid close signals from that sensor id, which can result in opening the window or door without it’s actual transmission reaching the panel.
My concern was whether the sensor would send both non-encrypted and encrypted for compatibility.
The more that I think about this, this can’t be true, because then how does the IQ1 and IQ2+ co-exist? I never de-enrolled (deleted) the sensors from the old panel. Should I delete from the old panel, to stop the unencrypted transmissions?
I understand the concern, as far as I understand from Qolsys, the sensor signals one or the other based on what it is learned into. I am sending Qolsys a message to confirm the mechanism for how the panel and sensor both determine encrypted vs unencrypted. (I’ll also verify if they are learned into both IQ and IQ panel 2, is it intended that both encrypted and unencrypted function) I will follow up here with further clarification from the manufacturer.
This is a really good question. Thinking about it and digging into it beyond the manuals, there is really no way a one way communication sensor would be able to toggle transmission without a local switch of some kind to control it. The tech support individual replying hasn’t stated definitively yet, but the sensor would be broadcasting in both formats always. Apologies for the confusion.
The whole point in this case would be that when learned into the IQ Panel 2, you are selecting the format the panel is listening to. This eliminates the possibility of repeating the transmissions to undermine the panel security. The panel simply doesn’t listen to unencrypted transmissions from that sensor ID.
Thanks Jason. Yep, that’s what I thought, just wanted to verify.
I did just swap out the key fob tonight to S-Line. That was a no brainer.
Not yet sure what I’m going to do with some of the other sensors. I may just leave most as unencrypted for now.
There were two items: 1) communication to the panel, and 2) eavesdropping on the activity in the house.
It seems like S-Line solves #1, but not #2, which was what I was trying to verify. This is for S-Line only. PowerG is always encrypted, thus no issue there.
The only other sensor that I’d love to upgrade is the IQ Pin Pad, which my wife uses quite often. I could upgrade to an IQ Remote panel but that’s such overkill for what we need. Hopefully they’ll have an S-Line Pin Pad some day.
If you hear anything else, would be interested. Thanks again.
I’d like to chime in on this particular question because that’s the entire reason I bought an IQ 2 panel in the first place.
My thoughts are: If you are to pay for a security system, wouldn’t you want to ensure that your equipment is actually protected? I mean the “bump key” of RF signals these days is all about SDR and some free software to do replay attacks to gain entry. It’s plug and play easy to do since I’ve not tried it myself but it is doable with cheap hardware and free software and time sitting out in front of your house recording all the RF signals. To what extent would someone want to do this is up to the person who wants in bad enough.
I don’t have anything of value except my family members. I pay a monthly fee to a monitoring response company who would call the police in case of unwanted entry. If I am to pay every month, I’d also want to be sure my equipment wasn’t hackable; everything is hackable but it would take much more effort with these S-Line sensors and the even more robust PowerG sensors provide a level of security that is much better than ZERO encryption.
So i decided to swap out all sensors (door/windows/motions/glass break) for S-Line and PowerG sensors. This is not a cheap up front cost for me but it is an initial investment that will hopefully last a few years at the very least before another advanced ‘bump key’ method is proven to work easily.
all the security systems that are wireless you should really think twice about getting some sort of encryption. I personally couldn’t sleep at night and/or being away knowing that my system is armed but easily penetrated by someone who has the means (a $20+ SDR device) and time on their hands to record all the open RF calls these un-encrypted sensors call out.
I have not seen in real life (only read online and actual youtube videos of the entire process - how easy it really is to do) or have done this myself. I would rather believe it is easily done than to just ignore it and continue paying monthly alarm dues for something that gives me false sense of security. Just my two cents!
PS - those powerG sensors have frequency hopping, 128bit AES encryption, much more robust than even the S-Line sensors.
My thoughts are: If you are to pay for a security system, wouldn’t you want to ensure that your equipment is actually protected? I mean the “bump key” of RF signals these days is all about SDR and some free software to do replay attacks to gain entry. It’s plug and play easy to do since I’ve not tried it myself but it is doable with cheap hardware and free software and time sitting out in front of your house recording all the RF signals. To what extent would someone want to do this is up to the person who wants in bad enough.
It’s a big reason why we chose to focus on the IQ Panel 2+ over other panels at this time. Common opportunity crimes are not going to employ this kind of tactic typically, but it is a weakness that unencrypted systems have which can be addressed with the IQ Panel 2+. (2GIG is releasing new encrypted versions of their sensors and panels)
