Most of the folks using the GE Simon XT for their home security systems are amazed that they can use their Android, iPhone, or Blackberry to remotely lock their homes. I was curious as to what was actually being passed. I loaded my OpenWRT router with tcpdump and did some basic dumps on the br0 interface to see what was being passed. A few quick points:
- The phones communicate with a single address: 22.214.171.124
- This reverse-resolves to alarm.com, but the app connects by IP address rather than by domain name. That produces a certificate mismatch, as the cert is issued for alarm.com. Not a big deal, but if the app tolerates that mismatch it does make a MitM a little easier.
- All communication to and from the phone is over HTTPS.
- Alarm.com is in Ashburn, VA! Local folks.
I would post the *.pcap, but they are as exciting as an HTTP request through SSL can be. I didn't go the route of setting up a private CA and doing sslsniff. This was just a quick verification that I wasn't handing my home over to script kiddies.
Next I took a look at the storage on the Android phone. Most of the files associated with the app can be found in /data/data/com.alarm.alarmmobile.android. The directory printout:
# ls -la
drwxr-x--x 1 app_108 app_108 2048 Mar 18 03:26 .
drwxrwx--x 1 system system 2048 Mar 18 13:22 ..
drwxrwx--x 1 app_108 app_108 2048 Mar 15 18:43 cache
drwxrwx--x 1 app_108 app_108 2048 Mar 15 19:29 databases
drwxrwx--x 1 app_108 app_108 2048 Mar 15 18:42 files
drwxr-xr-x 1 system system 2048 Mar 18 03:26 lib
drwxrwx--x 1 app_108 app_108 2048 Mar 18 13:51 shared_prefs
It appears the app stores the authentication as an auth token, as seen in this shared_prefs entry:
<int name="SESSION_INFO_CUSTOMER_ID_KEY" value="***" />
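Two quick checks follow from the listing and the shared_prefs entry above: which entries in the app's data directory every other app on the device can read, write or at least traverse, and which preference keys look like session or credential material. The script below is an added example and not code from the original post; the listing is the one printed above, while the shared_prefs XML is constructed (the first entry is the one quoted above, EXAMPLE_SESSION_TOKEN is a made-up key name standing in for whatever the real token key is called). The ls regex targets the column layout of this particular listing.

```python
import re
import xml.etree.ElementTree as ET

# Listing of /data/data/com.alarm.alarmmobile.android as printed above.
LS_OUTPUT = """\
drwxr-x--x 1 app_108 app_108 2048 Mar 18 03:26 .
drwxrwx--x 1 system system 2048 Mar 18 13:22 ..
drwxrwx--x 1 app_108 app_108 2048 Mar 15 18:43 cache
drwxrwx--x 1 app_108 app_108 2048 Mar 15 19:29 databases
drwxrwx--x 1 app_108 app_108 2048 Mar 15 18:42 files
drwxr-xr-x 1 system system 2048 Mar 18 03:26 lib
drwxrwx--x 1 app_108 app_108 2048 Mar 18 13:51 shared_prefs
"""

# Constructed shared_prefs file. Only the first entry comes from the page;
# EXAMPLE_SESSION_TOKEN is a placeholder name, not the app's real key.
PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="SESSION_INFO_CUSTOMER_ID_KEY" value="***" />
    <string name="EXAMPLE_SESSION_TOKEN">***</string>
    <boolean name="SHOW_TIPS" value="true" />
</map>
"""

# mode, links, owner, group, size, month, day, time, name (this listing's layout)
LS_RE = re.compile(
    r"^([dl-][rwx-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\w+\s+\d+\s+[\d:]+\s+(.+)$"
)
# Key names that usually hold something worth protecting.
SENSITIVE = re.compile(r"(session|token|auth|pass|secret|cred|key)", re.I)


def parse_ls(listing):
    """Turn 'ls -la' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if m:
            entries.append({"mode": m.group(1), "owner": m.group(2),
                            "group": m.group(3), "name": m.group(4)})
    return entries


def review_listing(listing):
    """Map each entry name to what the 'other' class (every other app, since
    each Android app runs as its own uid) can do with it."""
    report = {}
    for e in parse_ls(listing):
        other = e["mode"][7:10]
        flags = []
        if "r" in other:
            flags.append("world-readable")
        if "w" in other:
            flags.append("world-writable")
        # x without r on a directory: other apps cannot list it, but can open
        # anything inside it whose exact path they know.
        if "x" in other and "r" not in other and e["mode"][0] == "d":
            flags.append("traversable-only")
        report[e["name"]] = ",".join(flags) or "private"
    return report


def sensitive_prefs(xml_text):
    """Return (tag, key name) for every shared_prefs entry whose key name
    looks like session or credential material. Values are not inspected."""
    root = ET.fromstring(xml_text)
    return [(el.tag, el.get("name", "")) for el in root
            if SENSITIVE.search(el.get("name", ""))]


if __name__ == "__main__":
    for name, verdict in review_listing(LS_OUTPUT).items():
        print(f"{name:14s} {verdict}")
    for tag, key in sensitive_prefs(PREFS_XML):
        print(f"sensitive pref: <{tag} name={key!r}>")
```

Every app-owned directory in the listing is traversable by other apps, so the protection of anything in shared_prefs rests entirely on the mode bits of the individual XML files, which this listing does not show; an `ls -la shared_prefs` is the next thing to pull. On a rooted phone, or with a backup, none of that matters and the token is readable outright.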
Next I moved into the databases directory and took a look at the contents. webview.db held the majority of the information:
All in all, the application looks pretty secure. The token is the weak link. Given some more time I might try to see what calls are exchanged between the phone and their web service.