Blog

How To Defeat a Security Alarm: Crash and Smash Attack

One of the reasons I love being a security professional is the never ending chess game we get to play with criminals. We invent a new security measure and they try to figure out how to defeat it. They invent a new security system attack and we try to figure out how to stop them and/or catch them in the act. The “Crash and Smash” attack is one commonly used by burglars to defeat security alarms. Here’s how it works.

The burglar kicks in an entry door. Entry doors are doors that the security alarm allows you to use when you come home. Rather than sounding the alarm right away, when you open an entry door the alarm starts beeping and counting down for 30, 45 or 60 seconds giving you time to walk to your keypad and disarm the alarm system. Unfortunately your security alarm can’t tell the difference between a burglar kicking in the door and you walking in as usual, so it treats the burglar just like you and waits 30 to 60 seconds before the alarm goes off. Residential doors are surprisingly easy to kick in unless you have a reinforced door frame.
The burglar uses that 30 to 60 second entry delay to quickly search your house for the alarm panel. This isn’t always easy, but it’s very doable. As a security alarm professional when I am doing a home security assessment I can usually find the main alarm panel in the first or second place I look, which is often necessary because many homeowners don’t know where their alarm panel is. First I check the basement and if it’s not in the basement then I check the closets. If you think 30 to 60 seconds is too short to find your alarm panel think again. Try this – time yourself coming in the front door and running to your alarm panel. Chances are you will get there in 10 seconds or less. That leaves you at least 20 seconds to destroy the alarm panel.
The burglar destroys the alarm panel before the 30 to 60 second entry delay countdown runs out. Security alarms don’t call to alert the police until after this entry delay countdown has run out and the alarm siren is going off. If the burglar successfully destroys or disables the alarm system before that 30 to 60 second entry delay countdown is up then the alarm will not call and alert the police! At this point your security alarm is useless. Is your alarm panel in a locked metal box? It doesn’t matter! All they have to do is tear the metal box off the wall or simply cut the wires coming out of the metal box that go to the phone line. Even if you have a wireless cellular GSM based security alarm there are still wires connecting the alarm to the cell phone communicator. Even if the cell phone communicator is locked inside the metal box they can still destroy the wireless antenna, which due to the laws of physics can not be inside the metal box or it would not be able to communicate with the cell phone tower.

That’s how a crash and smash attack works. The crash is when the burglar kicks in the entry door. The smash is when the burglar smashes or disables the alarm panel before it calls out for help. The result is the burglar has rendered your fancy security alarm useless and can spend all the time he wants in your house because the cops haven’t been called.

The good news is Alarm.com has developed a clever method to detect this form of attack called “Crash and Smash Protection”. Rather than waiting for the entry delay countdown to finish, Alarm.com crash and smash protection sends out a signal immediately as soon as the entry door is opened saying “an entry door has just been opened, stand by for for a disarm confirmation”. If the Alarm.com security system doesn’t follow up by sending a disarm confirmation signal within a few minutes then Alarm.com assumes a burglar has destroyed your alarm panel and issues a crash and smash alarm signal to the central station who will then follow the normal burglary alarm protocol and dispatch the police if necessary. The video below illustrates how this works.

Alarm.com’s crash and smash protection is relatively new and most burglars aren’t aware of it yet. Most alarm systems don’t have it. ADT doesn’t have crash and smash protection. That’s right, if you have an ADT security alarm then you do not have crash and smash protection. Therefore many burglars faced with an Alarm.com system will assume they have successfully disabled your alarm by smashing it when in reality the police have been notified of the crash and smash alarm and are on their way.

Eventually burglars may invent a new attack to defeat Alarm.com’s crash and smash protection but we don’t see it happening in the near future. You can have the upper hand by using Alarm.com with crash and smash protection instead of outdated systems like ADT which are vulnerable to a simple crash and smash attack using nothing more than swift kick to an entry door and a baseball bat to the alarm panel. So goes another round in the never-ending chess game between criminal and security professional. It’s your move bad guys!

suretyCAM is your provider of Alarm.com security alarms with crash and smash protection in Columbus OH, central Ohio and the surrounding areas including Cincinnati and Cleveland. Call us toll free at 855-787-3891 to learn more.

Categories: Ryan Boder, Security and Automation

Tags: alarm, Alarm.com, break-in, burglar, crash and smash, criminal, defeat, intruder, security

About the Author:

Ryan Boder founded suretyCAM with a single goal – to shake up the security industry and show customers that it can be done differently, that it can be done better. The security industry needs a shot in the arm. Ryan brings a fresh perspective that is based on common sense as well as advanced engineering. His background as a software, electrical and computer engineer developing top secret military systems has given him the ideal technical foundation on which to build the next generation of security and automation services. suretyCAM is not a sales organization, it is a security engineering firm owned and managed by engineers. Our mission is to help you protect yourself by providing you with the tools and the knowledge to do so. Ryan’s experience in home security includes designing and installing custom security systems for the high-end residences of the rich and famous. Millionaires and even billionaires have trusted Ryan to design their home security systems and now he’s applying those same concepts to your home. Receiving a B.S. degree in Electrical and Computer Engineering, from Carnegie Mellon University and a M.S. degree in Computer Engineering, from Ohio State University, Ryan’s work has been featured in the United States Army and Navy systems as well as Israeli, French, South Korean and Italian defense systems. Ryan’s areas of expertise are security and automation systems, the cohesive integration of heterogeneous devices, QoS in wireless networks, instrumentation radar and motion control, distributed system design, real-time operating systems, reliable embedded systems, discrete event simulators, Internet and web based software, and project management. Contact Ryan at Ryan.Boder@suretyCAM.com or 855-787-3891 x 500.

Discussion

47 Comments
0 Trackbacks

John February 21, 2012

Ryan writes: “Alarm.com crash and smash protection sends out a signal immediately as soon as the entry door is opened”

What is “immediately”? 5-10 seconds? If the control panel and GSM unit are located in the keypad right by the front door, as is the case with these wireless alarm systems, they can be smashed before the alarm able to contact central station.

I find lots of marketing claims made by these wireless type systems that don’t stand up to the most basic scrutiny, such as locating the control panel inside the keypad at the front door is a supremely stupid idea.

From what I gather, the control panel (steel box) should be located in the attic, ensuring a minute or more passes before it can be reached.
(reply)
- Ryan Boder February 22, 2012
  
  Hi John, thanks for your comment. No, it does not take 5 to 10 seconds for the control panel to send the message to Alarm.com. I’ve tested it personally and I’ve always measured 1 to 4 seconds. It does take a few more seconds afterward for Alarm.com to send the confirmation back to the panel but that’s irrelevant since the signal already went through.
  
  You are correct, the control panel should not be placed next to the front door. That’s not where I would install it and that’s not where 2GIG recommends installing it. It should be located centrally in the house in a location that is not visible from an outside a window. Often we even install them in the master bedroom and then put a secondary touch screen by the front door, or people just use their phones to disarm before they enter so no keypad is needed by the door.
  
  You’re right, the longer it takes for the intruder to get to the control panel the better, but putting the control panel in a metal box does absolutely nothing to help the situation because all an intruder has to do is cut the wires coming out of the metal box and they’ve accomplished exactly the same thing as smashing the panel. Either the phone line or the wires from the GSM communicator or the antenna will be sticking out of the metal box and they are all just as vulnerable as an all-in-one system. The metal box only gives you a false sense of security. That’s a big part of the reason why all-in-one systems are so common now because putting the panel in a metal box doesn’t stand up to the most basic scrutiny.
  
  Best Regards, Ryan
  (reply)
  - John February 22, 2012
    
    Thanks for the reply Ryan.
    
    I like your idea of placing the primary 2GIG keypad in an upstairs bedroom, instead of by the front door, as is typical. This should really be the standard installation approach, but perhaps it’s not mentioned to the consumer, because it would then mean explaining that the entire “control panel” is located in the keypad. I know that makes me uncomfortable, regardless of any safety measures the 2GIG system may attempt to provide.
    
    Using the phone to disarm and having the entry door on a zero delay is also a creative approach, and something to consider (though it may be inconvenient).
    
    As for the traditional steel box control panel, as mentioned, the installation location is key, and I think the attic would be the most time consuming location for a criminal to reach (easily a minute or more in most houses). It’s extremely unlikely they would make it up to the attic, locate the box, and cut the wires in time.
    
    Additionally, alarm manufacturers should place the control panel and battery-powered GSM transmitter into a reinforced fiberglass box, instead of a steel box that blocks the antennae, so that the alarm signal would ALWAYS make it out out to central station. Such a box would withstand sledge hammer blows, yet still not block the GSM signal.
    (reply)
    - Ryan Boder February 23, 2012
      
      Using a fiberglass box instead of metal is an interesting idea. Then the GSM communicator could be physically protected. I don’t know why none of the manufacturers have done that, but I’ll ask around. Of course, even if you used a fiberglass box a smart intruder could bring a their own metal box or even aluminum foil and cover the fiberglass box to prevent the cell phone call.
      (reply)
  - Sean August 15, 2012
    
    Locating this type of hardware is not recommended due to attic humidity and extreme temperatures. We locate our panels in different locations just to keep the criminals guessing.
    (reply)
  - flocker man February 18, 2013
    
    so can I just cut the wires from the metal box and kill the system
    (reply)
    - Ryan Boder February 18, 2013
      
      Cutting the wires coming out of the box will disable the system, just like smashing an all-on-one panel will disable it. The key is you need your system to send an alarm signal to the central station before it’s disabled. That’s what crash and smash protection accomplishes. There are other ways to accomplish the same thing, such as supervising the box with a motion detector.
      (reply)
- Jeff November 5, 2012
  
  According to ADT their system MAY not give an alarm code, but it DOES give a tampering code if the system is in a countdown and it tampered with. ADT takes tampering codes the same as an emergency code according to their customer service. While it may be semantics, the crash and smash should still trigger an alarm-in fact, more quickly than the typical alarm.
  (reply)
  - Ryan Boder November 6, 2012
    
    Hi Jeff,
    
    If the communicator on an ADT system is destroyed in a crash-and-smash attack then there is no way for the panel to send out the tamper signal. What you’re describing is only true if the intruder tampers with the system without actually destroying the communicator. However, that would not be a crash-and-smash attack – that would just be a crash-and-tamper attack. Any old alarm system can handle that.
    
    With Alarm.com crash-and-smash protection the initial signal is sent out immediately when the entry door is opened so even if the communicator is completely destroyed seconds later Alarm.com will still detect the break-in.
    
    Best Regards,
    Ryan
    (reply)
John February 21, 2012

Ryan writes: “many burglars faced with an Alarm.com system will assume they have successfully disabled your alarm by smashing it”

This alone is a problem. A burglar should not be emboldened to enter and smash a keypad/control panel. Even if the control panel/keypad is able to transmit the signal before being smashed, the crook still has 30 seconds before central station determines the password was not entered, then makes a call to the homeowner, then finally 3-5 minutes later the police are called.

So the alarm has “worked” and was not defeated entirely, but the crook had 3-5 minutes to steal things and is long gone.
(reply)
- Ryan Boder February 22, 2012
  
  Hi again John, you raise a lot of good points and are a critical thinker like me. I appreciate that very much.
  
  Why would the burglar be emboldened to enter and smash the panel any more than with a traditional system? Crash and smash attacks are not a recent development or necessarily related to wireless systems, crash and smash attacks are just as possible with a traditional system in a metal box by simply cutting the wires coming out of the box, as described in my other comment. Crash and smash protection is a solution to this problem developed by Alarm.com that would apply just as well to a wired system. The burglar shouldn’t know what kind of system is installed or where the main control panel is anyway.
  
  At the option of the home owner, the central station can call the police first when a crash and smash event occurs since that’s not likely to be a false alarm. What you’re doing with these questions is exactly why I love this industry, it’s a chess game between us and the bad guys. Keep it up and if you have any suggestions or questions please post them for others to benefit from.
  
  Best Regards, Ryan
  (reply)
  - John February 22, 2012
    
    The difference is if a shady repair man observes an all-in-one panel while in the home on Monday, they will believe they can return on Tuesday, kick in the front door and smash the keypad quickly enough, and the alarm will be disabled.
    
    Moving the primary keypad upstairs as you suggested will mostly address the problem, but how many installers are making such a recommendation?
    
    Please help me with this scenario:
    
    1) A crook kicks open the front door.
    
    2) The system successfully notifies central station that a door is opened and to expect a disarm code soon.
    
    3) Crook smashes keypad control panel.
    
    4a) How much time will pass before central station determines that the disarm code has not been entered, and an alarm condition is underway? This strikes me as a key weakness.
    
    Another important question, when is the siren disabled? The tiny siren in the keypad is not a siren, but assuming a real siren has been installed, when will that trigger, and what event can silence it?
    (reply)
    - Ryan Boder February 23, 2012
      
      I don’t know how many installers are making the recommendation to install the main control panel in the master bedroom, but we are. One difficulty we run into doing that with the 2GIG panels is that the main control panel won’t let you turn off the LED lights around the Home and Emergency buttons so those lights are on in your bedroom at night. They’re not too bright but we have had customers complain about that. Sometimes we install the main panel in the master bedroom closet so the lights won’t bother them. The TS1 secondary touch screen keypad doesn’t have this problem, just the main panel. I’ve been complaining to 2GIG about this issue for a while now and I expect it to be corrected soon.
      
      The amount of time it takes to determine a crash and smash has occurred is the just the entry delay (30 seconds). Then Alarm.com waits whatever time you have programmed in the dialer delay before calling the central station (15 seconds). So it would take 45 seconds before the call to the central station is initiated. It may actually be a couple extra seconds on top of that to avoid error. However, the time it takes for the police to come eclipses that 47 seconds.
      
      If you’re using a hard wired siren, then smashing the panel or cutting the wires will disable that siren. If you’re using a wireless (Z-Wave) siren then it will continue sounding even after the panel is smashed, you would have to smash the siren itself to disable it. Of course in any of these cases the siren won’t sound until the entry delay is up and if the panel is smashed by then it won’t sound at all.
      
      Different people have different security requirements and it sounds like yours are high. Another method we use to prevent crash and smash attacks all together is by reinforcing the entry door so it can’t be kicked in. Have you see our Strikemaster II Pro door frame reinforcement?
      
      http://suretycam.com/2011/08/30/strikemaster-ii-pro-cost-effective-security/
      (reply)
  - Dilaney October 8, 2012
    
    The burglar is “emboldened to enter and smash the panel (self-contained alarm system)” because of its physical appearance and size. You can very easily tell by looking at an alarm system’s keypad which is simply a keypad and which is large enough to contain the communicator and back-up battery.
    
    All burglars are not as stupid as most people believe. Therefore, when you design and install an alarm system, you should always assume that the potential burglar has as much knowledge of the security system as the professional technician who is installing it.
    
    Twenty years ago there was little knowledge of alarm systems and how they worked. That’s not the case today, especially with internet sites promoting criminal activities and providing information on-line such as how to make a “bump-key”.
    (reply)
    - Ryan Boder October 19, 2012
      
      Hi Dilaney,
      
      I agree burglars are getting smarter and we’ll always be working to stay a few steps ahead of them. It’s arguable that all-in-one units embolden burglars but a smart burglar would also know that with a traditional keypad system they can kick in the entry door and have 30 seconds find the main panel and either destroy it or simply cut the wires between the panel and the communicator. The keypad or all-in-one unit shouldn’t be visible from outside anyway. The solution isn’t to disregard all-in-one units, it’s to think of the security system as a complete system and design the entire system to protect against vulnerabilities. Crash and smash protection is a great tool we can utilize when designing a secure home system and a secure system can certainly be designed with an all-in-one unit but care must be taken as with any system.
      
      Best Regards,
      Ryan
      (reply)
Lanita May 19, 2012

So what’s your conclusion John?
(reply)
Steve August 24, 2012

Wow. I was a victim of a Crash and Smash . but now iv got a top of the line security . its an app on my phone it sends you a emergency text or notification stating your alarm went off and i also have security cameras which i can see when alarm is triggered or thermal detection is good way to catch burglars. its a bit expensiver. what i recommend is a dog too, or rig your smoke or CM alarm to your security, dont go for ADT and other systems. they are b.s and dont work.
(reply)
- Ryan Boder October 21, 2012
  
  Hi Steve,
  
  I agree! Try suretyCAM Alarm.com with crash and smash protection.
  
  Best Regards,
  Ryan
  (reply)
Dilaney October 7, 2012

I applaud your efforts on providing information about alarm systems and how they actually work. It’s a refreshing change from other websites.

While you are correct in your statement that “different people have different security requirements”, I’m the type who believes that NO ONE needs the “security” provided by an all-in-one self-contained keypad alarm system which uses an unsupervised telephone line to communicate to the monitoring station.

This is a piece of junk product which shouldn’t be sold WITHOUT extensive warnings – better would be to remove them from shelves entirely.

“Crash-and-Smash” technology was “developed” in the sole interest of reinforcing the rather obvious weakness with placing the alarm’s communicator inside the keypad where it is exposed for attack at the front door. So we now have a pre-alert signal being transmitted when the door contact is first opened (not at the end of the entry delay) and the tramsmission is made by cellular instead of telephone.

From a strictly SECURITY point of view, there is no logical reason for exposing the most vital part of the alarm system (communicator) at the front door, even if it is cellular.

At least you are explaining to your customers that they should re-locate the communicator keypad and install another keypad at the front door. If you listen to your competitors, they’re all bragging how everything is completely solved by “Crash-and-Smash” and that only the best alarm systems use this “technology”.

What they aren’t telling their customers are the actual LIMITATIONS to “Crash-and-Smash” – which can ONLY work if the alarm system is armed – AND if the door contact is opened first.

What happens if the burglar breaks a glass side-light and then smashes the keypad? What if he cuts a hole in the front door to enter and the door contact is never opened BEFORE the keypad is “Smashed”?

The best security systems hide the control panel’s communicator, preferably inside a locked room. Motion detector which don’t have entry delays must be tripped FIRST before the intruder can even approach the control panel’s hidden location. The motion detectors which help to secure the alarm communicator MUST also be active when the homeowners are inside sleeping with the alarm system armed in STAY mode.

The BEST alarm systems communicate wirelessly to the monitoring station, either through cellular or long-range radio. I prefer networked radio which has advantages over cellular such as not being dependant on a single cell tower. Multiple communication pathways to the monitoring station are available by using all of the monitoring station’s clients’ installed radios as “towers”.

More products designed to jam cellular signals are surfacing on the market, which is why I only use cellular if the client is outside of radio range to the monitoring station.

Finally, the technology that will ensure notification of a destroyed alarm communicator under ANY circumstances is “supervised heart-beats”. Once the heart-beats stop, the monitoring station is aware that something may be “up”, regardless of whether or not the alarm system is ARMED (as is the case with “Crash-and-Smash”).

While placing the alarm communicator inside the attic [as suggested by another commenter] is not recommended due to the harsh environment, hiding the communicator on an upstairs floor is a better alternative than the basement. Your suggestion of the master bedroom closet is valid as the burglar would have to go through more levels (and floors) of detection before reaching the communicator. A motion detector inside the master bedroom is a required component of the alarm system, both to supervise the control panel inside the closet and also because a burglar is sure to “visit” the master bedroom..

When designing a security system, the ONLY motion detectors which should follow an entry delay are those in direct line-of-sight to a keypad. Therefore, if someone decides to program a ridiculously long entry delay of 60-seconds on the front door contact, it won’t matter because motion detectors will be tripped and provide an instant alarm once the burglar enters the interior living space.

I love your suggestion of reinforcing the front door. Keep up the EXCELLENT work!
(reply)
- Ryan Boder October 19, 2012
  
  Hi Dilaney,
  
  Wow good post! A lot of good points! I differ from you a little in that I think cellular all-in-one units are actually very useful security systems, the security designer just needs to be aware of their vulnerabilities and account for them. You’re right that crash and smash protection only works when the system is armed but I don’t see the significance of that point – alarm systems in general only work when the system is armed. It doesn’t matter where the communicator is, if the system isn’t armed it doesn’t do much at all to protect the home. If someone does break in via a window or other means then the strategically placed motion detectors and glass break sensors should get them before they smash the panel and those would send immediate alarms with no entry delay so crash and smash protection isn’t applicable in that situation. Same applies if a hole is cut on the front door, motion detectors get them and send an immediate alarm. Heart beats do detect a smashed panel but they are limited by the frequency of the heart beat. All the panels I’m aware of use heart beats with a minimum interval of about 5 minutes and they don’t trigger an alarm unless the receiver misses 2 heart beats in a row so nothing would be detected for 5 to 10 minutes at best. You might try thinking about crash and smash protection as an improvement on heart-beat technology in the specific case of a crash and smash attack because it’s the same concept but it improves the detection time from 5-10 minutes down to 1-2 minutes. Keep in mind that crash and smash protection is in addition to heart-beat technology, the Alarm.com systems with crash and smash protection also utilize heart-beat technology. If you really care about security then hide the main panel with the communicator in your “safe room” and pay for a secondary keypad by the front door but even a cellular all-in-one unit by the front door with crash and smash protection is still a lot better than nothing at all – and a lot better than a land line alarm system. We’ve seen customer’s land line systems fail due to telephone line cuts but I have yet to see a crash and smash system get defected by a burglar. Those differences aside, I absolutely agree with you on most of your points, keep up the good work!
  
  Best Regards,
  Ryan
  (reply)
  - Dilaney October 19, 2012
    
    Hi Ryan,
    
    Thanks for your reply.
    
    Let’s imagine a worst case scenario such as a home invasion when the homeowners are at home during the day with their alarm system disarmed. The front door is kicked in by thugs and the all-in-one self-contained keypad at the front door is “Smashed”.
    
    The alarm.com “Crash-and-Smash” feature obviously will not work in this example. The bigger question is whether or not any additional panic buttons of the alarm system (located in other rooms or wireless models) will work if the homeowners can get to them because the alarm’s communicator has just been “Smashed”.
    
    When you stated that it “doesn’t matter where the communicator is, if the system isn’t armed it doesn’t do much at all to protect the home”, you’ve neglected 24-hour zones such as smoke detectors and panic buttons.
    
    In this example, which is extremely unlikely to occur, the all-in-one keypad at the front door is a bad idea (which we both agree on). “Crash-and-Smash” provides no security for the homeowners in this case.
    
    BUT – - it this poorly installed system was backed up with supervised heartbeats, the monitoring station would be making a call in approximately 5 to 10 minutes, as you have correctly pointed out. Without the heartbeats, the homeowners are strictly on their own.
    
    Heartbeats will work regardless of whether the panel is armed or not. Any type of “Crash-and-Smash” detection requires that at least some devices must be armed. A communicator inside a locked storage room could have a motion detector inside the storage room armed on a separate partition from the home, providing 24-hour “Crash-and-Smash” detection for the communicator.
    
    The MOST important part of your reply concerning self-contained alarm systems is that “the security designer just needs to be aware of their vulnerabilities and account for them”.
    
    These units are being shipped to clients for self-installation by a lot of competitor alarm companies. The client (homeowner) now becomes the “security designer” and has absolutely zero knowledge of the weaknesses and vulnerabilities of “Crash-and-Smash”.
    
    Most homeowners will still install the self-contained keypad at the front door, but then they add a motion detector to “look at the keypad”, as they may think this provides a back-up. The only problem is that the motion detector doesn’t work in STAY mode, when they’re at home – - when they really need it to work!
    
    Who besides you and I are recommending (quite correctly) to readers that they should hide the main self-contained control panel unit and to purchase a secondary keypad to install at the front door?
    
    Once you relocate the main unit to an interior area of the home, such as the master bedroom closet as you suggested, you automatically achieve “Crash-and-Smash” detection from all of the interior motion detectors which are armed and activated as the intruder “trips them” BEFORE he finds the main control panel.
    
    Competent security designers and professional alarm installers have been providing “Crash-and-Smash” detection for their clients by hiding the main control panel for many, many years before the term became part of our vernacular.
    
    In this regard, ANY alarm system can be set-up to provide “Crash-and-Smash” detection – it’s not exclusive to alarm.com.
    
    If installers (who may be homeowners) don’t understand EXACTLY how alarm.com’s “Crash-and-Smash” detection actually works, and don’t take into account its limitations, it may not work at all.
    
    I do agree with you entirely that cellular all-in-one units could be a very useful security system – but since you and I are ALWAYS going to relocate and hide the main control unit, what was the point of this “design”? The “design” is leading people to believe that they can safely install the keypad/communicator at the front door.
    
    The fact that you relocate the self-contained main control panel should point out and reinforce to your clients and readers where your true priorities lie – with their safety.
    
    Unfortunately, not all alarm companies have this level of concern towards their clients, which is why I applaud your efforts.
    
    Stay well!
    
    Dilaney
    (reply)
    - Ryan Boder October 21, 2012
      
      Hi Dilaney,
      
      You’re right, panic buttons won’t work if the communicator is destroyed. However, in the case that the owner is home when the break-in occurs I recommend that they don’t use a panic button anyway, I recommend that they use their cell phone to call 911. I don’t use a lot of panic buttons in residential designs for that very reason. Why use a panic button to signal the central station so they can call the police for you? Just call the 911 directly and reduce the response time. I’m not clear on why 24 hour fire detectors would matter in the case of crash and smash attacks but you’re right about that too.
      
      All Alarm.com systems are supervised with heartbeats so I think we are in agreement that Alarm.com is not weak here.
      
      I completely disagree that hiding the communicator or locating it centrally automatically achieves crash and smash protection. At best the entry delay is 30 seconds. 30 seconds is a long time, long enough to get anywhere in the house, locate the communicator and disable it. In 30 seconds the intruder can check the basement, the master bedroom and every closet in the house. Take a typical ADT system, for example, that doesn’t have crash and smash protection… All I have to do is kick in the door, find the control panel box and disable the communicator within 30 seconds – the system has been defeated. Now consider an Alarm.com system with crash and smash protection… Even if the communicator is right out in the open on the first floor, crash and smash protection still works. As soon as the front door is kicked in a signal is sent to Alarm.com to start the crash and smash count down at their end. Now even if you smash the communicator with a few seconds Alarm.com has already been notified and is waiting for the disarm confirmation signal which, when not received, will trigger a crash and smash event within a couple minutes – the system has not been defeated.
      
      I absolutely agree that hiding the communicator is better than not hiding the communicator and I don’t recommend that people put it on the first floor right out in the open. However, I think an Alarm.com all-on-one unit with crash and smash protection is better than nothing at all. I also think it’s better than a traditional system with no crash and smash protection but a hidden communicator, which is where it seems we disagree. I think we definitely agree that a system with a hidden communicator and crash and smash protection is the best system of all. However, as with anything, homeowners have to make a decision whether the additional cost of the best system is worth it to them. The cost savings of an all-in-one unit installation are significant and the homeowner should be informed by their security designer of the trade-offs so they can make an educated decision on what’s best for them.
      
      I applaud the level of detail at which you think about this stuff. Do you work in the security industry? If not, maybe you should, you’d be good at it.
      
      Best Regards,
      Ryan
      (reply)
      - Dilaney October 22, 2012
        
        Hi again Ryan,
        
        I didn’t say “Crash-and-Smash detection” was “automatic” by just hiding the communicator. I wrote that it becomes “automatic” PROVIDED that you have motion detectors supervising the hidden communicator which do NOT follow the entry delay and which are tripped first, BEFORE the burglar finds the control panel.
        
        When someone is told that Alarm System “A” has “Crash-and-Smash” detection but that Alarm System “B” doesn’t, what they immediately believe (without it actually being out-right said) is that Alarm System “B” is somehow an inferior product BECAUSE it lacks “Crash-and-Smash” detection.
        
        What they aren’t told, or able to understand, is that Alarm System “B” COULD be set-up to provide “Crash-and-Smash” detection, but that it MUST be installed and programmed in a very specific way.
        
        Understanding how alarms actually work, as well as discussing tactics that criminals may use in attempting to defeat security systems, is essential for consumers to understand in order to determine which alarm company is providing a better service.
        
        There really are no excuses today for a bad alarm system design or installation other than incompetence or complete disregard for the clients’ security by the alarm installing company.
        
        You’ve already pointed out to your readers how most of the “competition” is still “pumping out” very weak alarm installations on a daily basis. This doesn’t have to be the case.
        
        These same alarm competitors could IMMEDIATELY provide better security for their clients [with no change in their actual alarm equipment and relatively little additional labor costs] with the simple installation change of hiding the communicator and then programming motion detectors which are supervising the communicator to be ACTIVE during an entry delay. Celullar communicators for alarm transmissions instead of telephone lines also wouldn’t hurt.
        
        But they’re NOT.
        
        What does this say about the “other guys” when compared to your company which is taking an alarm.com cellular system [which is VERY secure right out-of-the-box] and then actually IMPROVING it by relocating the communicator away from the front door?
        
        When I tried to discuss this on other alarm company sites which also have blogs as you do, they didn’t publish my comments! So not only do these “other guys” NOT care about their clients’ security, when someone writes in with a few embarrassing questions, they SUPPRESS the information WITHOUT changing their equipment, misleading publicity or their installation methods!
        
        Yes, I am in the security industry and just as you are, I’m fed up with how some alarm companies continue to provide questionable installations and/or product and mislead their clients into believing that they have purchased “security”.
        
        Thanks for your continued efforts in exposing what you and I both know to be the “dirty little secrets” about the alarm industry. If consumers have more knowledge about what constitutes a professional alarm system installation, they’ll be able to tell when they’re being taken for a ride.
        
        From one professional to another, keep up the great work!
        
        Dilaney
        
        P.S. You and I are security designers who inform our clients about the various security options available to them so that they can make an informed decision. The rest are “alarm salespeople” who are pushing product, whether it completely meets the security needs of their clients or NOT. There’s a BIG difference.
      - Ryan Boder October 24, 2012
        
        Oh my mistake, I somehow overlooked what you said about having an immediate motion sensor guarding the panel. Yes, I would consider that to be better than Alarm.com’s crash and smash protection because it would send the alarm signal in 30 seconds after the door kick-in as opposed to 2 minutes with crash and smash protection. Do you ever have trouble finding a location to put the communicator where it can be supervised by an immediate motion detector without causing false alarms in stay mode because the homeowner is walking around? I’m not aware of a zone type that would keep the motion detector active during entry delay but have it inactive in stay mode. Does this exist? If so, which panel and what’s the zone type?
        
        Thanks,
        Ryan
  - Dilaney October 23, 2012
    
    Hi Ryan,
    
    You responded to me with: “Same applies if a hole is cut on the front door, motion detectors get them [burglar] and send an immediate alarm”.
    
    However, in order for a motion detector to “get them”, several things must be carefully considered:
    
    1 – There MUST be a motion detector “pointed at” the front door communicator keypad. Most installers assume that everything is completely covered by the “Crash-and-Smash” technology built into the keypad and therefore use a motion detector further INSIDE the home, covering more interior space but not supervising the communicator keypad. If there is no motion detector supervising the keypad, a hole cut into the door allows access to it.
    2 – The alarm system MUST be armed in AWAY mode. If there is a motion detector “pointed at the keypad”, then this motion detector is usually inactive in STAY mode when the house is occupied. Otherwise, the homeowners must be instructed how to re-arm certain motion detectors [such as the one at the front door] while they are inside sleeping.
    3 – An additional means of disarming the alarm system from the interior by the homeowners, such as a second keypad in the master bedroom or Smartphone app is required, since an active motion detector is being used to supervise the front door’s communicator keypad [while the homeowners are inside sleeping].
    
    There are a LOT of points to take into consideration when designing a securtiy system, which the average homeowner [and some installers] cannot even begin to comprehend!
    
    Yet today “alarm systems” are being sold as “lick-and-stick kits in-a-box” everywhere for self-installation!
    
    Education is the key, and your readers should now understand and appreciate the HUGE difference in security that is provided by you relocating the main communicator keypad.
    
    All the best!
    (reply)
    - Ryan Boder October 24, 2012
      
      I agree and I’m impressed. Very good points. Which company do you work for? (if you don’t mind me asking)
      (reply)
      - Dilaney October 24, 2012
        
        I own a small “Mom and Pop” alarm company in Montreal, Quebec (Canada).
        
        DSC (Digital Security Control) panels have a zone defined as “Option 32 – Instant Stay/Away”. This zone will be bypassed in STAY mode, but will provide an INSTANT alarm in AWAY mode during the entry delay.
        
        I don’t have issues with clients setting off motion detectors which supervise the panel since this is properly explained to them beforehand. Usually, this type of installation takes advantage of a small, rarely used and locked utility closet which the homeowners don’t go into often to begin with.
        
        Any alarm system can only work as long as it remains functional. By moving the communicator upstairs into the master bedroom closet, as you do, it increases the odds that an alarm will be transmitted by several motion detectors and/or door contacts on the lower floors before the burglar actually finds the equipment to destroy it.
        
        Quality of alarm installation is a very, very important consideration when choosing an alarm service provider, which consumers typically only find out about AFTER the fact, if they don’t ask the right questions or are only looking at the lowest prices.
      - Ryan Boder October 26, 2012
        
        If you ever feel like moving to Columbus, OH, USA, you have a job offer!
rive October 19, 2012

This is how I would do it. Put a touch pad by front door, put the main panel in another part of house in an area protected by a infared motion with no delay.

Even if they use the 30-45 seconds to locate main panel, the motion will catch them before they can actually smash the main panel, and alarm it instantly
(reply)
- Dilaney October 22, 2012
  
  Hi Rive,
  
  Thanks for backing up my previous comment.
  
  Older alarm panels had a problematic security design weakness in that interior motion detectors “followed” the front door’s entry delay. This meant that once a burglar FIRST kicked down the front door which triggered the entry delay, ALL of the interior motion detectors strategically placed around the home would be INACTIVE during the time allotted for the entry delay.
  
  If the time programmed for the entry delay was 30 seconds, the thief had 30 seconds to locate and destroy the alarm communicator AFTER kicking down the front door.
  
  This is no longer true with today’s alarm panels. Motion detectors can now be programmed to provide an immediate and instantaneous alarm – even if the front door contact has been kicked in FIRST.
  
  Of course, this set-up depends upon the alarm installer actually understanding how to design and install the security system properly and then program the motion detectors accordingly. Some installers still “don’t get it”.
  
  The mistake that I see some installers continue to make today is that they’ll install the main communicator in the basement where any motions detectors that could be used to supervise the alarm panel have been deactived in STAY mode by the homeowners who are inside the house.
  
  Ryan does understand alarm system design and truly does care about his clients’ security since he has adopted a standard installation practice of relocating the main communicator/keypad away from the front door and placing it upstairs inside the master bedroom closet. This clearly sets Ryan apart from most of the “competition”.
  (reply)
Jeff November 5, 2012

…and actually, I don’t think that moving the keypad is a true protection (as per the discussion after the article). At least with the two keypads I’ve had over the years, the sound eminates from the keypad-the beeping to alert you that you have 30 seconds to disarm the system. That makes a pretty good location system.
(reply)
- Ryan Boder November 6, 2012
  
  Hi Jeff,
  
  The point is that by not placing the main panel right next to the entry door, it would take time for the intruder to locate the panel even if it is beeping. By that time the initial crash-and-smash protection signal has already been sent out, so even if they do destroy the panel they are caught.
  
  Best Regards,
  Ryan
  (reply)
Guy January 6, 2013

Ryan: Very informative article and even more informative conversation happening here through the comments. Appreciate your time and effort to verbalize your thoughts concerning security. Much appreciated!

Dilaney: I am looking for a radio monitoring system for my existing alarm system. You seem to have the same passion for security as I do (with a little bit more knowledge than me). Since you are based in Montreal as well. Could you please get in contact with me? I’d like an estimate and a rundown on the technology on how it can be done. I hand assembled and meticulously installed my alarm system using many techniques that were discussed here, _BUT_ I don’t trust my phone line. People say I’m paranoid, but looking at the entry point of my house, cutting it and disabling my system is the easiest thing to do.

Thanks,

Guy – frosterg !at@ gmail.com
(reply)
- Ryan Boder January 21, 2013
  
  Hi Guy, thanks for the comments! FYI when we are switching a land line system to cellular we often use a DSC 3G3070 which your existing alarm can communicate with via it’s land line dialer.
  
  http://www.dsc.com/index.php?n=Products&o=view&id=1401
  (reply)
- Dilaney February 11, 2013
  
  Hi Guy,
  
  I seem to be having trouble with your email address. Please contact me at:
  
  dilaney@videotron.ca
  
  Thanks!
  (reply)
Mike January 20, 2013

Hello all, I find the back and forth over which panel and which location is better a little amusing, 99.9 percent of all systems installed use the reed switch which is over 70 years old and can easily be defeated with $10.00 worth of equipment. If you really want to get fancy you can buy a stun gun and a cell jammer and render any home security system useless.

Reed switch defeat with a defeat magnet (use a compass to locate installed magnet)
Stun gun creates a lightning strike to blow up a panel and or fuse the contacts together.
Wire cutter to cut phone line and or cable line.
Cell jammer to jam any radio signal.

So with less than $500 worth of equipment anyone can defeat any home system.

Yes I am in the industry for over 25 and all in one systems are worthless at providing real security. I am also a National Industrial Security Systems expert / Department of Defense.

There many other techniques which I will not publish, but all of the ones I have described above are common knowledge and can also be found on youtube.
(reply)
- Ryan Boder January 21, 2013
  
  Hi Mike,
  
  You are certainly right about defeating reed switches as well as your other methods of attacking a home security alarm, but I don’t think your assertion that all-in-one systems are worthless is a reasonable conclusion. It doesn’t even make sense…
  
  1) None of the techniques you described have anything to do with “all in one systems” vs traditional “panel in a can systems”. In fact, the stun gun attack you described which works on traditional systems doesn’t work on all-in-one systems because they tend to use wireless sensors and aren’t electrically connected to the main panel so all you would do is fry one sensor, not the whole system. The other 3 attacks apply to all systems, not just all-in-one systems.
  
  2) Just because reed switches can be defeated doesn’t mean they are useless. Even if they serve no security purpose against an intruder, they still serve to trigger the 30 second entry delay for the homeowner and the interior motion detectors still provide security if they are defeated. If you defeat the reed switch you’ll just get detected by the motion detectors inside the house. Are you familiar with Magnasphere sensors? http://www.magnasphere.com/ They can be used in place of reed switches with any alarm if you prefer.
  
  3) “Worthless” all-in-one systems are still deterring intruders every day and catching those burglars who aren’t smart enough to defeat them, which is most of them. If one has enough valuables to entice a security expert like yourself to attempt a break-in then perhaps they should invest in a higher end security system. All-in-one systems with reed switches and motion detectors are a good value for the average homeowner.
  
  Best Regards,
  Ryan
  (reply)
- Dilaney February 11, 2013
  
  Hi Mike,
  
  The point of our postings was to show how that the “typical burglar” can get past and defeat a poorly installed alarm system without the need for any of the expensive “tools” which you’ve described.
  
  You’ve neglected information from my previous posts:
  
  • A cellular jammer works on cellular signals, not radio frequencies. Our networked radio communicators are not defeated by a cellular jammer. They have multiple pathways to reach the monitoring station, so if one is disrupted, they seek an alternative route.
  • Supervised heartbeats provide notification 24/7 of destroyed alarm equipment. This ensures that if the alarm equipment is destroyed (even by the cleaning staff while the alarm system is disarmed) that the monitoring station will be aware within 6 minutes of the attack.
  
  Most so-called “professional security systems” that I see by my competition are very poorly installed and I am easily able to defeat them, BEFORE they create any sort of alarm. The homeowners that I have to explain this to are obviously very upset that they paid money for “an alarm system” that I can get past and disable without requiring any special tools.
  
  I have not yet seen a sophisticated alarm system attack of the nature which you have described. But as I’ve pointed out, a radio communicator with supervised heartbeats will provide notification of a stun-gun attack by a smart crook with $500.00 of techno gear.
  (reply)
- rive April 27, 2013
  
  No.
  
  The 2gig systems also have an option to enable detection of rf jamming and cause a trouble (much like tamper causes trouble) (Q65 (1))
  
  If a 345mhz jammer is used this will immediately put the panel into a trouble state and signal CS (if it doesn’t outright alarm the system, there seems to be much confusion regarding this aspect)
  
  CS can be directed to treat a jamming trouble as a dispatchable initiating signal
  (reply)
ObiQuiet February 23, 2013

Interesting discussion! Question: What is the typical transmit time for the initial crash & smash signal? 2s? 10s?
(reply)
- Ryan Boder February 25, 2013
  
  It’s at least as long as the entry delay with some extra time to allow for signal delays.
  (reply)
ObiQuiet February 26, 2013

Hmm, maybe I wasn’t clear in my question… What I wanted to know was the time that it takes between event #1 and the completion of event #2 from the scenario posted above:

“1) A crook kicks open the front door.
2) The system successfully notifies central station that a door is opened and to expect a disarm code soon.
3) Crook smashes keypad control panel.
4) Central station determines that the disarm code has not been entered, ”

(Not the time it takes between #2 and #4.)
Thanks again!
(reply)
- Ryan Boder February 26, 2013
  
  That would depend on the cell tower and signal strength, but 2 seconds is a good estimate for the normal case. 10 seconds is probably possible but I’d think only when the cell tower connection is very bad. When we’ve tested this, albeit with good a good cell signal, it’s been no more than 1 or 2 seconds.
  (reply)
Bug March 22, 2013

Even if the alarm system still works, the delay from getting the police dispatched it at least 2 minutes. With all of your technology or not. Sophisticated or unsophisticated. Factor in travel time for law enforcement. One is rarely caught in a house. Here’s my thoughts. In any alarm situation a burg is in and out in less than 5 minutes. typically 2 minutes. Use any alarm company and any system because it won’t matter…he’s gone in minutes. The fear of what if drives him out. Here’s what works pretty close to 100%.

You don’t need cellular back up, or alarm.com. Put a sticky note on the keypad with “kids code has been programmed it’s 4567″. Leave it right on the keypad. The burg wil think you’re an idiot and of course use it to disarm. He’s just typed in the duress code. A duress dispatch is highest priority, much higher over a burg so your monitoring station will respond to it faster and higher priority for police so they will respond faster…a lot faster than burg dispatches. We have caught four perps in one year doing this. Four out of four for my company. Don’t waste your money on alarm.com.
(reply)
- Ryan Boder March 25, 2013
  
  Hi Bug,
  
  You have an interesting idea there but I have a few questions. 1) What if he cuts the phone line before breaking in and there is no cell backup? 2) What if the burglar doesn’t fall for it but smashes the panel instead? 3) What if the customer wants instant notifications on their phone, or other Alarm.com benefits?
  
  Our central station responds very quickly to burg and duress, not slowly like most do.
  (reply)
LowTech April 17, 2013

After reading most of the comments, it appears to me that the whole solution to the Crash and Smash scenario is to get rid of the exit / entry delay completely and have all alarm systems Armed/Disarmed by Keyfobs from outside of Homes/Businesses. For some Businesses, it might be a bit more difficult to implement when you have a “large” number of individuals with the ability to Arm/Disarm the System or when you have Cleaning Crews that need access to the premises after hours. We use Keyfobs at our residence and we have an Ademco VISTA 20P System, with one delay Exit/Entry Front Door and the Panel is very visible in the Utility room of a single level residence (Plan to conceal in a wooden cabinet).

After reading the above comments, I’m inclined to get rid of the delay on this door altogether, although all home burglaries I have seen in our City, the burglars have used the doors/windows at the rear of the property. The Front Door is very close to the Street (very visible) and you have to go through a secondary locked door before you are completely inside the residence.

For an Ademco Panel, what other methods are available to prevent Crash & Smash for a Panel located in an easy accessible room?
(reply)
- Ryan Boder April 17, 2013
  
  Hi LowTech,
  
  You’re right, disabling the entry delay all together and disarming from outside is absolutely the most secure way to do it. However, using keyfobs creates a security risk because if someone steals your keyfob then they can disarm your system without knowing your code. The most secure way to do it is to use an interactive system like Alarm.com and disarm from outside with the app. Make sure the app requires you to punch in a code so that way you’re still requiring a code but there’s no entry delay on the doors.
  
  One way to solve your problem is to protect the panel with a motion detector that’s programmed as an immediate or perimeter sensor. Or put the panel in a closet or cabinet with a contact on the door that’s programmed as immediate or perimeter. Just make sure there’s no way to reach the panel or the communication path without tripping that sensor first, and use a communication method that’s fast – i.e. use cellular or IP, not land line phone.
  
  Best Regards,
  Ryan
  (reply)

Subscribe to Comments

Add a Comment

4275 East Main St. Columbus, OH 43213

Blog

How To Defeat a Security Alarm: Crash and Smash Attack

Related Posts

Add a Comment

Request Call Back