Sometimes it takes a security scare to help improve your overall security posture. Case in point: Over the holidays, I learned that our alarm system — one of the most widely used home security systems in America — contains a default code that disables the alarm. Although entering this code simultaneously alerts the police that an intruder is in the house, it also could give thieves just enough time to get away with your valuables without alerting the neighbors.
Over the holidays, I lost my keychain. On said chain was a very expensive key fob for unlocking and starting our car, the keys to our front door, and a remote control that arms and disarms the alarm system. For several days, the wife and I searched frantically and repeatedly for the keys. Needless to say, I didn’t leave the house the whole time. In the hopes of perhaps disabling the alarm keyfob myself, I downloaded the user manual for my alarm system (a Safewatch Pro 3000), but I could not figure out a way to complete the process.
After of the fourth day of failing to locate the missing keys, we decided it was time to call a locksmith and ADT, our alarm company. The ADT technician arrived promptly and was extremely fast, courteous and helpful. But he said he couldn’t remove the fob without plugging in an external keyboard that he had on hand.
As he worked, I asked him about a feature of the alarm system that I’d read about in the manual: A duress code. Simply put, a duress code is a secondary, covert signal designed to be entered on the alarm keypad in the event that an attacker or robber ambushes you at home and forces you to disarm the system. A duress code will appear to disarm the system, but it will also send a silent panic alert to the ADT monitoring station that a potentially hostile intruder has entered the home.
I asked the technician how difficult it would be to set up a duress code for my system. He informed me that there was already one programmed into my unit, and that ADT technicians routinely set all systems like mine with the same default duress code: 2-5-8-0, the four digits that run straight down the middle of the keypad.
My temporary shock was interrupted by a phone call, and before I knew it the technician was done and heading to his next appointment. Later that evening, several Internet searches confirmed the technician’s statement. Thankfully, ADT helped me change the code to one of my choosing, but it took some trial and error via ADT’s phone support staff. The ADT support lady told me that my alarm panel indeed was supposed to be configured by the technician with a duress code of 2-5-8-0.
A duress code is an excellent idea, but default codes are almost always bad news. I was never told about this feature when the technician installed the system, and it is undocumented in the user manual. If you have a home security system, it might be a good idea to ask your alarm company if your system has a default duress code.
As luck would have it, we did ultimately find the lost key set — wedged deep between the seats in our car — but only after we’d already nullified two out of the three keys.
Glad you found your keys. Been there and done that. We went over and over the apartment and cars and just couldn’t find them. The key ring also contained work keys for a bank I worked for at the time. Not a good thing. I finally found them a month or so later in a toolbox that I only use occasionally. I had been working on the kid’s bikes and dropped them in the toolbox without noticing it. What a relief to finally found them.
I love the idea of a duress code and how it works. I had no idea that it was available, though I guess it makes sense.
But you appear to contradict yourself in the article. You asked the tech about a feature you’d read about in the user manual but you later say that it’s undocumented in the manual. Is it just mentioned but the process to set it isn’t documented?
Maybe I should be more explicit: The fact that it was policy to set the code at 2580 on those units was not documented.
This is a feature that would not be document in the owners user manual. It would be in the Technicians installion manual and in the technicians programming manual which are not given to the customer.
Yes, those manuals should not be given to the customer, but the customer should be told about the duress code “feature” in their alarm system, and it *should* be in the owner’s manual.
(There’s no good reason for it to not be.)
And the customer *should* be told about it.
Which is Brian’s point.
Those manuals should be available to the customer. “Security through obscurity is not security”. See also linesman’s sets and standardised master keys available on eBay.
Just a comment re the latest e-mail on the duress codes.
In your last few e-mails (probably for the past couple of weeks or so) I’ve noticed that where you say “Please use the link above to continue reading this posting”, there is no link above.
Not a major problem since by clicking on your website link below the “Best regards” which does still appear as a link it usually leads to the same place. The “manage your subscription” link also still appears at the bottom of the e-mails as usual. But there must be some glitch that’s deleting the “link above”. For example, in the “Duress” e-mail, all I see at the top above the text are the following 2 lines, neither of which is a link:
Krebs on Security has posted a new item.
Does Your Alarm Have a Default Duress Code? (Author: BrianKrebs)
I use Gmail by the way. Tried both Firefox and IE8 and it’s the same.
Just though I’d pass this on.
Regards and Happy New Year. Glad you found your keys.
Hi Ken. There was a glitch with an update to the plugin that handles daily digests. It should now be fixed. Thanks for your patience.
It’s not fixed. There is no link for “Please use the link above to continue reading this posting.”
Max, I can’t fix already sent emails. It will be fixed in the next emailed notice.
To be honest most systems do not have a duress code factory set. If you looks at the DSC lind for instance the distress code is a feature taht has to be enabled and a code chosen. ADT has obviously had this enabled by default or set from the menufacturer. When the Tech was showing you how to use your system, this hsould have told you this code was there for emergency use in case an intruder forced you to turn it off which it will do while silently alerting the monoriting station and them alerting the police. With regards to the key fob, Most systems allow the monitoring staion to disable a key fob by taking out it’s ESN# thru programming. This is not something you will find in a user manual for a home owner as it shoudl be done by the staion or a technician. Once the ESN is taking out that FOB will not do any functions on your system or anyone elses. If you locate your FOB you can always call your alarm co or station and they can upload your system and redo your FOB or have a technican come out and re program it into the system. Next time Brian just call into ADT and let them know you have lost or misplaced and ask them to disable it and they shoudl be able to, if they need to send a tech out they can do that as well. Most Techs will ask if you want a distress code put in and inform you what this code is for and what’s its function is. Most alarm companies will also stick in a maintenance code as well for servicing that the customer also does not know is there and is strictly used for them to be able to test and service you system without knowing your master code. While they can see what your master code is depending on the keypad type, they dont really like or want to know it. If they have to service something more often than not they will get you to change your master code to something like 1234 so they can do what they need to and then once they are finished ask you to re-program the master code to what the owner had before ( once again without them knowing. Most user mauals have the basic information for the customer to teach them use of their system, trouble shooting (basic) and some customer type programming features ( door chime on/off etc) the detailed progrmming options and installer information is kept by the installer and returned to the company more often than not and then destroyed.
oops typos, sorry folks..
The security company I use, install DSC systems and on every system I have had installed in my stores or home, the Duress code is already enabled and set to default 2-5-8-0. The installation technician demonstrates this to the customer and explains that those numbers were chosen because they are straight down the middle.
They are not in the user manual because the existence of the duress code is supposed to be a secret not known to would be robbers who force a keyholder to unlock the premises and turn off the alarm for them.
I agree that using a default duress code is not smart (especially now I know that the whole industry is using the same default!). But if I were a thief, I would much rather take the chance of letting the alarm ring – most people assume it is a false alarm, as it will buy him a little extra time since the security company usually attempts to contact the business first, to see if an employee set it off by accident, and will then try to get hold of a keyholder, leading to a delay before they call the police. A duress alarm on the other hand will tell the control center to immediately contact police and the responding officer may be only a few blocks away.
A default duress code is not such a bad idea. Even if some bad guy goes in and uses it, it will send out a duress alarm to the alarm company.
It should not be ignored by the alarm co., nor is someone who is not the customer likely to talk their way out of it, since the presumption is the customer is under duress.
You should be able to reset the system with your own correct code.
The focus should really be on how vulnerable a lost key fob is. A little lower tech and more annoyance might be better in this case.
While the Keyfob being lost it really isnt too worriesome. If you ever find yourself in a situation like Brians, you should contact your alarm company or the monitoing station and inform them you have lost a keyfob. They can then get you to arm and disarm your system if you have another keyfob. The station can then see what key fob sent the arm disarm signal ( this way they know which one is still in your posession and which is missing by what they see in their audit trail ) The alarm co or staion can then upload your system and disable the lost or missing keyfob, and rendering it useless as it is not going to work anyomre by removing it’s esn#. If for some reason they cant do this thru and upload they will send a technician out to this which takes maybe 5 or 10 minutes or less even. A lost keyfob isnt a worry, if you find it later you can always call in and let them know you have located and they can follow the same prcdures and re-activate to your system. So to be honest it isnt really a concern as long as you notify your alarm co or staion of the missing keyfob and have them deactivate it.
Good you found your keys! But i am wondering if it is a good idea to let “everybody” know what kind of alarm system you use?
There are tons of that model of system out there. Every system has its own users codes for it picked by the homeowner. So if your cousin bob has this same system and you try bob’s code on Brian’s system it doesnt mean it would work. That being said there are lots of different options homeowners can have on their systems. Door contacts, window contacts, motion detectors, glass break detectors, window bars and screens smokee detectors, heat detectors, rate of rise detectors, panic buttons, flood detectors etc etc etc. So to be honest not every system is a cookie cutter, a home owner can have pretty much it customized to what they would like to protect and it to do. You can have a system that is integrated with lighting controls, theromstat controls, a/v control driveway alert controls, gate controls. You can even have it auto arm and disarm at certain times if you’d like. The features are endless and even more so for commercial uses. So just because you see the model you really dont know what Brian has in his house protection wise to detect an intrusion.
Revealing details of your alarm system isn’t always a bad idea. A friend of mine used to live in a rather bad neighbourhood and made no secret of the fact that her alarm system consisted of two pythons, an alligator, a rattlesnake, some scorpions, a black mamba, and a few other things you wouldn’t want to run into.
The drug dealers in her neighbourhood complained that they felt unsafe…
If there’s anyone around to listen, geese make for a very good alarm system. They also have enough brains to keep false alarms down over some technical solutions. And they trim your lawn for you… when they’re not taking dumps on it.
I understand what you are saying, Christian, but that’s how we learn. And Brian is very good at informing us. His post may save someone else.
It’s quite likely Brian has a sign in front of his home telling everyone what kind of alarm he has. It discourages amateur burglars.
Well, I am not about to reveal all of my secrets. But let’s just say I believe in layered security in the offline space just as I do online. 🙂
The other layer is a very large, angry dog.
Lost key story: Went to lakeside cabin with some family members for weekend of R&R. We have a 4-wheeler we keep at the property. Couldn’t locate the keys anywhere, they were not in the one or two spots we would hide them when the property was vacant. About 7 years later my cousin and I decided to scuba dive in the lake. About 30 or 40 yards off the dock we found a rusty tackle box, still full of fishing gear. We brought it on board our boat and realized it was one of our family members who is a regular at the property, inside the tackle box were the missing keys to the 4-wheeler! We called him on his cell to share the news. He assumes that once he arrived at the property with us 7 years earlier he must have put them in his tackle box but couldn’t imagine why, the tackle box had fallen off the john boat during that trip 7 years earlier but nobody suspected the keys were inside! He was found guilty of misplacing keys, took 7 years but the truth can never hide forever! Too bad the 4-wheeler didn’t survive those 7 years, it was eventually stolen…without the keys!
Hmm.. Maybe I’m not thinking clearly as I just woke up but I don’t really see this as a big deal. If your alarm is disabled and the police are informed you’re in distress at the same time, I’m not sure this is something thieves would want to try. “Let’s disable the alarm while simultaneously letting the police know we’re here and make them think the homeowner is being kidnapped. And then we’ll see how fast we can move stuff out the door while a swat team is descending on us.” Sounds pretty risky to me.
Granted, they should let you reprogram the distress signal with your own code. And maybe that was your point.
Police take 20 minutes minimum to arrive in my experience, so the burglar could just snatch stuff and leave without making a sound, alerting neighbors, etc.
Any alarm company that puts in a standard constant maintenance code, or duress code, or any other kind of back door in MY alarm should be subject to criminal prosecution.
Just tell them that you killed the intruders and see how fast they turn up at your house 😉
In my and my wife’s dealings over many years with our house’s alarm-monitoring co. (FWIW, not ADT), we’ve often found that some technicians are more helpful than others in telling us about features and aspects of the alarm panel as well as of the monitoring units — my wife likes me being with her when we schedule a technician’s visit because, between the two of us, we ask lots of complementary questions and usually gain some knowledge we didn’t previously have (the most-recent examples relate to new/replacement monitoring devices: their sensitivity [settable via a jumper or lack thereof] and their field of vision [for one, we wanted to block its seeing immediately below]). Insofar as our system’s “duress code” is concerned, we set it to a code of our choosing when we enabled the system soon after purchasing the house — I don’t know if the system had a default (stands to reason it did), but the manual we received only noted the possibility of setting and using such a code, not its default.
Wow, what weird timing– I’ve had my ADT system for a few years and just last week it went off while the whole family was out. We had to turn around, drive back and meet the police who swept the perimeter and luckily, it was a false alarm.
I was told about the “dial-down-the-middle” distress code when the unit was installed; however, since then, I’ve seen the code in other articles and places. I imagine more and more thieves have learned of this and I’d really like to not have my head blown off if that’s what it comes to (the thief recognizing what I’m doing by dialing down the middle). I agree, there should be some way to change the distress code from the default, the same way you can change the master code.
Depending on which zone alarmed, you may want to follow up with the alarm co. re the detector for that zone (or, instead, wait to see if the “false alarm” recurs). If it’s a detector designed to trigger on movement of warm-blooded creatures, consider the possibility of a pet or an unwanted creature (e.g. a mouse) setting the detector off or of a “bug” (literally or figuratively) in the detector warranting its replacement….
Contact your monitoring station or alarm co and ask them if the distress code is like Brians or if your distress code feature is enabled, some companies do not enable this feature. If you find you have the same code, ask them to please change it to one you desire ( make sure it is not your current master code or another user code on your system, you wouldnt want to get aunt Ginny held at gun point by the police when she came over to water the plants cause you turned her code to turn off the alarm into the distress code! ) If they dont have this feature enabled and you would like it enabled they can do this for you. Just remember this feature is taken very seriously by the monitoring station and the police and is considered a high risk calll, you will see the police show up and they will be taking this very very seriously response wise. In a situation where a distress code is sent the alarm monitoring station will send the police out and not call in to the homeowner to see what is happeing like they would if say you set the alarm off by accident and couldnt call into the monotoring staition in time to let them know its a false alarm. So only use the distress code if it is necessary
The alaram company can bring up your systems audit trail and see what time the first zone was tripped and /or any additional time along with how mnay times it was tripped. Depending on the device and what not they can see on their end what occured and when and how mnay times and then figure out with you if there was something that could hav e caused it. If you arent sure they can get a technicain to come out and run a test and see if he can see why the zone tripped. Sometime depending on the device tripped it could be a faulty device, it could be something enviromental. You would be suprised at some of the little things that can trip a sensor. The Technican should be able to determine a cause with some investigation work and mitigate it for you so it doesnt occur again, it’s in the customers best intrest as well as the alarm companys to eliminate any false alarms so they do not occur again.
About 10 years ago I had an alarm installed in my company’s offices. After the tech was done programming it, I bombarded him with questions about managing the system. He eventually got frustrated and gave me the master code and told me not to tell his employer. He also confessed it was the same master code for all installations. I don’t know if that was true per installer, per region, or a company-wide procedure, but I used it often to add and delete users, reprogram zones, etc–after changing the master code.
Now if the master code could be used to deactivate the alarm after entering the premises, it would be one serious vulnerability; however, as I recall, the master code was only useful to enter the programming mode for the panel, limiting the scope of possible badness. But if you had 30 seconds of unobserved access to a panel at some company or residence and its master code hadn’t been changed, you could add a bogus user or change an existing user’s code so you could break in later. Or deactivate a zone and enter the premises within its coverage zone.
In short, agree with your point that default codes are almost always bad news. Some are worse than others.
This would still come back to the company and they would be looking at who ever held the master code. The master code is used to program user code and remove user codes on systems ( sometimes companies will have the alarm co program these for them sometimes the user who hold the master code does this) That being said, every code that is put in by the system goes on a list to the monitoring station so they know that person is an authorised user. This is done for each person who has a code for the alarm. If you put in a code and the station had no information on the user of that code, they would simply tell you what user# came in and disarmed the system with the date and time and if they re-armed it. So if the company got cleaned out they would be telling the company and the police that the system was turned off by a user # at the company. The police in turn would be looking at this as more of an inside job, because someone put this code in the system, knew how to program it in and new how to arm and disarm the system…So while this might look feasable it going to be deemed suspicous by the police ad alarm company and insurance company who will want to investigate
If the master code is still the default, everyone “holds” it and you forfeit accountability. You can no longer trust that the person disarming the system is an authorized user.
Are you arguing that default master codes are not a serious security threat?
Usually most systems the master code is a default code that is programmed to a set number. Most alarm companies will have you change the defaut code because it is a factory set one for example 9999. The installer will normally ask you to change the default master code to something of your choosing. The master code is used then to set the other codes for the system. Most comanies and their Techs will point blank tell you to NOT have users use the same code. Different systems can have mnay users codes these can range from30 codes for a basic system all the way into the 1000’s+ for more commercial systems. No one should use the same code, if you do this you risk someone seeing it or knowing of it. If someone breaks into your house and turns off your system, they are going to see in the audit trail that code was used and will ask who had access to it. If there is multiple users, then you will need to inform the police and your insurance company will ask the same and confirmation from the list at the station. You then risk a rate hike in your insurance or even cacellation if the insurance company is off the belief you are not doing enough to prevent theft on your property. As for the tech that said no, I would contact your sercuirty alaram co and speak with the installion or service manager and let them know of this situation where the tech would not allow you to change it. If there is some reason such as it is a hard coded into the system, then ok I can see why no change would be allowed. Other than that you should be able to change it to something you and your wife will know, it is common for the custmer to pick the code that they feel is best suited for them, definetly call the company and inquire about that.
Agree with everything you say; however, it misses the point: this company (well-known, nationwide) changes the default code on all installations to the same number and does not commonly share it with the customer. As I recall, the rationale was that managing the panel is too complicated for customers, and the alarm company want to maintain control. My experience is from a business installation; I don’t know if the process is the same for residential. Also, bear in mind this was 10 years ago. If the process has changed since then–and it sounds like you’re an insider to the premises alarm industry, DavidM, and are suggesting that it has–that’s positive progress.
Our system has an automatic duress code that is one digit higher than your disarm code. For duress to work you can’t have a code that ends with 9. Seems like an elegant solution to preset or default codes.
Do you all keep your important keys together on one keychain?
When I was learning to drive, my parents taught me to never keep the house key and car key on the same keychain! If you lose the car key, someone then has control of your car, and the car will have you registration info, which has your home address… and they KNOW you are not home. To this day, my car key is in my right pocket, my house key is in my left.
Was anyone else taught this way?
A duress code that is not clearly explained to the owner upon installation is a seriously stupid idea. Clearly Brian had no idea one existed. That plus the fact that the code is consistent is a problem.
Not that it matters that much. Most of these alarm systems can be bypassed in various ways by sufficiently savvy criminals. The ones used in corporate buildings that are networked can even be remotely accessed by hackers. There have been a couple infosec conference talks on the subject. The poor security design is unbelievable.
By the way, ex-SEAL Richard Marcinko used to describe how his team would bypass alarms. Just throw rocks at the fence or let loose rabbits inside the fence repeatedly until the guards turn it off!
I imagine it would be feasible for a house burglar to do much the same thing. Wait until you’re out, trigger the alarm, leave, come back, repeat. Do it every few hours until it’s turned off or the cops or security company decides it’s “just another false alarm.”
I understand this is a major problem with banks – numerous false alarms which means most police departments call first before sending a car – which gives the bank robber more time to escape.
your talking about a permieter intrusion and the situation your describing doesnt talk about interior protection. When your talking about commercial and industrial protection systems if there is perimeter protection it is usally followed by a interior protection system. Good security knows the differance between false and non false events, and most will have a plan in cases that is followed to highten the interior security due to a said compromise of the perimeter security. Look at area 51 example its a wide open space, you wouldnt think there is a lot there except signs, some cameras, the odd fence and roving patrols now and again. Its the security you dont see that is there as a back up to trigger in the event with a breach of the perimeter security. Some companies industrial, goverment and otherwise take their facilities security quite seriously
With regard to the banks, banks dont have a lot of false alarms, their systems are fairly expensive and they have a lot of different security features that you will not see in a residental or even a commercial institution. Theives dont really break into banks, there isnt anything to steal unless your going for the vault or other info. But you would be hard pressed to get access as they have that physically secured fairly well. Most theives are fater cash and usuallly hit the ATM’s themselves but even that is risky as there are safuards for certain scenarios in place, granted some unorthdox method have been donce to get at the cash an ATM holds, but the bak knows this as well and only keeps a certian amount in it at night as they know the patterns of how much a ATM will dole out in a certain period given the pattern over day, weeks months, holidays etc. Banks have their own agreements that are specialized with the alarm co’s, monitoring stations police agencies and security teams and telcos to have a more prioritized response than what you see at your average buisness.
Actually I was referring to actual during business hours bank robberies, not break ins at night.
Obviously just shutting down the alarms isn’t sufficient. But do you remember the movie “The Bank Job”, based on a true story? The bank in that case had an alarm system that was defective, triggering due to subway rumble. They shut it down for two weeks to replace it. That’s when the robbers tunneled under the bank, then burned their way with thermal lances into the safe deposit box vault.
I suspect there are circumstances in existing banks where the original alarm issue could be spoofed, possibly by electromagnetic means – assuming you could find bank robbers smart enough, which is unlikely.
Make the source of the issue hard enough to find – and how many electronic problems are such already? – and I suspect you could get a troublesome impediment to a successful robbery conveniently removed.
Nice. It’s funny to see this because I said the same thing about the same guy reviewing a security tech yesterday. (Symbiotes for embedded systems) They had so many good ideas in there until I got to the part about how it didn’t currently prevent stack, heap or return-to-libc attack. However, the attacker would have to pull data out of the system for further compromise, maybe crashing it, and are more likely to get noticed.
I said, “yeah Dick Marcinko would just crash it till the users thought it was unreliable, then hack it when their back was turned.” I told them to pass on that tech until it detected, you know, the main attacks the bad guys use. (rolls eyes)
Great minds think alike, Nick… 🙂
Regarding banking, I think the two best instances are:
1. The Swedish cash grab where they put a suitcase with the word “bomb” (but no bomb) next to the police chopper and got away. Talk about a low cost solution to beating expensive equipment.
2. My all time favorite is the Craigslist robber who got everyone to show up “for a job” in “uniform” at the bank. He robs the place, cops start grabbing random job hunters, and the thief gets away on an innertube (!). Priceless.
I’m a little disturbed at your posting the code in the clear. I think it would have been better to indicate that there is a default code and that folks should investigate getting it changed.
Now anyone reading this article knows how to disable just about any ADT system since I suspect that most folks with one don’t read your blog.
But what makes you think miscreants wouldn’t just go look it up. Actually they’re probably more likely to know it already seeing as they have an active interest in bypassing it.
If the distress code is used it turns off the alarm, but the distress code will trigger an alarm at the monitoring station and they are going to dispatch the police, so while the alarm is turned off you are going to have a police presence show up at a distress code triggered event is taken quite seriously
Can’t a potential thief just cut the alarm system off by physically cutting the telephone or cable connection and achieve the same thing as entering a duress code – possibly with the advantage of not even sending the monitoring service a notification that there is a threat to the property owner?
Or does it use the cell network as well?
Just thought about it and realised that other places maybe don’t have .AU’s obsession with not burying cables and they’re likely buried – correct me if I’m wrong.
they could try this but depending how the system is set up it could trip the alarm system. I wont go into deatils about this there are safeguards in place so if a telephone line is cut or the power is cut that the back up safeguards kick in. Alarm systems can also communicate thru a cellular or radio back up and over the internet. So while this can be attempted it doesnt mean the monitoring station isnt going to dipatch the police
It depends upon the security system and/or budget. Some installations only use POTS lines, others will also have cell.
A cellular backup was an option for our alarm system.
Pots is really old and isnt utilized much anymore, back 20or 30 years ago it was used a lot, nowadays there are much more efficent way to do this. Cellular back ups are commonin all installions. Now clients can go thru cellular, radio, internet gps, and satellite for communication to a monitoring station. It really has changed a lot
Security systems that I’ve interacted with over the past 20 years that used POTS lines checked in with the alarm company every 5 minutes when the system was armed. Failure to contact the alarm company on a scheduled connection would initiate a dial-back to the connected number, and a non-answer would cause the alarm company to contact the appropriate individuals within the site’s organization to determine whether there was a known reason for the outage.
While I don’t expect that all systems worked this way, I thought I should point out that alarm systems have come a long way since the 1970s. Large corporations used leased lines to connect the alarm system to the phone companies, but for normal businesses a POTS line was far cheaper and still relatively secure.
we had a security system in our old house. the tech allowed us to input our own duress code. one that my wife and i both memorized.
at our new house we asked to put the same one in and the tech said “no way. if someone broke into your house and had a gun to your head you wouldnt remember it and you would turn it off using the regular alarm code. so use the 2580. ”
he wouldnt let us change it at all!!
I guess being forced to use the default code is ok…unless the intruder is also aware of the default code, and when he sees you enter it, he shoots you for ratting him out.
Sorry if this has already been addressed, but the duress code on most alarm systems is treated as very high priority, and elicits a prompt response from police since it usually means that there is an armed intruder in an occupied home and the residents are essentially being held hostage. I can’t imagine a robber willingly entering the code.
As a side note, my parents learned about the duress code when they unknowingly chose it as their regular unlock code. It took the police showing up to the house three times during the install for the installer to figure out what was happening.
The idea is a “grab and dash” burglar is only concerned about the immediate response from neighbors wondering why the Jones’ alarm is still on. Unless there’s an officer just down the street, a thief most likely has more than enough time to grab laptops and a quick check of the prime locations for valuables.
2580 seems like such an obvious code for people to choose. If you don’t know it’s the default duress code and the intruder does, you’re going to have problems if he asks for the alarm code and won’t believe you when you try to convince him it’s really 2580.
The misplacement of the keys sounds like the onslaught of 50 something disease.
4 digit codes need to be put to rest.
Convenience always comes at a cost.
Default, static credentials in products are a long-standing security problem. They defeat the whole purpose of requiring the authentication. If there is a default, it should be a random one selected per device. This could probably be done for under a $1 per unit at manufacturing. If they’re interested, I’ll help one of the vendors with this for a very reasonable consulting fee.
It get’s slightly more complicated if you want to keep a database of them. The security of the database becomes an issue. I’d restrict access to select computers on the network and force the traffic to be encrypted. The database should have a limit on how much access it can have at any given time (use a front end). The people with access give the techs the code over the phone if (a) they’re scheduled to do a job there and (b) make a record they did this. The various logs can be reconciled semi-automatically using this data to identify potential insider and outsider attacks.
(Of course, use all the other commercial best practices for INFOSEC. I’m mainly just focusing on the basics for keeping a database grab from happening.)
My old rule back in the 90’s about all of this was to always assume there was a default code. Hence, any code there is, change it. If it’s a PIN, don’t take the default. If it already has a password, change it. And so on. From there, restrict access and monitor behavior up to the point where the risk justifies it.
Can’t tell you how many times I’ve lost my key fob. I recently got an app for my smartphone that allows me to disarm my alarm system right from my phone, so this way when i do lose my key fob, I can just access the alarm system right through my cell phone. God bless technology lol.