Two vulnerabilies; one confirmed, and one unconfirmed.

The first is little known and unconfirmed, and the hacker who discovered it wishes to remain anonymous. This exploit applies to the Vivint SKY control panel

Quote Originally Posted by Anonymous
"There's a port that is serving a maintenance website with no credentials. You can turn on SSH from there. Also on that page you can get the root password from the source html. Then you can SSH to the system as root, and you've got full access to the OS.

I exfilled the whole filesystem and have been poking through it - looks like all the useful information is in a few sqlite tables, it's possible to do, well, just about everything from this access, as you could imagine..."
Another confirmed vulnerability was recently discovered and exploited in Honeywell, DSC/ADT, and 2GIG/Vivint panels (which also includes the new Vivint Sky Control which uses the same communication protocol)

This vulnerability was found by researcher Logan Lamb who was scheduled to reveal his findings at Black Hat and DEFCON Aug, 2014.

The vulnerability results in the panels being fully compromised as all sensors send open air unencrypted communications between sensors and fobs, keypads which can be intercepted (using a $10 SDR), and spoofed back to the panels using a $299 more advanced SDR, which allows an intruder to create false alarms remotely from outside the home, and/or simply disable the panels' ability to communicate with sensors also from outside the home, allowing unrestricted access to the premises like they were never even there.


Apparently, the Researcher Logan Lamb was threatened, and pressure was brought to bear to prevent him from revealing the information. He subsequently withdrew from both BlackHat and DEFCON. BUT it was too late to prevent his research from being released via the "Conference CD"

For more info on this, see:

How it is done (Lamb's research/conference CD):
For more info, discussions, see: SuretydIY Discussion Board

HackRF One SDR (is an example of an easy to get, inexpensive SDR that can be used to exploit the noted vulnerabilities):

Other retail sources: