Vulnerability in Risco Lightsys protocol encryption

During a routine pen-test of an alarm receiving centre, a piece of software was found that was used to remotely configure Risco alarms.

This software communicates with alarm panels, sometimes over IP, sometimes over a mobile network. One of these panels is the Lightsys panel, which seems fairly common in the UK.

The encryption used by this protocol is token at best, and not suitable for securing communication across an untrusted network.

The protocol generates a psuedo-random sequence of numbers using a basic function. This is then XORed with the message to encrypt or decrypt.

Each panel has a “seed” that changes the encryption slightly. Because we have a partially known plaintext, you don’t need to know the seed to decrypt messages – it can just be determined. The seed tended to be the same across many panels.

A further proof of concept was developed that can send and receive commands with alarms, leading to a denial-of-service condition. I am not disclosing this as it can cause harm and is not the root cause of the problem.

This was reported to Risco on 7th August. As of yet, they have not indicated if they wish to fix this issue.


  • Don’t roll your own encryption
  • If you have a key, make sure it has enough length to actually improve security

3 thoughts on “Vulnerability in Risco Lightsys protocol encryption

  1. Permalink  ⋅ Reply


    June 8, 2018 at 4:55pm

    Hi ! Interesting article… I’m trying to access to my risco panel with a serial connection and decrypt data… Can you say me if your method is still applicable ? I tried but none…

    • Permalink  ⋅ Reply


      June 13, 2018 at 8:46am

      Sorry – really not sure! I didn’t really look at the serial side.

      • Permalink  ⋅ Reply


        June 13, 2018 at 8:49am

        Oh, serial or ip connection, the same… this article still works on the ip connection ?

Leave a Reply

Your email will not be published. Name and Email fields are required.

This site uses Akismet to reduce spam. Learn how your comment data is processed.