A security monitoring system

Technical field

The present invention relates to a security monitoring system for monitoring premises, a security monitoring system keypad, and a method of operating a security monitoring system.

Background

Security monitoring systems for monitoring premises and in particular to provide a secure perimeter or secure perimeter portion, often referred to as alarm systems, typically provide a means for detecting the presence and/or actions of people at the premises, and reacting to detected events. Commonly such systems include sensors to detect the opening and closing of doors and windows, movement detectors to monitor spaces (both within and outside buildings) for signs of movement, microphones to detect sounds such as breaking glass, and image sensors to capture still or moving images of monitored zones. Such systems may be self-contained, with alarm indicators such as sirens and flashing lights that may be activated in the event of an alarm condition being detected. Such installations typically include a control unit (which may also be termed a central unit), generally mains powered, that is coupled to the sensors, detectors, cameras, etc. (“nodes”), and which processes received notifications and determines a response. The central unit may be linked to the various nodes by wires, but increasingly is instead linked wirelessly, rather than by wires, since this facilitates installation and may also provide some safeguards against sensors/detectors effectively being disabled by disconnecting them from the central unit. Similarly, for ease of installation and to improve security, the nodes of such systems typically include an autonomous power source, such as a battery power supply, rather than being mains powered.

As an alternative to purely self-contained systems, a security monitoring system may include an installation at a premises, domestic or commercial, that is linked to a Central Monitoring Station (CMS) where, typically, human operators manage the responses required by different alarm and notification types. In such centrally monitored systems, the central unit at the premises installation typically processes notifications received from the nodes in the installation, and notifies the Central Monitoring Station of only some of these, depending upon the settings of the system and the nature of the detected events. In such a configuration, the central unit at the installation is effectively acting as a gateway between the nodes and the Central Monitoring Station. Again, in such installations the central unit may be linked by wires, or wirelessly, to the various nodes of the installation, and these nodes will typically be battery rather than mains powered.

In both these types of systems, the central unit is typically responsible for arming and disarming the system but may not be located close to an entrance door. When the house owner returns to the monitored premises where the monitoring system is in an armed state, the system must be disarmed fairly quickly, for example within 30 seconds of opening the door. If the central unit is not located close to the entrance door, it may be difficult for the owner to reach the central unit and enter the disarm code - which may typically be 4 to 6 characters or digits, in time. This obviously poses an even greater challenge for the elderly or infirm. For this reason it is known to provide a unit close to the entrance door by means of which the owner can disarm the system. Such a unit, which may be termed a disarm node (although, given that the unit can also arm as well, it could equally well be termed a control node or control device), may be provided inside the protected premises close to each main entrance, but in other installations only the single main entrance will be provided with a disarm node. The disarm node will typically be fixed, for example to a wall or other surface within the premises, close to the relevant entrance to the building or protected space. Some installations may be so configured that the system can only be armed or disarmed by means of a disarm node, the central unit possibly not even including a keypad or NFC functionality.

It is also known to provide a disarm node outside the perimeter protected by the security monitoring system, for example attached to an exterior wall of the premises, or provided in a lobby, hall, or other common area of the condominium or apartment block that contains the protected premises. Such a disarm node, which may be referred to as an external or “outdoor” disarm node, or more generally as an outdoor or external keypad, enables the security monitoring system to be disarmed from outside the secured perimeter of the protected premises. Typically, security monitoring system installations (hereinafter simply “installations”) that include such an outdoor or external keypad will also include an internal disarm node. Such an external keypad may permit both arming and disarming of the security monitoring system.

Typically such an external keypad is provided adjacent a principal entrance of the protected premises, for example the front door of a house, or the entrance door of a flat or apartment, but additionally or alternatively such an external keypad may be provided at a secondary entrance such as the back door of a house, or at a door leading in from a garage. Thus, typically, such an external keypad is adjacent to an entrance door which may be considered to be associated with the external keypad. If the associated door is provided with an electrically or electronically controlled lock (hereinafter, a “smart lock”), the external keypad may also be configured to enable the smart lock to be unlocked from the keypad, and optionally may also be configured to enable the smart lock to be locked from the keypad. With such an arrangement it becomes possible for someone to disarm the security monitoring system, and unlock and open a door or the protected premises, thereby gaining access to a protected space within the premises, simply by entering the relevant PIN or passcode. That is, it is no longer necessary to be in possession of both a key to a perimeter door and a passcode for the security monitoring system to enter the protected premises without triggering an alarm. While this is clearly convenient in many ways, it makes it more important than ever that the system passcode(s) or PIN(s) be protected and kept from the hands of bad actors.

One of the problems that arises with installing a keypad outside the protected perimeter of an installation is that it may become possible for bad actors to observe or spy on the activities of authorised users who enter passcodes/PINs at the external keypad, either directly by being in the vicinity of the external keypad, or indirectly by having positioned a video camera in the vicinity of the external keypad. Additionally, many users, because of the difficulty of remembering new PINs and passcodes, use the same PIN or passcode for years on end. The consequent consistent use of the same digit subset may result in the keypad keys for the relevant digits becoming noticeably more worn than the keys whose digits do not form part of the PIN or passcode. In many cases, the system PIN may be just 4 digits, so that no more than 4 keys of 9 or 10 digit keys show wear. If a bad actor can see wear on only 4 digit keys, he or she has a much easier task in trying all the possible 4 digit combinations necessary to uncover the allocated PIN.

Hence, although the provision of an external keypad has advantages, the security risks seemingly inherent in their use means that in many situations their use is unacceptable, so that either no disarm arrangement is provided, or an alternative and more costly or complex approach is deployed - such as facial or biometric recognition, etc. The cost and complexity of such alternative approaches restrict their application to only a subset of possible installations - and in particular effectively preclude their use for modest domestic installations.

There therefore exists a need to a way to enable the use of external keypads in security monitoring installations while reducing security risks associated with their use. Summary

According to a first aspect, there is provided a security monitoring system keypad device for arming/disarming a security monitoring system, the keypad including a set of physical actuators to code a plurality of digits, each actuator coding at least a first and a second of the plurality of digits, wherein each actuator is configured to code the first digit upon receiving a first number of actuations, and to code the second digit upon receiving a second different number of actuations. Such a keypad makes it more difficult for observers to see the identity of the digits entered, and hence improves security. Such a keypad also makes it harder for a bad actor to identify from an inspection of the surface of the actuators of the keypad which digits are used - that is, unlike conventional keypads where each digit has its own actuator, typically with indicia labelling the different actuators, wear on an actuator may be caused by actuating the actuator for any of the digits that it codes - so that inspection of signs of wear does not indicate a one to one correspondence with the digits entered.

Optionally, the security monitoring system keypad device is configured to: receive a status change request in the form of user activation of one of the set of actuators; in response to receiving the status change request, prompt the input via the physical actuators of a code sequence comprising a plurality of digits; transmit the status change request and the code sequence to a controller of the security monitoring system; and in the event that confirmation of a successful change of status is received from the controller of the security monitoring system provide audible and/or visual feedback of the successful change of status; in the event that an indication is received from the controller of the security monitoring system that the requested change of status has not been achieved, provide audible and/or visual feedback of the failure of the status change request. In this way, a user can be guided through a status change process to achieve a desired outcome even in the event of one or more initial failures. Optionally, the device is configured to transmit the status change request to the controller of the security monitoring system before prompting the input via the physical actuators of the code sequence. In this way, the controller of the security monitoring system is made aware immediately of the status change request, prior to commencement of the digit entry process. Optionally, the device is configured only to prompt the input via the physical actuators of the code sequence after having received acknowledgement, from the controller of the security monitoring system, of the status change request. In this way, the controller of the security monitoring system can be known to be ready to receive the entered digits before the user is prompted to enter them - reducing the chance that the controller is unavailable during digit entry and hence reducing the risk that the user will have to wait for a prolonged period for a response from the controller (as indicated for example by actuation of visual indicators of the keypad device) during entry of the digit sequence - something which might otherwise frustrate the user or cause the user to abandon their attempt to change the status of the system

Preferably, the security monitoring system keypad device is configured, in response to receiving from the controller of the security monitoring system an indication that the transmitted code sequence was unacceptable, to provide audible and/or visual feedback of a code sequence deficiency and to prompt re- entry of the code sequence via the physical actuators. In this way the user is made aware of the need to re-enter the code sequence.

Optionally, the set of physical actuators are configured to code at least the digits 1 to 9, and the set consists of no more than 5 physical actuators. In this way, passcodes can be constructed with significant digit diversity, and the overall size of the keypad device can be reduced.

Optionally, the set of physical actuators are configured to code the digits 0 to 9, and the set consists of 5 physical actuators. In this way, each actuator can be arranged to code two digits, helping to reduce the risk of passcode detection by observation or physical inspection of the surface of the actuators.

Optionally, the set of physical actuators are configured to code the digits 1 to 9, and the set consists of 3 physical actuators. In this way, the overall size of the face of the keypad may be reduced, and the risk of passcode detection by observation or physical inspection of the surface of the actuators is further reduced.

Preferably, one of the physical actuators is also allocated to disarming the security monitoring system. In this way, no separate disarm button needs to be provided, and the risk of passcode detection by observation or physical inspection of the surface of the actuators is further reduced. Preferably, another one of the physical actuators is also allocated to arming the security monitoring system. In this way, no separate arm button needs to be provided, and the risk of passcode detection by observation or physical inspection of the surface of the actuators is further reduced.

Optionally, another of the physical actuators is also allocated to arming the security monitoring system into an armed away state, and yet another of the physical actuators is also allocated to arming the security monitoring system into an armed at home state. In this way, the keypad may be used to put the security monitoring system into both an armed at home state and an armed away state, without the need to add a further actuator, and the risk of passcode detection by observation or physical inspection of the surface of the actuators is further reduced.

Optionally, the security monitoring system keypad device further comprises a video camera configured to capture images of a user of the keypad. In this way, the security of the security monitoring system may be improved. The keypad device may be configured (or controlled by the controller of the security monitoring system) to activate the video camera when any of the actuators of the keypad is activated, to capture images of whoever is at the keypad, and these images may be stored at the keypad or more preferably automatically forwarded to the controller of the security monitoring system - for possible onward transmission to a central monitoring station. A keypad provided with a video camera may also perform the function of a video doorbell - and images from the video camera can be forwarded to an authorised user of the system when a bell push (which may also be one of the actuators used to code digits) is activated. A bidirectional audio interface may also be provided so that an authorised user and a visitor using the video doorbell functionality may converse.

The security monitoring system keypad device may further comprise a first transceiver to receive control signals from a controller of the security monitoring system and to transmit to the controller signals consequent on activation of physical actuators of the keypad; and a second transceiver for the transmission to the controller of images captured by the video camera, the second transceiver having a larger transmission bandwidth than the first transceiver. In this way, a low bandwidth transceiver with low power consumption can be used to handle most communications with the controller of the security monitoring system, reducing everyday power consumption, and yet video signals, or frames, with high resolution and high frame rate may be transmitted when needed using the second transceiver - which may, for example, be a Wi-Fi transceiver. In this way, battery life can be prolonged while still enabling useful video delivery rapidly to support timely interventions by personnel in , or summoned by, the central monitoring station.

Preferably, the security monitoring system keypad device supports disarming of the security monitoring system as part of a hands free entry process, the keypad being configured to generate wake on radio signals for use in waking a hands free entry device. In this way, authorised users can more quickly gain access to the protected premises, with perhaps just a single button/actuator activation. This is particularly useful to users carrying infants or parcels, and to the elderly or infirm who may have to use canes or other supports.

According to a second aspect, there is provided a security monitoring system to secure at least part of a perimeter of premises, the premises including a door giving access to a protected interior space of the premises, the system comprising: a system controller within the protected interior space; and outside the perimeter a keypad device for disarming the security monitoring system, the keypad device including: a set of physical actuators to code a plurality of digits, each actuator coding at least a first and a second of the plurality of digits, wherein each actuator is configured to code the first digit upon receiving a first number of actuations, and to code the second digit upon receiving a second different number of actuations; and a first transceiver to receive control signals from the system controller of the security monitoring system and to transmit to the system controller signals consequent on activation of physical actuators of the keypad. The security of such a system may be enhanced by the provision of a keypad device in which individual actuators code more than one digit.

Preferably, in the security monitoring system an electronically controllable lock is provided for the door, the lock being controllable by the system controller, and the keypad device is configured, upon activation of a specific actuator of the set of physical actuators to transmit an unlock command to the system controller to activate the lock to unlock. In systems provided with an electronically controllable lock, authorised entry is facilitated in this way. This is particularly useful to users carrying infants or parcels, and to the elderly or infirm who may have to use canes or other supports.

Optionally, in the security monitoring system the system controller is configured only to activate the lock to unlock when the system is in a disarmed state. In this way the risk of an alarm being triggered inadvertently by an authorised user is reduced.

Optionally, the keypad device is also configured to transmit an arm command to the system controller to cause the system controller to arm the security monitoring system. In this way, an authorised user can arm the system after having left the premises - enabling her, for example, to collect her bicycle from the back garden say, which is also monitored by the security monitoring system, before arming the system.

Optionally, the system controller is configured only to arm the security monitoring system, in response to receiving an arm command from the keypad device, on the condition that the door is closed and the lock is locked. In this way the risk of an alarm being triggered inadvertently by an authorised user is reduced.

Optionally, the keypad device is also configured upon activation of a specific actuator of the set of physical actuators to transmit a lock command to the system controller to activate the lock to lock. In this way, a user may securely lock premises, or certain doors of premises, from the keypad without needing also to arm the system.

Preferably, the security monitoring system supports a hands free entry process for disarming the security monitoring system, the keypad being configured to generate wake on radio signals for use in waking a hands free entry device. In this way, authorised users can more quickly gain access to the protected premises, with perhaps just a single button/actuator activation. This is particularly useful to users carrying infants or parcels, and to the elderly or infirm who may have to use canes or other supports.

According to a third aspect, there is provided a method performed by a security monitoring system keypad device for arming/disarming a security monitoring system, the keypad including a set of physical actuators to code a plurality of digits, each actuator coding at least a first and a second of the plurality of digits, wherein each actuator is configured to code the first digit upon receiving a first number of actuations, and to code the second digit upon receiving a second different number of actuations; the method comprising: receiving a status change request in the form of user activation of one of the set of actuators; prompt the input via the physical actuators of a code sequence comprising a plurality of digits; transmitting the status change request and the code sequence to a controller of the security monitoring system; and providing, in the event that confirmation of a successful change of status is received from the controller of the security monitoring system, audible and/or visual feedback of the successful change of status; providing, in the event that an indication is received from the controller of the security monitoring system that the requested change of status has not been achieved, audible and/or visual feedback of the failure of the status change request.

Optionally, the method further comprises transmitting the status change request to the controller of the security monitoring system before prompting the input via the physical actuators of the code sequence. Optionally, the method further comprises only prompting the input via the physical actuators of the code sequence after receiving acknowledgement, from the controller of the security monitoring system, of the status change request.

Optionally, the method further comprises, in response to receiving from the controller of the security monitoring system an indication that the transmitted code sequence was unacceptable, providing audible and/or visual feedback of a code sequence deficiency, and prompting re-entry of the code sequence via the physical actuators.

According to a fourth aspect there is provided a method of disarming a security monitoring system securing at least part of a perimeter of premises, the premises including a door giving access to a protected interior space of the premises, the system including: a central unit for controlling, arming and disarming the security monitoring system, and having a radio frequency transceiver; a keypad device for disarming the system, the keypad device having a user interface to receive a user input to change the status of the system, and at least one radio frequency transceiver, the keypad device being located outside the protected interior space; wherein the user interface includes a set of physical actuators to code a plurality of digits, each actuator coding at least a first and a second of the plurality of digits, each actuator being configured to code the first digit upon receiving a first number of actuations, and to code the second digit upon receiving a second different number of actuations; and a portable authentication device to permit hands-free disarming of the security monitoring system, the portable authentication device including a radio transceiver and having a portable authentication device identity that is registered with the central unit; the method comprising: (i) using one of the keypad device’s one or more transceivers to: transmit, in consequence of a user input, at the user interface, of a disarm request, a disarm request message to the central unit; (ii) using one of the keypad device’s one or more transceivers to transmit, using a short- range transmission mode, a wake up message including a status change event identifier; (iii) using the portable authentication device’s transceiver to transmit, in response to receipt of the wake up message, a response message including the status change event identifier and the portable authentication device identity; (iv) checking, using the central unit, in response to receiving the response message from the portable authentication device, whether the status change event identifier is for a current status change event, and whether the portable authentication device identifier is for a portable authentication device registered with the central unit; and (v) if the two checks both give positive results, disarming the system. The use of a status event identifier, which changes with every status change event, enables the system controller to prevent successful replay attacks in which a villain uses a recording of an earlier successful disarm event in an attempt to disarm the system and gain access to the protected premises.

Optionally in the method of the fourth aspect, the system includes an electrically controlled lock which is lockable to lock the door to prevent the door being opened from outside, and which can be unlocked to enable the door to be opened from outside, and the method includes at step (v), if the disarm request includes a request to unlock the electronic lock, using the central unit’s transceiver to transmit a signal, after disarming the system, to cause the electronic lock to be unlocked.

Optionally, the method of the fourth aspect further comprises: generating the status change event identifier in the central unit in response to receipt of the status change message from the keypad device; and transmitting, using the central unit’s transceiver, the generated status change event identifier to the keypad device.

Optionally, the method of the fourth aspect further comprises: generating the status change event identifier in the keypad device in response to receipt of the user’s disarm request; transmitting, using the keypad device’s transceiver the generated status change event identifier to the central unit.

Optionally, the method of the fourth aspect further comprises: in the event that the requested status change is implemented, transmitting, using the central unit’s transceiver, a status change confirmation message.

Brief Description Of The Drawings

Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:

Figure 1 is a schematic drawing showing a front elevation of stylised building with an external space which is monitored by a security monitoring system according to an embodiment of the invention;

Figure 2 is a schematic part plan view of premises protected by a security monitoring system, together with other elements of the system; Figure 3 is a schematic drawing showing features of elements of a security monitoring system according to embodiments of the invention;

Figure 4 shows schematically a front elevation, and a corresponding partial cross section, of an exemplary security monitoring system keypad according to an aspect of the invention;

Figure 5 shows front elevations of some alternative configurations of a security monitoring system keypad;

Figure 6 shows various views of another alternative embodiment of a security monitoring system keypad;

Figure 7 is a timing diagram showing the sequence of events and actions that characterise a method to achieve hands-free disarming of the system;

Figure 8 is a sequence diagram illustrating a process for arming a security monitoring system according to an embodiment of the invention; and

Figure 9A and 9B are schematic drawings illustrating a process for disarming a security monitoring system according to an embodiment of the invention, and unlocking a smart lock, using a keypad which is provided outside the zone or building protected by the system.

Detailed Description

Before describing the new keypad, we will first provide some context by describing an example of a security monitoring system in which the new keypad may be used.

Figure 1 shows a view of the front of a premises 100 protected by a security monitoring system according to an aspect of the present invention. The premises, here in the form of a house, have an exterior door, here front door, 102. The door gives access to a protected interior space. The security monitoring system secures at least part of a perimeter to the premises (100), and the door constitutes an exterior closure 102 in the secure perimeter giving access to a protected interior space 200 of the premises. A lock 104 on the exterior door is optionally electrically controlled so that it can be locked and unlocked remotely. To the side of the door, on the fagade of the house, is an external keypad 110 with which a user can disarm (and optionally also arm) the security monitoring system, and optionally lock and unlock the lock 104. If the external keypad 110 does not include a doorbell function (i.e. if it doesn’t include what is in effect a bell push), then a video doorbell is preferably also provided (as indicated as item 112), and preferably integrated into the security monitoring system - so that, for example, at least video and images from the camera of the video doorbell are transmitted to the controller of the security monitoring system, so that they may be onward shared with a central monitoring station- and preferably bell push information is also shared with the controller of the security monitoring system.

Figure 2 is a schematic part plan view of a premises 100 protected by security monitoring system according to an aspect of the invention, together with other elements of the system, corresponding generally to the premises of Figure 1. The front door 102, here with an electrically controlled (or “smart”) lock 104, leads into the protected interior space 200 of the premises. Each of the windows 202, and the front and rear doors 102 and 204 is fitted with a sensor 206 to detect when they are opened. Each of the sensors 206 includes a radio transceiver to report events to a controller, or central unit, 208 of the security monitoring system. If one of the sensors 206 is triggered when the system is armed, a signal is sent to the central unit 208 which in turn may signal an alarm event to a central monitoring station 210. The central unit 208 is connected to the central monitoring station 210 via the Internet 212, either via a wired or a wireless connection.

Also wirelessly coupled to the central unit 208 are the external keypad 110, and electrically controlled lock 104, together with the video doorbell 112 if present. These items, and the sensors 206, are preferably coupled to the central unit 208 using transceivers operating in the industrial scientific and medical (ISM) bandwidths, for example a sub- gigahertz bandwidth such as 868 MHz, and the communications are encrypted preferably using shared secret keys. The security monitoring system may also include other sensors within the protected interior space, such as an interior video camera 214 and associated movement detector 216 (which again may be integral with the camera 214), and each of the interior doors 218 may also be provided with a sensor 206 to detect the opening/closing of the door. Also shown is an optional external video camera 240 which is preferably arranged to observe the fagade of the building, in particular the entrance door and windows, and the forecourt or area in front of the fagade. When the premises are an apartment or condominium, such an external video camera is similarly preferably arranged to observe the entrance door and the spaces around and in front of the entrance door, both private (if any) and common areas such as lobbies, corridors, or gardens or grounds. Turning now to Figure 3, this illustrates schematically the main components of some of the various components of a security monitoring system according to embodiments of the invention. The controller or central unit 208 includes a processor 400 with an associated memory 410 which stores, among other things, identities for the key fobs that are registered to the system, identities for the detectors (e.g. PIRs and/or magnetic contact devices) and disarm nodes of the system together with an association between each disarm node and the detector for the entrance closest to the relevant disarm node. These identities and associations are stored in a database 415 within the memory 410. The central unit includes at least one RF transceiver 420, with associated antenna 422, for communication with the various nodes and sensors of the monitoring system. Typically, there will be a second transceiver 430 as shown , also with an associated antenna 432, for communication with the central monitoring station 210, as a backup or alternative to a wired data connection to the Internet via a network interface 440. The antennas of the various transceivers will typically all be internal to the central unit. The processor 400 is connected to, and controls, the memory 410, transceivers 420, 430 and the network interface 440. The central unit generally draws power from the domestic power supply ( generally referred to as a mains power supply) which feeds a power supply 450 within or associated with the central unit 208. The central unit also includes a backup autonomous power supply, such as a battery power supply, which automatically becomes operational in the event that the external power supply fails. The internal autonomous power supply is based on rechargeable cells 460 that are kept continuously topped up by the power supply 450. The central unit 208 may also include a user interface 425, including a display 426, a keypad or keyboard 427, a loudspeaker 428, and a microphone 429. The keypad or keyboard may be a provided by making the display a touch-sensitive display, or as a unit distinct from the display. The central unit may be arranged to accept through the keypad or keyboard a code or codes to arm and disarm the system. The central unit may also include a near field communication (NFC) antenna and a corresponding NFC chip or equivalent circuitry which can be used, for example, to detect the presence of a “disarm dongle” provided to the user of the system and which is capable of communicating with the central unit using Near Field Communication.

The external keypad 106 (which may be referred to as a disarm node) includes a processor 470 with an associated memory 480 that stores an ID of the external keypad. The external keypad also includes a user interface 485 comprising a keypad assembly 510, indicators, e.g. LEDs, 500. A transceiver 520, with an associated antenna 522 (which will typically be internal, rather than external as illustrated), is controlled by the processor 470, and is used for communicating with the central unit 208 and the key fob 300. The external keypad includes an autonomous power supply, e.g. battery power supply, 525, and in general this will be the only power supply as typically it is preferred not to have to connect external keypad to the mains power supply. A loudspeaker 530 may be provided so that audible messages and instructions can be given to a user at the disarm node. These audible messages an instructions may be automated ones, generated by the central unit or by the external keypad itself, but additionally the loudspeaker 530 can be used to relay messages from a central monitoring station 210. For example, the loudspeaker may be used to provide a disarm success or failure message, and to provide a prompt for the user to enter credentials (e.g. passcode) in the event that an attempt at hands free disarm (to be described later) has failed. Conveniently, the external keypad may also include a microphone 535 to permit a user at the external keypad to hold a conversation with a human operative in, for example, a central monitoring station 210, or even with the emergency services - for example if patched through by the central monitoring station. Preferably, the external keypad 270 is secured to the building or other fixed property protected by the security monitoring system, for example attached to an external wall at a height convenient for user operation - for example fixed at a height between 1 metre and 1.5 metres from the floor. Although not shown in Figure 3, the external keypad may also include a video camera, and a bell push (which may be provided as part of the keypad, or separately), so that the external keypad can also function as a video doorbell. In this case, the external keypad preferably includes another transmitter or transceiver, in addition to the previously mentioned low-bandwidth ISM device, for use when transmitting images and or video to the central unit (which will generally only be when instructed so to do by the central unit). The additional transmitter/transceiver should support the transmission of high resolution images and high resolution video with an acceptably high frame rate - so that useful images/video can be supplied quickly via the central unit to the central monitoring station (and optionally also supplied to authorised users via an appropriate app for example), and typically a Wi-Fi transceiver will be supplied for this purpose (the central unit also having an appropriate W-Fi transceiver for reception of such images and video. In the case that the external keypad device includes video doorbell functionality, it is preferably provided with a wired electricity feed (for example derived from a mains electricity supply) in addition to a (back-up) battery power supply.

The system may be so arranged that an external keypad can only be used for disarming the system from an armed state, or may be arranged to permit the system to be armed (e.g. to either a part-armed or fully-armed state) and disarmed from an external keypad. Like the central unit, the external keypad may also include a Near Field Communication antenna and chip 472 to enable a disarm dongle, such as an NFC-enabled fob, to be used to disarm the system by bringing the dongle within a few centimetres of the disarm node. The external keypad is preferably configured to encrypt its radio transmissions, and to decrypt received signals, so that secure communications with the control unit 208 are possible. The encryption may be based on a secret shared between the control unit 208 and the external keypad 270.

A portable authentication device or keyfob 300 which may be used to effect hands free entry to premises protected by an armed security monitoring system includes a processor 600, with an associated memory 605 that stores an identifier for the portable authentication device, a transceiver 610, and a battery 615 that provides power to the processor and the transceiver. Transceiver 610, which has an associated antenna 612, may be a wake on radio transceiver. The use of a wake on radio transceiver typically enables a reduction in the amount of power consumed by the portable authentication device, thereby further extending the life of the battery of the portable authentication device. Alternatively, the transceiver may be a conventional polling transceiver designed for low power consumption. Such a polling transceiver, when in a resting state, periodically powers up just the front end of its receiver circuit to listen (poll) for beacon signals. If a beacon signal is detected, possibly subject to some power level minimum, the rest of the receiver circuit is energised to receive transmissions. Such a polling transceiver may listen for no more than about 10 ms, e.g. for 2 ms unless a beacon signal is detected. The frequency with which the transceiver carries out polling is a compromise between battery life and responsiveness. A period between poling events of 1 to 2 seconds will typically give satisfactory responsiveness with acceptable battery life. Typically the system will be configured to enable the poling period to be set, and changed, via an RF configuration command from the central unit. The transceiver, of whatever kind, is controlled by the processor and enables radio communication with the central unit 208 and the disarm node 270. The portable authentication device includes a motion sensor 650, configured to sense motion of the portable authentication device and to provide an output to the processor 600, to which it is operatively connected, based on sensed motion of the portable authentication device. The processor is configured to determine whether the portable authentication device is stationary or in motion, based on the output of the motion sensor. The motion sensor is typically an accelerometer, for example a 2 or 3-axis accelerometer, although other kinds of motion sensor may be used. Typically the motion sensor will have intelligent motion-based power management so that power consumption is minimised in the event that motion is not detected for a certain period of time. When the motion detector detects no motion, the processor may be configured to generate a running count of the time since the portable authentication device was last in motion. The portable authentication device may be configured to shut down the portable authentication device’s transceiver in the event that the portable authentication device is deemed to be stationary. The transceiver may then only be re energised in the event that motion is once again detected.

The portable authentication device may be deemed to be stationary if the motion sensor senses no motion at the time the instruction is received. Alternatively, the portable authentication device may be deemed to be stationary if the motion sensor has sensed no motion of the portable authentication device during a predetermined period preceding the time when the instruction is received.

The portable authentication device may also include one or more buttons 620 which a user can use to issue commands or responses. The portable authentication device may also include one or more visual indicators 625, for example one or more LEDs, to indicate a status, to confirm a button press, or the like. For example, a single multi-coloured indicator, such as an LED, may be used to provide multiple different indications while keeping component count low and enabling the fob dimensions to be made compact. The portable authentication device is preferably configured to encrypt its radio transmissions, and to decrypt received signals, so that secure communications with the central unit are possible. The encryption may for example be based on a secret shared between the central unit and the portable authentication device.

Figure 4A shows a front elevation of an exemplary security monitoring system keypad 106according to an aspect of the invention. The keypad 106 includes a keypad assembly including a set of physical actuators 441 , 442, 443, 444, and 445, to code a plurality of characters, each actuator coding at least a first and the second of the plurality of characters. The keypad is so configured that an actuator upon receiving a first number of actuations codes a first character, and upon receiving a second different number of actuations codes a second character. In the example illustrated, each actuator or button, 441 - 445, codes two digits, a first digit when a single actuation (“single tap”) is received, and a second digit when a double actuation (“double tap”) is received. Hence, in this example, button 441 codes the digit 1 when a single tap is received, and codes the digit 2 when a double tap is received. Similarly, button 442 codes the digits 3 and 4, button 443 codes the digits 5 and 6, button 444 codes the digits 7 and 8, and button 445 codes the digits 9 and zero. Although in this example characters are coded using actuations consisting of a single tap or a double tap, the keypad’s controller may be programmed to accept a combination of actuations other than a single tap and a double tap in coding the first and second characters. For example, a first character may be coded using a double tap, and the second character may be coded using a treble tap. Also, as will be illustrated later, each actuator or button may code more than one character. Preferably, the keypad’s processor 470 is configured to recognise a multi-tap based on the interval(s) between successive taps. For example, a double tap may be recognised by sequential activations received less than 0.5 seconds apart, although in practice a double tap may be input with sequential activations received less than 0.35 seconds apart, and generally in the range 0.15 to 0.3 seconds apart. However, in order to support the needs of elderly or infirm persons, the keypad’s processor 470 may be configured to provide an extended digit input window of more than 0.5 seconds, for example 600ms, 650ms, 700ms, or 750 ms, within which any inputs are treated as inputs of a single digit. Thus, from the first actuator operation, the extended digit entry window runs and if there is a second actuation of the first actuator within the window it is treated as a double tap (and likewise for a detected triple tap, etc. where the keypad accepts multi taps beyond double taps). If the keypad is set up to work just with single and double taps, three taps within an extended digit input window is treated as an error. The provision of optical, and optionally also audible feedback, should enable a user to understand the nature of the error. Clearly, specific voiced announcements may be used to explain the nature of the error and to guide the user to enter digits correctly. But, in practice, the use of indicator lights as previously described - e.g. with all or several actuators flashing red or showing red as soon as an error is detected, can be extremely effective in guiding the correct behaviour.

Optionally, the keypad’s processor 470 is configured to treat sequential actuations that are received less than 0.1 seconds apart as a single actuation - i.e. the processor may perform a debouncing operation.

Conveniently, the security monitoring system keypad 106 may be configured to perform one or more training sequences (for example when first installed) in which each authorised user is required to enter through the keypad each of the characters coded by the keypad. In this way, the keypad processor 470 can be trained to recognise and distinguish between, for example single tap and double tap entries.

If there is only a single authorised user, the keypad’s processor may be able to determine during training a relatively narrow window within which the user executes a multi-tap (e.g. double tap) input. The processor 470 may be configured to thereafter apply this window in determining whether the authorised user has made a multi-tap input, or whether possibly the input has been made by someone else. If the processor 470 determines that the multi-tap input may have been made by somebody who is not authorised, it may communicate with the central unit of the security monitoring system causing the central unit to activate any external video camera and possibly to alert the central monitoring station - including feeding images from the external video camera to the central monitoring station. The system may then use the audio interface of the external keypad to challenge the person entering the code at the external keypad, for example requiring the person to provide a keyword (e.g. swordfish), or the system may simply not disarm the security monitoring system and not unlock any associated lock - so that the person would be required to use a key or token to unlock the door, and then disarm the security monitoring system at a disarm node inside the premises.

The processor 470 is preferably, when there are multiple authorised users, configured to and adapt its acceptance window for multi-tap inputs to accommodate the range of behaviours exhibited by the group of authorised users.

The processor 470 may also be configured to adapt to changes in the character of the actuation inputs of authorised users, particularly in the case where there is only a single authorised user, because once a user becomes familiar with the multi-tap input process, there multi-tap inputs are likely to become more consistent.

In addition to coding the characters, e.g. digits, of a pulse code or PIN, the actuators or buttons of the keypad 106 are also preferably allocated other functions. For example, as shown a button (here 441) may be allocated to the function of disarming the security monitoring system, another (here 442) may be allocated to the function of fully arming (“armed away”) the security monitoring system another (here 443) may be allocated to the function of arming the security monitoring system to secure the perimeter of the premises (“armed at home”).

If the system includes an electronic or smart lock, such as 104, associated with the keypad 106, then the function of disarming the security monitoring system may also include unlocking the relevant lock, and the arming functions may also include locking the relevant lock. An additional actuator/button (here 444) may also be allocated the function of simply locking the linked lock but not changing the status of the security monitoring system.

Optionally, and as shown, an actuator/button may also serve as a bell push activating either an independent ringer inside the premises or a ringer or bell associated with the security monitoring system.

Optionally, but preferably, indicia are provided adjacent each button/actuator, 451-455, to indicate the characters which are coded by the relevant button/actuator. So, for example, if the keypad 106 codes the digits 0-9, indicia for two digits may be provided adjacent each button/actuator as shown. Additionally or alternatively, indicia could be provided for alphabetic or other characters, could be provided, but in practice users may be expected to prefer to rely on PINs based on digits rather than anything more complicated.

Figure 4B is a schematic vertical cross-section through the exemplary security monitoring system keypad of figure 4A along the line A - A. The actuators or buttons 441 - 445 are part of the keypad assembly shown generally as 451. Any suitable keypad technology may be used, although preferably the keypad technology selected should be silent or near silent operation so that it is not possible to hear the difference between a single and a multi-tap input. It is also preferred to use the keypad technology which provides clear tactile feedback to the user, because of the desire to avoid audible feedback. Finally, because the keypad 106 is to be mounted outside the protected premises and hence may experience extremely adverse weather conditions such as rain, frost, an intense direct sunlight, the keypad assembly should be weatherproof and the keypad technology suitable for providing a long design life even under such adverse conditions. Suitable technologies include capacitive and Hall-effect, as well as full-travel membrane keypads and dome-switch keypads (particularly dome-switches with metal domes provided that these are configured to be substantially silent in operation). Hall- effect keypads are particularly preferred, at least if engineered to provide clear tactile feedback, because of their high reliability and their ability to maintain an immunity to extreme environments. Because of our preference for the use of a battery power supply as primary power supply, and because we are interested in achieving battery life measured in years, the use of a touch screen display as a means of providing the function of a keypad (without the presence of a physical keypad) is unattractive. Also, the fact that the keypad is mounted outside the perimeter protected by the security monitoring system means that the toughness and durability of the external keypad are very important. Touch screens are likely to be too prone to failure due to vandalism, as well as potentially being unable to cope with extreme weather conditions for extended periods. For these, and other reasons, it is very much preferred to use a physical keypad technology rather than a touch screen based interface.

The keypad assembly 451 will typically, as shown, include a PCB or other suitable substrate onto which the electronics (processor 470, transceiver 520, memory 480, etc.) of the keypad can be mounted. Alternatively, the electronics may be mounted on a separate PCB or other suitable substrate. The audio interface 453, and the battery power supply 454, of the keypad device 106 are also enclosed in an external housing of the device. Because of the desire to avoid audible feedback when the actuators of the keypad are operated, it is useful to provide some sort of visual feedback during the process of authenticating with a PIN or pass code. For example, an optical indicator such as an LED, may be provided for each character of the PIN or pass code that is to be entered - e.g. four LEDs (or 4 groups of LEDs) may be provided when the PIN or pass code is four characters, and six LEDs (or 6 groups of LEDs) may be provided when the PIN or pass code is six characters. These may be used, for example, to give feedback during the entry of the characters that make up the PIN or pass code: while waiting for the entry of the first character a first LED may pulse white, changing to solid white when a character has been successfully inputted. The next LED may then pulse white, changing to solid white when a character has been successfully inputted, and so on until the characters entered matches the number of characters in the PIN or pass code. If the character sequence entered was incorrect, the LEDs (or groups of LEDs) may then display red. Conversely, if the character sequence entered was correct, the LEDs (or group of LEDs) may then display green. Preferably, the LEDs comprise RGB LEDs, although individual LEDs of the relevant colours may of course be provided as an alternative.

In addition, visual status indicators may be provided, preferably one to the side of each button or actuator, and these may pulsate while the devices “thinking” - that is waiting for authentication or carrying out an action, and showing a solid light when the action has been carried out. Preferably, such a visual status indicators are white or some other neutral colour - such as blue.

Preferably, because it is going to be located outside the secure perimeter of the premises, the security monitoring system keypad 106 does not indicate the status of the alarm system. Also, the keypad 106 is preferably a non — wake up device, which means that a user needs to wake it up with a button press every time that she wants to interact with it. Also preferably, as will be described later, the keypad 106 supports authentication for hands free entry to a user who is carrying a registered key fob 300.

Figure 5 shows front elevations of some alternative configurations of a security monitoring system keypad 106. In figure 5A, a 3-button keypad is provided, with each button coding three digits. For example, button 541 codes 1 with a single tap, 2 with a double tap, and 3 with a triple tap. As shown, button 541 is also used to provide a disarm instruction, button 542 is used to provide an armed away instruction, and button 543 is used to provide an armed at home function. As previously mentioned, the security monitoring system keypad 106 may also function as a video doorbell, and such a configuration is illustrated in figure 5B which includes both a bell push 544 and also a video camera whose lenses represented as element 550. If the external keypad is provided with video doorbell functionality it preferably includes not just an ISM transceiver for communication with the central unit of the system as previously described, but also a wide bandwidth transmitter (which may be provided in the form of a transceiver, even though its primary or sole role may be as a transmitter) such as a Wi-Fi transmitter which is used for transmitting images and/or video when commanded to do this by the central unit. In this way, the external keypad can be configured to consume minimal power for RF communications with the central unit, using the narrow band ISM transceiver, but still be able to send high resolution images and stream high resolution video at an acceptably high frame rate when necessary. In this way, the external keypad may still rely solely on battery power yet maintain acceptable battery life. Of course, the external keypad may be provided with a wired power feed, for example derived from a mains electricity supply, with battery back-up, whether or not it includes video doorbell functionality: if the external keypad with video doorbell functionality is replacing an existing doorbell it may of course be able to use an existing wired power supply. But even with a wired power supply, the provision of a battery power supply as back up enables authorised users to be able to disarm the security monitoring system, and unlock any associated lock (assuming that it too includes a battery power supply) even in the event of failure of the mains power supply.

Figure 6 shows another alternative embodiment of a security monitoring system keypad 106. Figure 6A is a perspective view of a keypad having five actuators/buttons, 641 - 645, which correspond to the actuators/bonds, 441 - 445, of the figure 4 embodiment. It will be noted that the actuators 641 and 642, which are respectively the system disarm and system arm (arm away, whereas actuator 643 is the arm at home control) are arranged immediately adjacent each other, and are differently shaped compared to the other actuators - to help users remember their functions/identities.

Figure 6B shows a front elevation of the same device. Figure 6C is a plan view of the device of Figures 6A and 6B, showing a cover release screw which is used to release the cover from the sub-assembly of the device so that the battery power supply can be changed. Figure 6D is a view of the mounting face of the device, showing two screw holes 647 and 648 by means of which the device may be secured to a support surface such as a wall. Typical dimensions of a device configured as shown in Figure 6 are between 100 and 150 mm high, e.g. 125 to 135mm high, between 35 and 50 mm wide - e.g. between 40 and 45mm wide, and between 25 and 35 mm deep, e.g. 30 mm deep. An anti-tamper arrangement is preferably included so that an alarm alert is sent to the central unit in the event that an attempt is made to remove the cover when the system is armed. Likewise, the keypad preferably also includes an anti-tamper sensor to send an alarm event to the central unit in the event that an attempt is made to remove the device from the surface upon which it mounted when the system is in an armed condition.

Figure 7 is a timing diagram showing the sequence of events and actions of the various elements of the security system that characterise a method, according to an embodiment of the invention, of controlling a security monitoring system to achieve hands-free disarming of the system using an external keypad. The diagram concerns the operations of the central unit 208, the external keypad 106, and the portable authentication device 300.

The method start at 700 with the external keypad 106 sensing an event, the activation of a button or other actuation of the external keypad 106, and responding to this by using its RF transceiver to transmit a user activation message to the central unit 208. This user activation message, which includes the external keypad’s ID, is received at a transceiver of the central unit 208.

The central unit includes the ID code for the external keypad from which it received the user activation message at 700 in a message which it transmits, at 702, to the external keypad 106 to cause the external keypad to activate, at 703, an indicator, an LED 500 for example, or to make a sound through loudspeaker 530, to indicate to the person at the external keypad 106 that the system is armed. The message also causes the external keypad to transmit, at 704, a beacon signal or a polling signal to wake the transceiver in any portable authentication device 300 within the vicinity of the targeted external keypad, and includes a special identifier to be included in the beacon signal or polling signal, and details of any packet countdown to be used. The special identifier will typically be a random or pseudo random number whose value changes at each use. The portable authentication device 300 listens for beacon signals on one or more channels whose parameters are known to each of the portable authentication devices - for example by having been pre-programmed, but more preferably having been communicated to the or each of the portable authentication device when that portable authentication device first registered with the central unit (although of course the central unit could periodically update these parameters through an exchange of messages with the portable authentication device (s). The characteristics of beacon or polling signal transmitted by the external keypad are chosen to make the effective range of the beacon signal small - preferably of the order of a few metres, e.g. no more than 5 metres or less, e.g. 2 metres, for detection by a portable authentication device, so that it will only be effective in waking a portable authentication device in the immediate vicinity of the external keypad. These characteristics will be discussed in more detail later.

The transceiver 610 of a portable authentication device 300 that is within a few metres of the external keypad receives the beacon signal and wakes up. The transceiver 610 receives and decodes the beacon signal, retrieving the special identifier. The controller of the portable authentication device then causes the transceiver 610 of the portable authentication device to transmit, at 706, a message including the portable authentication device ID and the special identifier to the central unit 208. The central unit checks that the special identifier is valid (meaning that it is one issued within the current period of the hands-free disarm beacon valid timer) and also checks to see whether the portable authentication device ID corresponds to one registered with the central unit. If both of these checks are passed, the central unit at 707, will disarm the system. The central unit may also at this stage send 708 a further message to the external keypad to cause the external keypad to provide a notification of the fact that the system has been disarmed - for example, the external keypad may activate an appropriate indicator light 500 and/or provide a “disarm success” sound or announcement through the loudspeaker 530. The central unit may also send a further message to the portable authentication device to cause the portable authentication device to generate a signal indicating successful disarming of the system - for example, by illuminating an indicator on the portable authentication device or to activate a haptic element to give a characteristic physical feedback signal.

As will be described later, the disarm request message sent by the portable authentication device to the central unit may also include a report on the RSSI levels of messages received by the portable authentication device 300 from the external keypad, and the central unit may use the information about measured RSSI levels in such a report in determining whether or not to trust the received disarm request - i.e. whether to disregard the disarm request as invalid on the basis that it is likely to have come from a rogue actor (outside the usual range of the external keypad) rather than from an authorised user within range of the external keypad.

It will be noted that the disarm credentials are not checked at the external keypad - with the external keypad sending a “success” message, if appropriate to the central unit, but rather that the entered credentials are transmitted from the external keypad to the central unit where they are checked. If the system includes an electrically controlled or “smart” lock on the door associated with the relevant external keypad, the central unit identifies the associated lock using the external keypad’s ID contained in the received user activation message, and retrieves from the database 415 the ID of the smart lock that is associated with the identified external keypad. Then, when there is disarm success, the central unit transmits an unlock command to the relevant lock (including the smart lock’s ID in the relevant transmission, so that the relevant smart lock knows that it is being addressed .

The system may be set up in such a way that, if the external keypad detects an input at its user interface 485, of if a near field communication (NFC) sensor 472 in the external keypad detects the presence of an appropriate NFC tag (disarm dongle), the transmission of the disarm beacon by the external keypad is halted or forestalled. In which cases the system is disarmed by the central unit if the appropriate disarm credentials are provided at the external keypad through its buttons/actuators or by means of a registered NFC tag (that is, a tag that has previously been registered with the central unit).

In an alternative embodiment, the keypad may start a hands-free disarm timer on user activation at step 700. If the external keypad does not receive a disarm success message from the central unit before expiry of the hands-free disarm timer, the external keypad provides an audible and/or visual warning to the effect that hands-free disarm has failed and that the system must be disarmed in some other way - e.g. by entering a PIN or passcode, or using a registered NFC tag, to avoid the system going to an alarm state.

Preferably, RF communication between the central unit and the nodes and sensors of security monitoring systems according to embodiments of the invention use the industrial, scientific, and medical (ISM) radio bands, such as in Europe the 868MHz band. Within the 868 MHz band are several sub-bands dedicated to “non-specific SRD” which are of interest. For the beacon/polling signal that is used by the external keypad to activate nearby portable authentication devices we are actually interested in engineering short range communication, . Portable authentication devices 300 according to embodiments of the invention may be configured to listen for instructions related to hands free disarm only on a particular channel or channels, with given frequency and given modulation, but to listen to another channel or channels on a different frequency and possibly with different modulation for other kinds of instructions. In general, security monitoring systems according to embodiments of the invention will not be configured to transmit only what are in effect disarm messages (such as that transmitted at 704) to portable authentication devices, but will also be configured to send other types of messages to portable authentication devices. In systems that do only send portable authentication devices disarm messages, a portable authentication device just needs to recognise a received message as a disarm (e.g. type 704) message and respond with the disarm transmission identifier and the portable authentication device ID. But in systems where there are additional message types, message types will typically fall into two classes: targeted messages that are targeted at a subset of one or more of all the registered portable authentication device s, that include one or more portable authentication device IDs, and in respect of which a reaction is sought only from the portable authentication device (s) having an ID included in the message; and group or general messages, in respect of which a reaction is sought from any portable authentication device that receives the message - and which therefore do not need to include a portable authentication device ID (and which hence will generally not include any portable authentication device ID). For example, a central unit may be configured to instruct the portable authentication device involved in a hands free disarm event to provide a disarm success indicator on a successful disarm event. Such an instruction will preferably include the ID of the portable authentication device that transmitted the disarm request to the central unit (the portable authentication device ID having been included in that disarm request).

Messages may be sent to portable authentication devices at least from the central unit (of which, in some systems, there may be more than one) and external keypads. Where there are multiple message types, they may be labelled Disarm Message (e.g. type 704), Group, and Targeted - labels which can be considered to be class flags. If finer granularity is required, a further level of flags may be provided - so that a message type is indicated by a primary flag (Disarm Message, Group, or Targeted), and (at least for Group and Targeted) a secondary flag that indicates the specific message type within the class. Alternatively, a single level of flags may be provided, with typically multiple flags for each of the Group and Targeted classes.

Within the 868/869 MHz band in Europe, the sub-band between 869.7 and 870Mhz is interesting for use when transmitting beaconing signals from the external keypads because it provides a relatively wide channel, the beacon channel, which allows the use of a high data rate, e.g. 250 kbit/s, which is helpful in reducing the effective range of the beacon signal. The effective radiated power ceiling of 5mW also poses no significant constraint for this application. Achieving effective battery life of nodes and sensors in alarm and monitoring systems is a constant concern, because battery failure disables the relevant node or sensor, which can lead to loss of security, and battery replacement may involve a site visit by the system supplier- which is expensive and inconvenient. For a portable authentication device, loss of battery power means that the portable authentication device stops working, which is inconvenient for the user, and the cause of the failure may not be apparent to the user so that the user may require a site visit to identify and fix the problem. Consequently, we are interested in reducing power consumption in all of the battery powered components of the system, including the portable authentication device. For this reason the use of a wake on radio receiver in the portable authentication device is attractive, although acceptable battery life can also be obtained using a more conventional radio receiver that periodically wakes to listen (poll) for beacon signals.

One way of reducing portable authentication device power consumption during the wake up process is for the portable authentication device to use 2-stage detection. A first detection stage of the transceiver of the fob (portable authentication device) may be used to perform a first step which involves checking an RSSI level. For example, the transceiver in the portable authentication device may periodically perform a brief RSSI check polling the beacon channel, using just the RF front end of the transceiver, for example for a first period of less than a few milliseconds, preferably a fraction of a millisecond, e.g. around 0.5 milliseconds and then revert to its rest state if the sensed RSSI level is below some pre-set threshold. If the sensed RSSI level is above threshold, the portable authentication device listens for a brief period for a synch word from the external keypad - for example for a second period of a few milliseconds , for example for less than 10 milliseconds, e.g. 5ms. If no synch word is detected, the transceiver reverts to its rest state. But if a synch word is detected, the transceiver starts the full radio receiver which remains powered up, for example for a third period of between say 8 to 16ms, for example 10ms, to receive the full WoR packet. Each packet will typically last of the order of 220ps, and the external keypad may transmit for 2 to 4 seconds, e.g. for 3 seconds - meaning that the portable authentication device should be able to receive 20 to 30 packets. Clearly, the choice of duration for the various periods is a trade-off between power consumption, user experience and accuracy - but the timings given represent a reasonable compromise as a starting point to be adjusted as necessary.

RSSI detection can be achieved by activating just front end components of the transceiver, avoiding the need to power up all of the transceiver. If the detected RSSI level is below a threshold, the portable authentication device determines that there is unlikely to be valid data available and halts its RSSI check until the next cycle. The cycle period determines the length of time for which the external keypad needs to transmit its beacon and also sets a lower bound on how quickly hands-free disarm is likely to occur on average. The portable authentication device wake up interval, which is controlled by a clock in the portable authentication device, will typically be chosen based on the duration of the external keypad beacon. For example, if the external keypad transmits its beacon for 2 seconds, then a portable authentication device wake up interval of one second would provide a good likelihood that a portable authentication device within range of a broadcasting external keypad would be able to wake and retrieve the necessary information from the beacon signal. A portable authentication device wake up of interval (period between poling events) of 2 seconds will often be frequent enough when the external keypad is configured to transmit its beacon signal for 3 seconds. The portable authentication device wake up interval can conveniently be set at between a quarter and two thirds of the beacon duration. By having the portable authentication device check the RSSI for a very brief period, for example a few milliseconds, at each polling event, good battery life can generally be obtained. A shorter relative cycle time is not technically problematic, but it is likely to use proportionally more battery power and hence shorten battery life commensurately. The cycle time could be more than one half of the beacon duration, provided the system enables the portable authentication device to capture the beacon quickly after wake up, so that the necessary special ID can be recovered by the portable authentication device.

The external keypad transmits a beacon signal, on the beacon channel, which includes the special codeword received from the central unit for this hands free disarm event. Typically, the beacon signal will be made up of a sequence of packets, each beginning with a preamble, followed by a synch word, then an identifier which may be the special ID from the central unit. Preferably, each packet includes a countdown value, the countdown value decreasing by one in each subsequent packet (to zero in the final packet of the sequence) and indicating the number of packets until the end of the sequence of packets. The system will typically be configured to cause the external keypad to transmit only one beacon sequence, with a single series of countdown values.

The beacon signal is recognised as such by the portable authentication device, because it is the only message of that kind with the relevant format in that channel, causing the portable authentication device to transmit a response including the special codeword (id).

By including sequence information in the beacon from the external keypad, it becomes possible for the portable authentication device to determine when the beacon transmission will end. Using this information, the portable authentication device can delay transmitting its response to the central unit until after the external keypad has finished transmitting - so that it is easier for the central unit to detect the response from the portable authentication device without local interference. This means that portable authentication device transmit power can be kept low, prolonging the life of the portable authentication device’s battery, while still enabling the central unit to receive the portable authentication device’s response. In addition, when the portable authentication device captures beacon packets, it can calculate how long it will be before the sequence ends. If the captured packets are early in the sequence, the portable authentication device can “snooze” or power down while waiting for the sequence to end, and then wake again in order to transmit its response to the central unit just after the sequence ends.

The portable authentication device will listen to multiple packets to be able to use statistics to get a reliable RSSI figure.

In order to reduce the effective range of the radio beacon, it is transmitted from the external keypad at a low power (e.g. -20dBm or less)with a high data rate (for example, 250kbps or more, say 400 kbps ) and with a low modulation index, to give an effective range of no more than about 5 metres? We limit out power from the external keypad to limit range. To make it harder to receive from a greater distance we have a high modulation and low modulation index. However the main reason is not the poor link budget but the speed. The higher the bitrate the more packets can be used for estimation. Sensitivity is in the range of around -90dBm at this settings and we try to be in line of sight, then the distance from the transmitter is given as the fading of the channel with distance, using Friis formula

Encryption, for example based on shared keys, is preferably used for all transmissions from and to the central unit in each of the embodiments of the invention

As mentioned previously, a further option to improve security, which may be used with any or all of the preceding options to further enhance the security of the system, is for the portable authentication device to include in the response message sent to the central unit details of the results of RSSI determinations made by the portable authentication device. In particular, the external keypad may be configured to send a series of wake up messages upon being prompted by the central unit to send a disarm instruction, including a disarm transmission identifier, to the portable authentication device. And the portable authentication device may be configured to determine the RSSI level of each of the messages of the series that are received from the external keypad. The portable authentication device may be configured to include in the disarm request sent to the central unit a report based on the determined RSSI levels. For example, the portable authentication device may be configured to send a summary of the RSSI levels measured, such as the number of messages/packets measured or measured above a certain level, maximum RSSI level, etc. Inclusion of the RSSI data can be used by the system to reduce the susceptibility of the system to “relay attacks” of the type used to fool passive entry systems (PES) of cars. The portable authentication device would report RSSI values as, for example, max/min values, and an average, and the central unit may hold factory pre-set values for a “real” disarm, and/or these may be supplemented or replaced with real world values obtained during commissioning/testing of the system.

Figure 8 is a simplified flowchart illustrating conditions, actions, and reactions in the arming of the security monitoring system using the keypad device 106. At 800, the security monitoring system is unarmed and the keypad device 106 is dormant. At 802 the arm mode button, e.g. 441 , 541 , or 641 , is pressed. In consequence, at 804 the keypad device wakes up and enters an authorisation mode. Authorisation may be achieved using a hands free entry process involving a keypad 300, as described with reference to figure 3, as will be described in more detail later. Authorisation may also be achieved by bringing a token into close proximity (e.g. a few centimetres or less) with the keypad device, the token and the keypad device communicating using NFC, provided the token is registered with the central unit of the security monitoring system. In each of the two preceding cases the user does not have to physically enter a PIN or pass code at the keypad device 106.

Authorisation may also be achieved by entering a PIN or pass code at the keypad device. With the keypad device 106 woken following the pressing of the arm mode button, the first of the PIN/pass code LEDs flashes white to prompt the user to enter a character, e.g. a digit. The user makes the appropriate single or multi-tap input on the relevant key (e.g. 441 - 445). On recognising the input of a character, the processor of the keypad changes the display status so that the first LED now provides a steady white light, and the next of the PIN/pass code LEDs flashes white to prompt the user to enter the next character, e.g. next digit, of the PIN/pass code. The user then responds by entering the next character. Upon successful recognition of the entry of a character, the processor of the keypad changes the status of the second PIN/passcode LED to provide a steady white light, and activates the third PIN/pass code LED to flash white. This process continues until the number of characters recognised as being entered matches the number of characters required for a PIN/pass code. If, at any stage entry of a character is not recognised, the relevant PIN/pass code LED switches from flashing white to flashing red.

For reasons of security, the processor of the keypad device does not provide feedback during entry of a PIN/pass code as to whether a character entered is correct for any recorded PIN/pass code. Indeed, the keypad device may be configured to send the entered character string to the central unit of the security monitoring system for the central unit to check entered character string with or each PIN/pass code recorded for authorised users - any such communication between the keypad device and the central unit of course being encrypted. An alternative, which is less preferred, is for the keypad device to include an encrypted record of the registered PIN(s)/pass code(s) for local comparison with character sequences entered at the keypad device. If the comparison of the entered character sequence reveals that it does not match a recorded sequence, the processor of the keypad device causes, at 806, the PIN/pass code LEDs all to show red, and optionally to flash, to provide feedback to the user that they need to re-enter their PI N/pass code. Additionally, the processor of the keypad device may also be configured to voice a pre-recorded announcement to the effect that the entered code is incorrect. The process of the keypad device, possibly under the instruction of the central unit of the system, may be configured in the event of three authorisation failures to cease to respond to the activation of actuators/buttons on the keypad device for a period of at least five minutes. The system may also be configured to raise an alert with the central monitoring station in the event of such a sequence of failures.

Conversely, if the entered character sequence matches a recorded authorised character sequence of the system then checks at 810 that the door associated with the external keypad device 106 is closed. This may be done using the usual door open detector which typically relies on the presence or displacement of a magnet with respect to a sensor of some kind. If the check at 810 reveals that the door is not properly closed, the central unit informs the keypad device 106 causing the keypad processor to provide the user with feedback by flashing one or more LEDs red, and optionally by playing a pre-recorded announcement to the effect that the door has not yet been properly closed and that the security monitoring system cannot be armed until the door is properly closed. If the door is then subsequently closed properly, the process begins again at 800.

If the check at 810 is passed, the processor of the central unit then checks at 812 to see whether there is an EN error , such as a window being detected as open If such an error is detected, the keypad processor once again provides 814 an LED alert, this time Amber 716. The user is given the chance to confirm the alert (e.g. confirm that it is desired to arm the system with the window open at 818 and to continue with the arming process.

If the installation includes an electrically controlled (“smart”) lock the central unit then sends at 720 a command to the relevant lock to move from an unlocked to a locked position. The central unit then checks the status of the lock to ensure that it is actually locked - for example if there is an obstruction, or a misalignment of the bolt of the lock with its counterpart, the lock may be prevented from locking. If the check reveals that the lock hasn’t locked properly, the central unit again sends a command to the keypad device causing the processor of the keypad device to provide at 822 LED error feedback (red).

At 824, the central unit then attempts to arm the system, and then checks to see whether arming has been achieved. If arming has been achieved, the central unit sends a success message to the keypad device, causing the processor of the keypad device to provide at 826 feedback of successful arming, e.g. by causing LEDs briefly to display solid green. Conversely, if the attempt to arm was unsuccessful, for example because a window has been left open, the central unit again instructs the keypad device to provide error feedback preferably both through flashing LEDs red, and also by playing a pre-recorded announcement to the effect that arming has failed because an open window has been detected (other causes of a failure to arm is the detection of movement inside the monitored premises when an attempt has been made to arm into the armed away state - and, again, preferably an appropriate pre-recorded announcement is played over the audio interface of the keypad device.

Figures 9A and 9B illustrate schematically the use of an external keypad to disarm a security monitoring system and unlock an electronically controlled lock of a door that gives access to the monitored space of building. The external keypad may also enable a user to lock an electronically controlled lock of an access door with or without arming the system. For this use, the external keypad includes a selector or actuator arrangement, e.g. a button or other actuator, to enable a user to initiate an event. For example, the disarm node could include an actuator or button to enable a user to unlock the electronically controlled lock of a door and disarming the monitoring system from an armed state, another actuator or button for locking the lock of the door, and another actuator or button for arming the system or for locking the lock of the door and arming the system. Preferably, if the keypad is used to arm the security monitoring system it also causes all of the electronically controlled locks of external entrances to the protected premises to lock. Whereas, when the keypad is used to disarm the system, it preferably only causes the unlocking of the lock of the entrance with which the keypad is associated - which will generally be the lock of the entrance door nearest to the keypad - e.g. the front entrance door, when the keypad is provided adjacent that entrance, rather than unlocking locks on multiple entrance doors.

Such electronically controlled locks would typically include an RF receiver, e.g. an RF transceiver, to receive control messages to lock and unlock the lock, and would typically also include means to decrypt encrypted messages received by the receiver.

The keypad actuators could be provided in the form of a keypad or as individual “buttons”, as previously described, optionally using capacitance sensing technology rather than as mechanical switches - but preferably not in the form of a touch panel display.

In a first variant, illustrated schematically in Figure 9A, the external keypad would react to operation of one of the actuators (event #1) by using its RF transceiver to send (event #2) a change status request message to the central unit, including the details of the change requested, together with the disarm node ID. The central node would transmit (event #3) a response including the external keypad ID together with a unique event identifier (e.g. a random number), which changes for every event, and which is effective to cause the external keypad to start a wake on radio process. The response from the central unit could include a command for the external keypad, or the system could be arranged so that the external keypad responds to receiving a message from the central unit that includes a unique event identifier together with the external keypad’s ID by starting the wake on radio process. The external keypad receiving such a response, including its own ID, would use its RF transceiver to transmit wake on radio signals (event #4), including the unique event identifier. A portable authentication device receiving the wake on radio signals would wake and transmit (event #5) a signal including its own ID, and the unique event identifier. Preferably, the user portable authentication device is also configured to perform RSSI measurement on wake up messages received from the external keypad and to include information on these RSSI measurements in the message sent to the central unit. The use of unique event identifiers is effective to prevent successful replay attacks.

In use, according to a second variant, illustrated schematically in Figure 9B, an external keypad would react to operation of one of the actuators/buttons (event #1) by starting a “wake on radio” process (event #3) effectively to search for any user portable authentication device within range ( within 5 metres or less, e.g. within 1 or 2 metres) of the disarm node by transmitting wake up messages generally as previously described with reference to Figure 7. The wake up message includes a unique event ID (e.g. a random number) which serves the same function as the unique event ID that the central unit has previously been described as generating with reference to Figure 7.

In addition, the external keypad would also transmit (event#2) a report to the central unit indicating the selector that was activated - i.e. informing the central unit of the user’s request (e.g. unlock and disarm or just disarm). The report from the external keypad also includes the external keypad identifier and the unique event ID. A user portable authentication device such as device 300 receiving such a wake up message responds by transmitting (event #4) a message to the central unit, including the unique event ID and its own ID. Preferably, the user portable authentication device is also configured to perform RSSI measurement on wake up messages received from the external keypad and to include information on these RSSI measurements in the message sent to the central unit - as the central unit may use such measurements in distinguishing between disarm attempts legitimately made at the external keypad and other, bogus attempts, where signals are relayed from a bad actor close to a legitimate user’s key fob remote from the keypad, and a second bad actor adjacent the keypad.

With both the first and second variants of this external keypad variant the sequence of operations continues as follows. The central unit, on receiving the message from the user’s portable authentication device checks to determine whether portable authentication device ID included in the message is one registered with the central unit, and also whether the event ID matches that of a “current” event (as opposed to a replay of an earlier event - presented as part of a replay attack). If the message received from the user portable authentication device includes RSSI information, the central unit will also take this into account in deciding whether the status change request is a valid one (or a bogus one that is the result of a relay attack). If the central unit is determined to be valid, then the central unit actions the request by, for example sending an unlock command to the relevant door lock (event #6 in Figure 9A, event #5 in Figure 9B) and disarming the security monitoring system, or by sending a lock command to the relevant door lock and arming the system. In addition, the central unit may be configured to send a status change notification to the disarm node(event #6 in Figure 9A, event #5 in Figure 9B), including the disarm node ID, so that the disarm node can indicate the change of status visibly and or audibly.

Also, if the user portable authentication device includes a haptic device, the central unit may transmit an instruction to the portable authentication device to cause the portable authentication device to activate the haptic device to indicate completion of the requested action. A portable authentication device having one or more visual indicators, e.g. one or more LEDs, may also be triggered to provide a visual indication of completion of a requested action.

A portable authentication device 300 having a haptic element may also be configured to provide haptic feedback on receipt of a wake up message from a disarm node such as an external keypad 106 (preferably a different mode of feedback from that for successful completion of a requested action), so that a user knows that the portable authentication device has been “found” by the disarm node. The central unit may optionally transmit an action request “failure” message, including the external keypad ID, that the external keypad can use to provide feedback of failure to complete a requested action. The central unit can also send a failure message, including the portable authentication device ID, that the portable authentication device can use to provide feedback of failure to complete a requested action.

If the security monitoring system having an external keypad outside the monitored building or monitored zone is one which is connected to a central monitoring station, it can be useful for the registered owner of the security monitoring system to be informed of failed requests to change status. In particular, where an action request is made by operation of an event selector, and no authorised portable authentication device is found - or signals are received from a non- authorised source, details of the event may be reported by the central unit to the central monitoring station. The central monitoring station can act on such reports, by for example, sending human operatives to survey the premises, but may also send such reports to the registered owner. For example, the registered user may have a smartphone “app” which may be arranged receive notifications from the central monitoring station. The central monitoring station may be arranged to provide real time or near real time notification of failed action requests. Such a system may be further enhanced by providing notifications to the app of action requests and their results both for success and for failure, by configuring the central unit to report all such action requests and their results to the central monitoring unit.

In addition to supporting hands free disarming, the external keypad as described may also be used to perform “hands free” arming, in which an authorised key fob is used to “authenticate” a user in place of the a passcode entered at the keypad or the presentation to the keypad of an authorised NFC token. In each case, arming may be commenced by activation of an actuator, such as actuator 442, 542, or 642. If arming with a code, the user is prompted by LEDs or voice prompt to enter the code at the keypad. If arming with an NFC token, the user brings the NFC token into close proximity (i.e. NFC range) with the external keypad, or touches the external keypad, and the keypad reads or prompts the delivery of the ID of the NFC token, and then forwards the token ID to the central unit for the central unit to make a decision about arming based on recognition of the presented token ID.

In the case of arming with an authorised key fob or other hands free entry device, once arming has been commenced by activation of an actuator, such as actuator 442, 542, or 642, the external keypad works with the central unit and the hands free entry device to perform a method generally as set out in, and described with reference to, Figures 9A and 9B - although with instructions to lock (preferably all) the electrically controlled exterior lock(s) rather than instructing to unlock only the lock of the door associated with the external keypad. Confirmation of successful arming is preferably provided by a visual indication from the keypad, as well as optionally audible confirmation. A haptic enabled hands free entry device may also provide a recognisable tactile feedback confirming successful arming. Similarly, in the event that an attempt at hands free arming fails - for example because the central unit detects that another entrance door is open or unlocked, the user should be provided with feedback to the effect that the attempt to arm has failed, and that the system remains disarmed. Preferably the feedback provides an indication of the nature of the failure, either visually using an appropriate indicator or visual code, and/or audibly by the playing of a pre-recorded message or the like. Such feedback may conveniently be provided by appropriate interfaces of the external keypad, e.g. LED indicators and/or a loudspeaker.