SimpliSafe home alarms transmit PIN unlock codes in the clear – ideal for lurking burglars

How to break into hundreds of thousands of homes in America

Pics and vid If you've got a SimpliSafe wireless home alarm system, as hundreds of thousands of homes in the US apparently do, then it's time to buy a new alarm system because yours is screwed.

SimpliSafe markets itself as a wireless home alarm system that eliminates all those fiddly wires from sensors. Sadly, the engineers behind the security system didn't think about information security, because it turns out the alarm system is ridiculously easy to hack.

It appears SimpliSafe's systems send messages unencrypted in the clear over the air. That means it's trivial to send spoofed sensor readings – such as back-door closed – to fool alarm control boxes into thinking no break-in is happening, and replay PIN codes from keypads to activate or deactivate security systems.

A thief just has to loiter near a home with some radio equipment, pick up the unencrypted PIN messages transmitted from a keypad to the control box, and later replay the messages to deactivate the alarm when the homeowners are out.

Dr Andrew Zonenberg, senior security consultant at IOActive, discovered these weaknesses after taking the electronics out of a SimpliSafe alarm keypad, and analyzed the signals coming in and out of the microcontrollers to the radio circuitry. That allowed him to decode the communications protocols, which are unencrypted and easy to replay.

"Although I still haven’t figured out a few bits at the application layer, the link-layer framing was pretty straightforward," said Zonenberg.

"This revealed something very interesting: when messages were sent multiple times, the contents (except for a few bits that seem to be some kind of sequence number) were the same. This means the messages are either sent in cleartext or using some sort of cipher without nonces or salts.

"After a bit more reversing, I was able to find a few bits that reliably distinguished a 'PIN entered' packet from any other kind of packet."

He continued:

A few hundred lines of C later, I had a device that would passively listen to incoming 433MHz radio traffic until it saw a SimpliSafe “PIN entered” packet, which it recorded in RAM. It then lit up an LED to indicate that a PIN had been recorded and was ready to play back. I could then press a button at any point and play back the same packet to disarm the targeted alarm system.

Youtube video

Components needed to hijack the radio-based system shouldn't cost too much, and can be battery powered. The burglar simply needs to hide the device within 100 feet of a victim's home, record the PIN messages are they are transmitted, and can then replay them disable or activate the alarm with ease.

The problem for SimpliSafe is that this issue can't be easily fixed as the hardware stands. The equipment uses write-once microcontroller chips, so there's no way to apply a firmware update to add encryption to the mix. Boxes will need to be ripped up and replaced.

To make matters worse, many SimpliSafe users advertise their hardware with yard signs and window decals to scare burglars off. Instead they are advertising that their homes are easy to attack.

Zonenberg said he contacted the biz repeatedly to explain what they were doing wrong but got stonewalled, so he went to US-CERT instead. Similarly, El Reg has had no luck getting in contact with the firm about the issue.

SimpliSafe really only has one option to deal with the issue – a total product recall and replacement. If you've just bought a system, now would be a good time to use that 60-day money-back guarantee. ®

Updated to add

Simplisafe has published a statement on its website, which you can read here in full.

Similar topics

Other stories you might like

  • Why Wi-Fi 6 and 6E will connect factories of the future
    Tech body pushes reliability, cost savings of next-gen wireless comms for IIoT – not a typo

    Wi-Fi 6 and 6E are being promoted as technologies for enabling industrial automation and the Industrial Internet of Things (IIoT) thanks to features that provide more reliable communications and reduced costs compared with wired network alternatives, at least according to the Wireless Broadband Alliance (WBA).

    The WBA’s Wi-Fi 6/6E for IIoT working group, led by Cisco, Deutsche Telekom, and Intel, has pulled together ideas on the future of networked devices in factories and written it all up in a “Wi-Fi 6/6E for Industrial IoT: Enabling Wi-Fi Determinism in an IoT World” manifesto.

    The detailed whitepaper makes the case that wireless communications has become the preferred way to network sensors as part of IIoT deployments because it's faster and cheaper than fiber or copper infrastructure. The alliance is a collection of technology companies and service providers that work together on developing standards, coming up with certifications and guidelines, advocating for stuff that they want, and so on.

    Continue reading
  • AMD refreshes Ryzen Embedded line with R2000 series
    The target? Thin clients and industrial devices – with new SoC family running up to 4 independent displays

    Embedded World AMD is bringing to market a new generation of Ryzen chips for embedded apps promising more CPU cores, enhanced built-in graphics and expanded I/O connectivity to drive kit such as IoT devices and thin clients.

    Crucially, AMD plans to make the R2000 Series available for up to 10 years, providing OEM customers with a long-lifecycle support roadmap. This is an important aspect for components in embedded systems, which may be operating in situ for longer periods than the typical three to five-year lifecycle of corporate laptops and servers.

    The Ryzen Embedded R2000 Series is AMD's second-generation of mid-range system-on-chip (SoC) processors that combine CPU cores plus Radeon graphics, and target a range of embedded systems such as industrial and robotic hardware, machine vision, IoT and thin client devices. The first, R1000, came out in 2019.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading

Biting the hand that feeds IT © 1998–2022