SimpliSafe home alarms transmit PIN unlock codes in the clear – ideal for lurking burglars
How to break into hundreds of thousands of homes in America
If you've got a SimpliSafe wireless home alarm system, as hundreds of thousands of homes in the US apparently do, then it's time to buy a new alarm system because yours is screwed.
SimpliSafe markets itself as a wireless home alarm system that eliminates all those fiddly wires from sensors. Sadly, the engineers behind the security system didn't think about information security, because it turns out the alarm system is ridiculously easy to hack.
It appears SimpliSafe's systems send messages unencrypted in the clear over the air. That means it's trivial to send spoofed sensor readings – such as back-door closed – to fool alarm control boxes into thinking no break-in is happening, and replay PIN codes from keypads to activate or deactivate security systems.
A thief just has to loiter near a home with some radio equipment, pick up the unencrypted PIN messages transmitted from a keypad to the control box, and later replay the messages to deactivate the alarm when the homeowners are out.
Dr Andrew Zonenberg, senior security consultant at IOActive, discovered these weaknesses after taking the electronics out of a SimpliSafe alarm keypad and analyzing the signals passing between the microcontrollers and the radio circuitry. That allowed him to decode the communications protocols, which are unencrypted and easy to replay.
"Although I still haven’t figured out a few bits at the application layer, the link-layer framing was pretty straightforward," said Zonenberg.
"This revealed something very interesting: when messages were sent multiple times, the contents (except for a few bits that seem to be some kind of sequence number) were the same. This means the messages are either sent in cleartext or using some sort of cipher without nonces or salts.
"After a bit more reversing, I was able to find a few bits that reliably distinguished a 'PIN entered' packet from any other kind of packet."
"A few hundred lines of C later, I had a device that would passively listen to incoming 433MHz radio traffic until it saw a SimpliSafe 'PIN entered' packet, which it recorded in RAM. It then lit up an LED to indicate that a PIN had been recorded and was ready to play back. I could then press a button at any point and play back the same packet to disarm the targeted alarm system."
Components needed to hijack the radio-based system shouldn't cost too much, and can be battery powered. The burglar simply needs to hide the device within 100 feet of a victim's home, record the PIN messages as they are transmitted, and can then replay them to disable or activate the alarm with ease.
The problem for SimpliSafe is that this issue can't be easily fixed as the hardware stands. The equipment uses write-once microcontroller chips, so there's no way to apply a firmware update to add encryption to the mix. Boxes will need to be ripped up and replaced.
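What "cleartext with a bare sequence number" buys an eavesdropper, and what the link would need instead, is easier to see in code. The following is an added illustration, not SimpliSafe's protocol or IOActive's tooling: the frame layouts, the command byte, the tag length and the base-station logic are all invented for the example, and the radio is modelled as byte strings handed from one object to another. The weak receiver checks only the PIN field and ignores the sequence bits, so a recorded frame works forever; the hardened receiver requires a per-installation shared key, a strictly increasing counter, and an HMAC over the whole frame, so a recorded frame is rejected and bumping the counter breaks the tag.

```python
"""Toy model of an alarm keypad -> base-station link (constructed example).

Frame layouts are invented for illustration and are NOT SimpliSafe's real
protocol. The radio transport is modelled as passing byte strings around.
"""
import hashlib
import hmac
import os

CMD_PIN_ENTERED = 0x01   # assumed command byte for this toy protocol
TAG_LEN = 16             # truncated HMAC-SHA256 tag


# --- Weak design: cleartext, unauthenticated, only a sequence number varies ---

def naive_frame(seq: int, pin: str) -> bytes:
    """seq (2 bytes) | cmd (1 byte) | 4 ASCII PIN digits, no key material."""
    return seq.to_bytes(2, "big") + bytes([CMD_PIN_ENTERED]) + pin.encode()


class NaiveBaseStation:
    """Accepts any well-formed frame carrying the right PIN, however old."""

    def __init__(self, pin: str):
        self.pin = pin
        self.armed = True

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 7 or frame[2] != CMD_PIN_ENTERED:
            return False
        if frame[3:] == self.pin.encode():   # sequence number is never checked
            self.armed = False
            return True
        return False


# --- Hardened design: shared key, monotonic counter, MAC over the frame ---

class AuthenticatedKeypad:
    """Holds a per-installation key and a counter that never repeats."""

    def __init__(self, key: bytes, start_seq: int = 0):
        self.key = key
        self.seq = start_seq

    def pin_frame(self, pin: str) -> bytes:
        """seq (4 bytes) | cmd (1 byte) | PIN | HMAC tag over everything before it."""
        body = self.seq.to_bytes(4, "big") + bytes([CMD_PIN_ENTERED]) + pin.encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        self.seq += 1            # in real hardware this must survive power loss
        return body + tag


class AuthenticatedBaseStation:
    """Verifies the tag first, then enforces a strictly increasing counter."""

    def __init__(self, key: bytes, pin: str):
        self.key = key
        self.pin = pin
        self.armed = True
        self.last_seq = -1

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 9 + TAG_LEN or frame[4] != CMD_PIN_ENTERED:
            return False
        body, tag = frame[:9], frame[9:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False         # forged, corrupted, or counter tampered with
        seq = int.from_bytes(body[:4], "big")
        if seq <= self.last_seq:
            return False         # replay of a frame already accepted
        self.last_seq = seq
        if body[5:] == self.pin.encode():
            self.armed = False
            return True
        return False


def replay_against_naive(pin: str = "1234") -> bool:
    """Record one legitimate disarm, re-arm, replay: does the replay disarm?"""
    base = NaiveBaseStation(pin)
    recorded = naive_frame(seq=7, pin=pin)
    base.receive(recorded)       # owner disarms on arrival
    base.armed = True            # owner re-arms and leaves
    return base.receive(recorded) and not base.armed


def replay_against_authenticated(pin: str = "1234") -> dict:
    """Same sequence against the hardened link; also try bumping the counter."""
    key = os.urandom(32)         # provisioned at pairing time; constructed here
    keypad = AuthenticatedKeypad(key)
    base = AuthenticatedBaseStation(key, pin)
    recorded = keypad.pin_frame(pin)
    first_ok = base.receive(recorded)
    base.armed = True
    replay_ok = base.receive(recorded)          # rejected: counter already seen
    bumped = bytearray(recorded)
    bumped[3] += 1                              # raise the counter past last_seq
    bumped_ok = base.receive(bytes(bumped))     # rejected: tag no longer matches
    fresh_ok = base.receive(keypad.pin_frame(pin))  # genuine new frame still works
    return {"first": first_ok, "replay": replay_ok, "bumped": bumped_ok, "fresh": fresh_ok}
```

The hardened model only addresses the replay described above: the PIN digits still travel in the clear, so an installation that also wants confidentiality would wrap the frame in an authenticated cipher with the counter as nonce rather than a bare MAC. Either way the fix is firmware on both ends of the link, which is exactly what the write-once microcontrollers rule out.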
To make matters worse, many SimpliSafe users advertise their hardware with yard signs and window decals to scare burglars off. Instead they are advertising that their homes are easy to attack.
Zonenberg said he contacted the biz repeatedly to explain what they were doing wrong but got stonewalled, so he went to US-CERT instead. Similarly, El Reg has had no luck getting in contact with the firm about the issue.
SimpliSafe really only has one option to deal with the issue – a total product recall and replacement. If you've just bought a system, now would be a good time to use that 60-day money-back guarantee. ®
Updated to add
SimpliSafe has published a statement on its website, which you can read here in full.