More than a quarter million homes protected by SimpliSafe wireless security systems are vulnerable to hackers who can deactivate the alarm anytime, according to IOActive, a Seattle-based security consulting firm.
IOActive published a proof-of-concept report on Wednesday that outlines how it disarmed SimpliSafe’s wireless home security systems. The hack, according to IOActive researcher Andrew Zonenberg, eavesdrops on the wireless transmission between SimpliSafe components and captures the PIN entries used to unlock the security system.
Zonenberg said exploiting the vulnerability requires a $250 investment in SimpliSafe components and a couple of microcontrollers. The vulnerability, he said, lies in the communication between the system’s keypad and its wireless base station.
After some sleuthing, Zonenberg established that the system used on-off keying in the 433 MHz ISM band and that the base station replied using the same modulation at 315 MHz. The key wasn’t “messing with radio protocol” to figure out the PIN code for the alarm, wrote Zonenberg; it was rather to record the data bytes that contained the PIN and later replay the sequence to unlock the SimpliSafe alarm.
“A few hundred lines of C later, I had a device that would passively listen to incoming 433 MHz radio traffic until it saw a SimpliSafe ‘PIN entered’ packet, which it recorded in RAM,” wrote Zonenberg. “It then lit up an LED to indicate that a PIN had been recorded and was ready to play back. I could then press a button at any point and play back the same packet to disarm the targeted alarm system.”
SimpliSafe did not return requests for comment. However, IOActive says that because of the design flaw, SimpliSafe will likely have to replace all keypads and base stations to fix the problem. According to a 2015 interview with SimpliSafe CEO Chad Laurans, SimpliSafe security products are used in 300,000 U.S. homes.
SimpliSafe told customers concerned about the vulnerability on Wednesday that there was an extremely low probability of being impacted by the flaw. Nevertheless, they were urged to be vigilant about monitoring their home security system and watch for unexpected disarming of their SimpliSafe system. Customers were told no fix was currently available.
Daniel Miessler, director of advisory services at IOActive, said that SimpliSafe is far from alone when it comes to insecure data transmissions between device components. “These vulnerabilities are common among many manufacturers who are not building security into the products before they ship them,” Miessler said. In SimpliSafe’s case, he said, the vulnerability was caused by the company’s lack of cryptographic controls when transmitting data between components.
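To make concrete why recording and replaying a “PIN entered” packet works, and what the missing cryptographic controls would have to provide, here is an added Python model of two keypad-to-base-station protocols. It is illustrative code written for this article, not IOActive’s tool or anything from SimpliSafe’s firmware, and the packet layouts, the demo PIN and the pairing key are constructed assumptions. The first receiver accepts any packet carrying the right PIN bytes, so a captured packet disarms it again later; the second requires a monotonically increasing counter and an HMAC under a key shared at pairing, so the same captured bytes are rejected as stale and a tampered counter fails the tag check.

```python
import hashlib
import hmac
import struct

# Constructed demo values (assumptions for this example only).
DEMO_PIN = b"1234"
PAIRING_KEY = b"constructed-demo-pairing-key-not-from-any-product"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class UnauthenticatedBaseStation:
    """Model of a receiver that trusts any packet containing the right PIN.

    Nothing in the packet proves it was produced by the keypad just now
    rather than captured earlier, which is the design weakness described
    in the article: the same bytes disarm the system every time.
    """

    def __init__(self, pin: bytes) -> None:
        self.pin = pin
        self.armed = True

    def receive(self, packet: bytes) -> bool:
        if hmac.compare_digest(packet, self.pin):  # PIN sent in the clear
            self.armed = False
            return True
        return False


class AuthenticatedKeypad:
    """Hypothetical keypad that authenticates each disarm message.

    Packet layout (assumed): 4-byte big-endian counter || PIN || HMAC tag.
    The counter must survive power loss in a real device; here it is in RAM.
    """

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def disarm_packet(self, pin: bytes) -> bytes:
        self.counter += 1
        body = struct.pack(">I", self.counter) + pin
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


class AuthenticatedBaseStation:
    """Hardened receiver: verifies the tag, then rejects non-increasing counters."""

    def __init__(self, pin: bytes, key: bytes) -> None:
        self.pin = pin
        self.key = key
        self.last_counter = 0
        self.armed = True

    def receive(self, packet: bytes) -> bool:
        if len(packet) < 4 + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered packet
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False  # replayed (or reordered) packet: counter is stale
        if not hmac.compare_digest(body[4:], self.pin):
            return False
        self.last_counter = counter
        self.armed = False
        return True


def demo_unauthenticated() -> tuple:
    """Returns (first_disarm_ok, replay_ok); the replay succeeds."""
    base = UnauthenticatedBaseStation(DEMO_PIN)
    captured = DEMO_PIN  # what a passive listener records off the air
    first = base.receive(captured)
    base.armed = True  # homeowner re-arms the system
    replay = base.receive(captured)
    return first, replay


def demo_authenticated() -> tuple:
    """Returns (first_ok, replay_ok, tampered_ok, fresh_ok)."""
    keypad = AuthenticatedKeypad(PAIRING_KEY)
    base = AuthenticatedBaseStation(DEMO_PIN, PAIRING_KEY)
    captured = keypad.disarm_packet(DEMO_PIN)
    first = base.receive(captured)
    base.armed = True
    replay = base.receive(captured)                       # stale counter
    tampered = struct.pack(">I", 99) + captured[4:]       # counter bumped, old tag
    tampered_ok = base.receive(tampered)
    fresh = base.receive(keypad.disarm_packet(DEMO_PIN))  # genuine new entry
    return first, replay, tampered_ok, fresh


if __name__ == "__main__":
    print("unauthenticated (first, replay):", demo_unauthenticated())
    print("authenticated (first, replay, tampered, fresh):", demo_authenticated())
```

The hardened model only supplies authenticity and freshness, which is what defeats the replay described above; the PIN itself still crosses the air in the clear in this sketch, so a real design would also encrypt the body and handle counter persistence and resynchronisation between keypad and base station. Note also that this fix lives in the protocol on both ends, which is why IOActive expects hardware rather than a firmware patch to be needed on devices that cannot be updated.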
SimpliSafe, Miessler said, is representative of a much larger problem, whether in consumer security systems, commercial-grade products or the wider universe of consumer and industrial IoT devices.
Similar vulnerabilities have been well documented in ADT, Vivint, Comcast Xfinity and Samsung SmartThings home security devices.
What makes SimpliSafe’s vulnerability unique, Miessler said, is the difficulty of fixing the problem. According to IOActive’s research, a firmware update to fix the issue is out of the question.
“If in fact the controller and receiver hardware are incapable of any type of upgrade, there will likely be calls for a large-scale recall,” said Kenneth White, a Washington DC-based security researcher in an email interview.
“This appears to be a great example of a product that should have had independent third-party review prior to marketing,” White said. “Any credible security lab would have identified the lack of proper communication encryption as a serious issue.”