Popular home security system SimpliSafe can be easily disabled by burglars

There's no easy fix and systems need to be replaced, security researchers said

It's not unusual to hear of vulnerabilities in smart-home security systems these days, as security researchers turn their attention to the Internet of Things. It's worrying, though, when a modern security system turns out to be vulnerable to a so-called replay attack, the kind of thing that worked against garage door openers back in the 1990s.

The latest example is SimpliSafe, a wireless alarm system that's marketed as cheaper and easier to install than traditional wired home security systems. Its manufacturer claims that the system is used in over 200,000 homes in the U.S.

According to Andrew Zonenberg, a researcher with security consultancy firm IOActive, attackers can easily disable SimpliSafe alarms from up to 30 meters away, using a device that costs around $250 to create a replay attack.

SimpliSafe has two main components, a keypad and a base station, that communicate with each using radio signals. The base station also listens for incoming signals from a variety of sensors.

Zonenberg found that the confirmation signal sent by the keypad to the base station when the correct PIN is entered can be sniffed and then later played back to disarm the system. Recovering the actual PIN is not necessary, since the "PIN entered" packet can be replayed as a whole.

This is possible because there is no cryptographic authentication between the keypad and the base station.

To pull off the attack, Zonenberg bought a SimpliSafe key pad and base station and then soldered a generic microcontroller board to them. With a few hundred lines of C code the gadget can listen for incoming 433 MHz radio traffic and capture "PIN entered" packets from other SimpliSafe key pads located within 100 feet.

When the owner of a real SimpliSafe system enters the correct PIN, a device like Zonenberg's that's hidden in its vicinity will capture the confirmation packet and will store it in memory. The attacker can use the device to resend the packet to the base station at a later time, for example when the home owner is away. This will disarm the alarm.

Fixing the problem would require SimpliSafe to add authentication and encryption to the system's communications protocol, so that base stations will only accept signals from authorized key pads.

Unfortunately such changes can't be made to existing SimpliSafe systems, because the microcontrollers they use cannot be reprogrammed, Zonenberg said in a blog post Wednesday. "This means that field upgrades of existing systems are not possible; all existing keypads and base stations will need to be replaced."

According to Zonenberg, the attack is inexpensive and can be implemented even by low-level attackers, especially if they pay someone else to build the sniffing device for them. To make matters worse, the manufacturer provides "Protected by SimpliSafe" warning signs that users can display on their windows or in their yards, inadvertently marking their homes as potential targets.

SimpliSafe did not immediately respond to a request for comment.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?