According to a blog post published Wednesday by IOActive researcher Andrew Zonenberg, a clever and digitally savvy thief would be able to disable a SimpliSafe alarm relatively easily, and from quite a distance away. In fact, intruders could be up to 100 feet removed from your home and still be able to deactivate your security system, creating an in for themselves. More frightening still, Zonenberg writes, “This attack is very inexpensive to implement — it requires a one-time investment of about $250 for a commodity microcontroller board, SimpliSafe keypad, and SimpliSafe base station to build the attack device.” So basically, the intruder would be able to use the security system to … disarm itself.
So is there any solution to this massive flaw? Apparently not, the security expert writes.
“Unfortunately, there is no easy workaround for the issue since the keypad happily sends unencrypted PINs out to anyone listening,” Zonenberg says. “Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol. However, this is not an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable. This means that field upgrades of existing systems are not possible; all existing keypads and base stations will need to be replaced.”
Yikes.
SimpliSafe has responded to IOActive’s criticisms by noting, “While any wireless system is susceptible to this type of attack from a sufficiently savvy and motivated intruder, our systems can be backed up with a land line or an Internet connection for no additional cost.” The company also claims that the sort of attack described by the blog “represents such a small percentage of total break-ins that the FBI does not even keep a count.”
SimpliSafe continues, “This is because the majority of break-ins are a quick forced entry and not the sophisticated type of attack that requires diligent planning as well as highly illegal and cost-prohibitive equipment. Assuming an intruder has the requisite technology, he would need to know the frequency ranges he needs to jam, and also know the layout of your home beforehand, as he would have to avoid motion detectors even in the unlikely event that he bypassed a door sensor.”
So better hope your burglars aren’t so tech savvy, or replace your alarm system.
