New research suggests alarm system SimpliSafe simply isn't safe
If you watch TV at all, at least in the US, you've likely seen the ads for the latest technologies being pushed to market. While many folks like to be early adopters, there's something to be said for ignoring that pie-in-the-sky pitch and waiting until something has had time on the market and been thoroughly tested.
We recently saw this with the Ring doorbell, a product that continues to run endless TV commercials, perhaps just banking on appealing to the average person who doesn't look into things too carefully. Another one taking up your screen time these days is a new alarm system calling itself SimpliSafe. The problem is, research indicates it may not be living up to its impressive moniker.
Andrew Zonenberg at IOActive reports that, from its testing of the SimpliSafe system, there are some problems, and they are not minor.
There is some background information on how the system works, but the main components are the keypad and the base unit, which communicate in the 433 MHz and 315 MHz range.
Once there was some understanding of how the system works, based on dismantling several units, Zonenberg states "Rather than waste time setting up an SDR or building custom hardware to mess with the radio protocol, I decided to 'cheat' and use the conveniently placed test points found on all of the boards. Among other things, the test points provided easy access to the raw baseband data between the MCU and RF upconverter circuit".
From there the research went on saying "To implement the actual attack I simply disconnected the MCUs from the base station and keypad, and soldered wires from the TX and RX basebands to a random microcontroller board I had sitting around the lab. A few hundred lines of C later, I had a device that would passively listen to incoming 433 MHz radio traffic until it saw a SimpliSafe 'PIN entered' packet, which it recorded in RAM. It then lit up an LED to indicate that a PIN had been recorded and was ready to play back. I could then press a button at any point and play back the same packet to disarm the targeted alarm system".
The snooping system could be created for a one-time $250 investment in the necessary hardware. It was then just a matter of hiding the device somewhere within 100 feet of the targeted home and waiting for the PIN to be transmitted. Then the bad guy is in and the device can move on to the next location.
Perhaps the worst part is that there is no fix, as Zonenberg states, "the keypad happily sends unencrypted PINs out to anyone listening". This can be fixed in future products, but current customers are out of luck as the microcontrollers are one-time programmable, so all current systems will need to be replaced. IOActive contacted the manufacturer but received no response.