A security system used in more than 200, 000 homes has an unfixable flaw that allows tech-savvy burglars to disarm the alarm from as far away as a few hundred feet.
The wireless home security system from SimpliSafe is marketed as costing less than competing ones and being easier to install, since it doesn't use wires for one component to communicate with another. But according to Andrew Zonenberg, a researcher with security firm IOActive, the system's keypad uses the same personal identification number with no encryption each time it sends a message to the main base station. That opens the system to what's known as a replay attack, in which an attacker records the authentication code sent by the valid keypad and then recycles it when sending rogue commands transmitted over the same radio frequency.
"Unfortunately, there is no easy workaround for the issue since the keypad happily sends unencrypted PINs out to anyone listening, " Zonenberg wrote in a blog post published Wednesday. "Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol. However, this is not an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable. This means that field upgrades of existing systems are not possible; all existing keypads and base stations will need to be replaced."
The hack required about $250 (£175) worth of commodity hardware to build a microcontroller and a few hundreds lines of code to make it communicate with the SimpliSafe base station. With that one-time investment out of the way, an intruder would then hide the device within a few hundred feet of the SimpliSafe base station and wait for the owner to activate or deactivate the alarm. The attacker could later replay the captured PIN along with a deactivation command to prevent the alarm from sounding during a home break in.
Zonenberg said he made attempts through multiple channels to alert SimpliSafe officials to his findings and never received a response. According to the company's LinkedIn page, the system is used in more than 200, 000 homes. Update: In an e-mail sent after this Ars post went live, a SimpliSafe official wrote:
While any wireless system is susceptible to this type of attack from a sufficiently savvy and motivated intruder, our systems can be backed up with with a land line or an internet connection for no additional cost. Also, this type of attack represents such a small percentage of total break-ins that the FBI does not even keep a count. This is because the majority of break-ins are a quick forced entry and not the sophisticated type of attack that requires diligent planning as well as highly illegal and cost-prohibitive equipment. Assuming an intruder has the requisite technology, he would need to know the frequency ranges he needs to jam, and also know the layout of your home beforehand, as he would have to avoid motion detectors even in the unlikely event that he bypassed a door sensor.