Researcher Claims SimpliSafe Home Security System Is Simply Vulnerable
Friday, February 19, 2016
Maybe you've seen the advertisements on late-night television and cable. SimpliSafe offers a wireless, do-it-yourself home security system that is cheaper than traditional wired systems. IOActive Labs examined the SimpliSafe system and found it was pretty easy to hack and record the alarm disable code, making the system not very secure. Plus the hacker could return in the future at any time and easily disable the system:
"This attack is very inexpensive to implement – it requires a one-time investment of about $250 for a commodity microcontroller board, SimpliSafe keypad, and SimpliSafe base station to build the attack device. The attacker can hide the device anywhere within about a hundred feet of the target’s keypad until the alarm is disarmed once and the code recorded. Then the attacker retrieves the device. The code can then be played back at any time to disable the alarm and enable an undetected burglary, or worse..."
Unfortunately, the bad news gets worse because:
"... there is no easy workaround for the issue since the keypad happily sends unencrypted PINs out to anyone listening. Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol. However, this is not an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable. This means that field upgrades of existing systems are not possible; all existing keypads and base stations will need to be replaced."
Unencrypted PINs sent? Wow! Not good.
IOActive first discovered this vulnerability in August, 2015. The IOActive Labs Security Advisory (Adobe PDF) reported a timeline with the number of instances IOActive labs attempted to contact the vendor without an response. SimpliSafe is not alone. InfoSecurity reported:
"SimpliSafe is not the only home security system in the spotlight of late. Earlier in the year, a vulnerability was discovered in Comcast XFINITY’s Home Security System that could open the door—literally—to intruders."
How did this happen? TrendMicro UK probably said it best last year:
"The Internet of Things has the potential to transform the way we live and work. A network not just of mobile phones, PCs and laptops but billions of connected smart devices – from fridge-freezers to kettles, cars and medical devices. But this potential will never be realized unless manufacturers are able to respond to consumer privacy and security concerns... it’s perhaps no surprise that everyone wants to rush their products out before their competitors. But fail to understand and respect the significant privacy and security concerns of consumers in your region and you’re in danger of falling at the first hurdle."
Manufacturers: don't fall at the first hurdle. Get security right.
After reading published news reports, some SimpliSafe customers expressed their security concerns on the company's customer service forums online. Consumers: if you bought a SimpliSafe home security system, what communications have you received about fixes?
[Editor's note: in the last paragraph, the text link to the company's online customer service forum was added on February 19 at 1:45 EST.]
This is a very concerning read. I'm going to have to dig and find out what resources they now have in place to prevent this in future
Posted by: Alan | Thursday, September 29, 2016 at 03:28 PM