Keychain Remote USB Security Update

Recently, a security researcher helped us identify a potential vulnerability in our Keychain Remote USB software that would make it feasible for someone with physical access to your Keychain Remote USB to extract your system configuration settings through a series of steps involving computer software tools. Even though, over the years, we have had no reports of any home break-ins as a result of this finding, we feel it is important to share this information.

We are also taking this opportunity to remind our customers that your Keychain Remote functions just like a “key.” It is a convenient way to arm and disarm your alarm system, but it is important to keep your USB Keychain Remote safe and secure so that it does not fall into the wrong hands.

Meanwhile, as an additional safety measure, we are providing a software update to the Easy Setup Wizard to patch the issue. Instructions on how to get the update are at the bottom of this article. Non-USB Keychain Remotes are not impacted.

Overview

If you used the Keychain Remote USB device to configure your system, your settings are stored on the USB device. If someone were to get physical access to your Keychain Remote USB, they could plug it into a computer and use tools to read your configuration settings, such as your PIN(s) and the serial numbers of your sensors. However, this person would not be able to access your safe word or any personally identifiable information, such as name and address.

With the sensor serial numbers, a malicious user could program them into their own SimpliSafe system and, if they positioned their system close enough to your house, they could pick up signals from your sensors. This may be a privacy and security concern for customers.

Your Keychain Remote USB configuration settings cannot be accessed remotely, wirelessly, or by momentarily seeing or handling your Keychain Remote USB. We closely monitor all cybersecurity risks and have no evidence that anyone has ever used a cybersecurity vulnerability to break into a home protected by one of our systems.

What devices are of concern?

Version 1 and Version 2 Keychain Remotes with a USB port are affected; Keychain Remotes without a USB port are not.

USB Keychain Remote

What can I do to protect my configuration information?

  • Never give your Keychain Remote to an untrusted person. Protect it the same way you protect your house keys.
  • Use a Non-USB Keychain Remote or our Mobile App to arm/disarm your system.
  • If you ever lose your Keychain Remote, change your PIN and remove the lost Keychain device from your system.
  • Email software-update@simplisafe.com and we will provide (Mon - Fri, 9am to 5pm ET) a personalized step-by-step plan on how to download, install, and use an updated version of the Easy Setup Wizard configuration software, one that clears the data from the USB device when not in use.

Credit

We thank Nick Delewski of Spirent Communications for disclosing the information to us in order to help SimpliSafe improve the security of our product. Nick contacted SimpliSafe in Feb ’17 and again in July ’17 to disclose his findings. We are grateful to partner with Nick and the security community as a whole to ensure our systems and our customers are always safe and secure. If you would like to submit a security-related question and/or concern, please reach us at security@simplisafe.com.