SimpliSafe Hacking Vulnerability

Moderator's Note:
You can see our response to these articles here: http://simplisafe.com/blog/our-commitment-to-your-security

Just read this article about how easy it is to hack the SimpliSafe system and disarm the alarm:

msn.com/en-us/money/companies/300000-american-homes-at-risk-for-unfixable-alarm-hack/ar-BBpChNa?li=BBnb7Kz

Great! I just installed one in my home. Haven't posted the yard signs yet and now I don't plan to; no sense letting everyone know I have a vulnerable system! (Maybe I can find some ADT signs to use as a decoy...)

I also did not realize this:

SimpliSafe has also installed a one-time programmable chip in its alarm, meaning there's no chance of an over-the-air update. It means there's no patch coming, leaving all owners without a remedy other than to stop using the equipment...

And this:

SimpliSafe spokesperson Melina Engel told FORBES that it was planning on releasing hardware with over-the-air firmware updates and that customers would be given a discount on those once they are available.

Thanks! Now I have to buy something else to make the system I thought was secure actually secure...

I was just about to post the

I was just about to post the same article when I saw yours. I'd like to know ASAP about the supposed new hardware coming out with the capability for over-the-air firmware updates. The article mentions that current customers will be able to get this hardware at a discounted price. No discounts, SS! Just trade out our equipment for free.

"SimpliSafe spokesperson Melina Engel told FORBES that it was planning on releasing hardware with over-the-air firmware updates and that customers would be given a discount on those once they were available."
(msn.com/en-us/money/companies/300000-american-homes-at-risk-for-unfixable-alarm-hack/ar-BBpChNa?li=BBnb7Kz&ocid=iehp)

Once Simplisafe resolves the

Once Simplisafe resolves the issues, for us folks on hardware that can't be firmware updated, they need to send us out new hardware. I will be keeping tabs on this.

During the interim they

During the interim they should upgrade all users to Interactive Alerts status at no additional charge. IMHO

Scare propaganda, designed to

Scare propaganda, designed to sell magazines. Can SS be hacked? Of course, any system can. Will it be? Not by drug addicts, gang bangers or teens "acting out". As long as you a) don't advertise you have a lot of stuff worth stealing and b) let people know you have SS, the odds of your system being hacked are minuscule.

But not having an Alarm Sign

But not having an Alarm Sign increases the odds that you will have an incident/break in.

I agree with sevensiamesecats

I agree with sevensiamesecats and LHM. I wasn't thrilled with the news either and I certainly will follow to see how SS reacts and will be interested in a new and improved base if the price is right, but I'm not overly concerned. I'm fairly certain that the typical home invasions/break-ins in our area are from the crow bar/break a window/crude variety, not the signal jammer/code stealer/high tech hacker/refined variety.

I read the Forbes article

I read the Forbes article about the potential hole in security. I'm sad to say that I cared less about the vulnerability than I did about the reveal that new hardware is coming. That's how pathetic SS has become about revealing developments to the system (and actually "developing" them). At this point I am actually more interested in a hint of development than I am about the security of my home.

I agree that the chances of

I agree that the chances of my system being hacked are remote.

That is not what annoys me most. What does is the fact that SS would develop and sell a system that is 1) Vulnerable in the first place and 2) Cannot have the firmware updated.

It will probably take a class action lawsuit to get SS to provide current users with the new hardware at no cost...

Selling a system that can be

Selling a system that can be hacked like this? You fault them for that?! Heck, no one can claim that their system can't be hacked. If they tell you that, they're just plain lying to you. There is no such thing as an unhackable system. There are just systems that haven't been hacked yet, with yet being the operative word.

Now, selling a system that can't be updated, I'll agree with you there 100%. To sell a system that can't be updated in this day and age is tantamount to criminal negligence as far as I'm concerned. But that's just my opinion.

This is a serious issue. We

This is a serious issue. We live in an age where electronics are cheap and plans to build scanners are all over the place. I have been in IT for over 25 years and this is incredulous. Using encryption has been very simple and we read in the papers all the time of stores and companies who get hacked because they lack reasonable security protocols. It doesn't have to be RSA TOP-SECRET level encryption, but a simple 256 or 512 cipher would be simple.

Given that you have to be able to read to gain this info, I don't think it will apply to crowbar-wielding smash-and-grab types. However, that does nothing to alleviate my mistrust in a company that sells security systems. It also creates the unnecessary debate of home protection with and without an encrypted PIN. I'm paying a monthly service fee to protect my home from all; now it's reduced to protecting my home from the less sophisticated illiterate troglodytes.

I wonder if ADT uses similar unencrypted wireless technology.

"Can't be updated" is perhaps

"Can't be updated" is perhaps too strong. Having a control chip which cannot be reprogrammed is not "criminal negligence", and in fact may be a good thing for a security system. Now, if it is soldered in place, so cannot be replaced, that would be rather more of a problem.

@sevensiamesecats, well, when

@sevensiamesecats, well, when I said "can't be updated" I was just paraphrasing the article as I recalled and understood it. Looking back at the article, I see it actually says, "SimpliSafe has also installed a one-time programmable chip in its alarm, meaning there’s no chance of an over-the-air update". I could be mistaken, but, to me, one-time programmable chip says "can't be updated".

I'd love to be proven wrong though.

Time will tell.

Here's hoping all the thieves in my area are of the unsophisticated illiterate troglodyte variety.

A one-time programmable chip

A one-time programmable chip "can't be updated". It can, however, be replaced, particularly if it is mounted in a socket.

These stories are funny. ANY

These stories are funny. ANY system can be "hacked". Yet another reason to NOT advertise your SS system.
Have you seen the story of the guys that hacked a Jeep's computer with a wireless signal? Is everyone freaking out and leaving their cars parked for fear of being hacked? No.
Most robberies are a quick smash and grab job. They don't care about taking the time to purchase equipment, wire up some electronics, sit around your house waiting for you to arm and disarm the alarm enough to capture a PIN, then sneak in and rob you. No, they'll just kick in a door or smash a window, grab some stuff and be gone.
This is also a reason for a 3rd party camera. My Foscam has its own alarm schedule and notifications, regardless of my alarm system status.

Here is their response to my

Here is their response to my inquiry. I have removed the names to protect the innocent.

-------------------------------------------------
Hello,

Thanks for writing in. As our systems use wireless technology, there is an understandable concern over the potential to hack or jam our signal. Much of it comes from a certain video online that fails to depict the equipment used or the number of attempts made to compromise that signal. While any wireless system is susceptible to this type of attack from a sufficiently savvy and motivated intruder, our systems can be backed up with a land line or an internet connection for no additional cost. Also, this type of attack represents such a small percentage of total break-ins that the FBI does not even keep a count. This is because the majority of break-ins are a quick forced entry and not the sophisticated type of attack that requires diligent planning as well as highly illegal and cost-prohibitive equipment. Assuming an intruder has the requisite technology, he would need to know the frequency ranges he needs to jam, and also know the layout of your home beforehand, as he would have to avoid motion detectors even in the unlikely event that he bypassed a door sensor. Furthermore, our systems use a proprietary algorithm that helps the system distinguish between everyday interference from nearby household electronics, and unusual, possibly targeted interference. Our interactive monitoring plan for $24.99/month can be set up to notify you if your system detects abnormal RF interference. Ultimately, no system is impenetrable, and it would be unfair for us or any company to tell you otherwise, but SimpliSafe has measures in place to protect you against this type of intrusion, and with the likelihood of cellular jamming being as slim as it is, the odds are more than in your favor.

Cheers,
******
-----------------
SimpliSafe, Inc. Live. Safely
customer-support@simplisafe.com
1-888-95-SIMPLI (1-888-957-4675)

Discussion Thread:

Currently there are postings of security issues with SimpliSafe:

theregister.co.uk/2016/02/17/simplisafe_wireless_home_alarm_s...

We are now discussing this on the forums and I was curious if you have any formal response to this?

Regards,
******


Better links on this

Better links on this issue:

blog.ioactive.com/2016/02/remotely-disabling-wireless-burglar.html

ioactive.com/pdfs/IOActive_Advisory_SimpliSafe-Replay.pdf

It's disappointing that the researcher tried multiple times to contact the company and didn't receive a response.

I would say that the response that the gear required to do this is "highly illegal and cost-prohibitive" is inaccurate.

This would seem to be bad protocol design and "security through obscurity" which never works in the long run.

The article posted by Unibass

The article posted by Unibass refers to someone jamming the cellular signal, not intercepting the PIN transmission between the keypad and base station. The question I have is: what do the key chain remotes use to arm/disarm the system, and can that also be intercepted? They clearly don't use the PIN, as there is no way to update the key chain remote when you change the PIN and it still works. So is just using them instead of the keypad a viable workaround until the issue is fixed?

dsmmrm, ahh. - fair point and

dsmmrm, ahh, fair point and good question. I would argue that anyone using a wireless system should understand and accept that signal jamming is always a risk. If you don't want to accept that risk, go to the trouble of wiring everything together. Not using basic/off-the-shelf crypto to secure communication used for control is a pretty bad design flaw.
Regarding the keychain remote, I would assume that the serial number of the remote is stored as part of the live configuration and that the serial number becomes implicitly trusted. Presumably if you could forge or replay traffic from that trusted remote, you'd be able to disarm. **Note: this is pure speculation on my part regarding the operation of the remote**

Coupled with the perpetual

Coupled with the perpetual delay in availability of a camera, this speaks volumes for the units' design shortcomings. Even though simple electronics can be assembled to intercept and play back the codified control signals from the keypad, it would require the recorder to be in fairly close proximity. The keypad is expected to be within 100ft of the base. So, the snoop would need to be just about within sight. Anyone planting a recorder for this purpose would need to be pretty sophisticated and think that the contents of the property are worth that type of planning. Seems pretty slim to me; what am I missing?

Bigger concern is the security of the remote internet to cell signal arm/disarm functions. I didn't read any mention of how or if the cell signal is sent (encrypted) to the base. Does anyone have any information on that? This could be the biggest vulnerability, as the units could be hacked en masse and all profile data, including the location of the hacked unit, compromised and sold on the open market. I hope this can be thoroughly explained by Simplisafe before this business and our investments all go down the drain.

Please, Simplisafe, give us the facts, and don't sugar-coat them. The explanation that I read in the post from unibass doesn't make much sense.

So what if you arm and disarm

So what if you arm and disarm your alarm via mobile device like iPhone for the time being?

Would this prevent sniffers on that frequency?

@vinhbm, SimpliSafe has said

@vinhbm, SimpliSafe has said so in comments to CNet apparently (emphasis mine):

Melina Engel, SimpliSafe's VP of Marketing, points out that each system includes a log entry each time you enter your passcode, and says that SimpliSafe has no record of customers reporting break-ins with logs that show an unexplained disarm event prior to the burglary.

Engel also notes that disarming the system using the web or app interface would not be exploitable by the IOActive method.

"All major alarm systems face similar concerns. Nonetheless, we are actively working to address [them]," Engel said, adding that SimpliSafe is updating its hardware to include remotely upgradeable firmware.

From cnet.com/news/researchers-claim-they-can-remotely-disable-simplisafes-wireless-security-system/

They don't say it couldn't be exploited in another manner, but it seems less likely since that is done over a cellular network, which I suppose would have its own security as well. I tried using all functions of the iPhone app and it works and provides every option that the keypad does with regards to arming/disarming the base unit. The app is also secured by its own PIN and/or fingerprint ID. I even took a battery out of the keypad and it all still worked, though the chirps given by the external signal indicating a pending alarm did not function without the presence of the keypad in the system.

Thanks. I didn't know they

Thanks. I didn't know they made that comment.

I will be using my mobile device until they release new hardware which we have to pay again to fix this issue. Hopefully they will have a resolution soon.

cheers

I also would like to see a

I also would like to see a response to the below question.

dsmmrm says:

The article posted by Unibass refers to someone jamming the cellular signal, not intercepting the PIN transmission between the keypad and base station. The question I have is: what do the key chain remotes use to arm/disarm the system, and can that also be intercepted? They clearly don't use the PIN, as there is no way to update the key chain remote when you change the PIN and it still works. So is just using them instead of the keypad a viable workaround until the issue is fixed?

Regarding the few issues I

Regarding the few issues I have had since ordering my system, I have thus far, been satisfied with the resolutions.

However, that does not mean that this news is not of great concern to me. I just purchased my system, four months ago. To be expected to purchase a new and better system (as a proposed resolution to a company problem mind you) makes me a tad bit upset.

Another issue I have is with the (presumed) amount of systems sold over the holiday, at a major price reduction, and there has yet to be an increase in the hours customer service is available. That does not sit well with me - at all. To (again, presumably) be raking in such profits, but not putting them toward more customer service employees and expanded customer service/help hours, is a potentially troubling direction to see a company go in.

I am certain all of those new customers (who received a really great deal on the price of the Best Selling Package) are going to be quite heated when realizing they just purchased an alarm with the knowledge that SimpliSafe is going to require a new system to be bought to replace it, due to known security flaws.

I cannot overlook this with the positivity, comfort, or optimism, some others, have.

I got the same stock reply

I got the same stock reply that unibass received. This was my reply:

---------------------------------------------------------------------------------------------

> Our interactive monitoring plan for $24.99/month can be set up to notify you if your system detects abnormal RF interference.

So, to protect against a vulnerability in the equipment I've been using for years, according to you I need to pay more to protect against it?

> Assuming an intruder has the requisite technology, he would need to know the frequency ranges he needs to jam

> and with the likelihood of cellular jamming being as slim as it is, the odds are more than in your favor.

This is not a jamming attack. This is creating a device that can duplicate a correct PIN recorded from the keypad as it is sent to the base station. If you had followed the link in the article, you would've found that the frequency is easily found by connecting to a keypad:

blog.ioactive.com/2016/02/remotely-disabling-wireless-burglar.html

As the signal is transmitted across the 433 MHz band in the clear, not encrypted, it can easily be identified as a PIN entry and recorded.

-------------------------------------------------------------------------------------------------

IMO, we should receive at least new base stations and keypads that use encryption, for free, no questions asked. The motion sensors are potentially vulnerable too. And the idea that we should have to pay for new equipment that allows for additional firmware updates is absurd.

I shouldn't have to trade in my equipment for a fee, nor should I need to pay for a higher monitoring plan to protect against potential jammers. (Although, that is not what this particular vulnerability is about.)

This is a design flaw and needs to be rectified, at no cost to customers.
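Added example, not code from the thread, from IOActive or from SimpliSafe: a toy Python model of the two designs argued over above. Version 1 is the pattern the last post describes (device id, command and PIN digits sent in the clear, so one recorded disarm frame works forever). Version 2 is the "basic/off-the-shelf crypto" the thread asks for: a per-device key set at pairing, a monotonic counter, and a truncated HMAC-SHA256 tag that covers the PIN without putting it on the air. The same frame format also answers dsmmrm's key-chain remote question: a remote carries no PIN and is authenticated by its own key and counter, so it is neither a plaintext serial number to replay nor a second way in. The frame layouts, device ids, PIN 2580 and pairing keys are all constructed for the demo and assume nothing about SimpliSafe's real radio protocol.

```python
from __future__ import annotations
import hashlib
import hmac
import struct

# Constructed model of two keypad->base frame formats. Not SimpliSafe's real
# protocol; it only illustrates the replay problem the thread argues about.
DISARM, ARM = 0x01, 0x02

# ---- v1: device id, command and PIN digits sent in the clear (replayable) ----
V1_FMT = ">IB4s"

def v1_frame(device_id: int, cmd: int, pin: str) -> bytes:
    return struct.pack(V1_FMT, device_id, cmd, pin.encode())

def sniff_pins(capture: bytes) -> list[bytes]:
    """What a passive receiver on the band yields: every frame, PIN included."""
    size = struct.calcsize(V1_FMT)
    return [capture[i:i + size] for i in range(0, len(capture) - size + 1, size)]

class BaseStationV1:
    def __init__(self, pin: str, paired: set[int]):
        self.pin, self.paired, self.armed = pin, paired, True

    def receive(self, frame: bytes) -> bool:
        device_id, cmd, pin = struct.unpack(V1_FMT, frame)
        if device_id not in self.paired or pin.decode() != self.pin:
            return False
        self.armed = cmd == ARM          # a recorded frame passes this check forever
        return True

# ---- v2: per-device key, monotonic counter, truncated HMAC; PIN never on air ----
HDR_FMT, TAG_LEN = ">IIB", 8   # device id, counter, command | 64-bit tag

class Transmitter:
    """Keypad (mixes the PIN into the tag) or key-chain remote (pin='')."""
    def __init__(self, device_id: int, key: bytes, pin: str = ""):
        self.device_id, self.key, self.pin, self.counter = device_id, key, pin, 0

    def frame(self, cmd: int) -> bytes:
        self.counter += 1                # must be persisted across power loss
        header = struct.pack(HDR_FMT, self.device_id, self.counter, cmd)
        tag = hmac.new(self.key, header + self.pin.encode(), hashlib.sha256).digest()
        return header + tag[:TAG_LEN]

class BaseStationV2:
    def __init__(self, pin: str, devices: dict[int, tuple[bytes, bool]]):
        # devices: id -> (shared key set at pairing, whether a PIN is required)
        self.pin, self.devices, self.armed = pin, devices, True
        self.last_counter = {d: 0 for d in devices}

    def receive(self, frame: bytes) -> bool:
        hsize = struct.calcsize(HDR_FMT)
        if len(frame) != hsize + TAG_LEN:
            return False
        header, tag = frame[:hsize], frame[hsize:]
        device_id, counter, cmd = struct.unpack(HDR_FMT, header)
        if device_id not in self.devices:
            return False
        key, needs_pin = self.devices[device_id]
        secret = self.pin.encode() if needs_pin else b""
        expected = hmac.new(key, header + secret, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                 # forged, tampered, or wrong PIN
        if counter <= self.last_counter[device_id]:
            return False                 # replayed or stale frame
        self.last_counter[device_id] = counter
        self.armed = cmd == ARM
        return True

def demo() -> dict[str, object]:
    r: dict[str, object] = {}
    # v1: one capture of a legitimate disarm is enough
    base1 = BaseStationV1("2580", paired={0x1001})
    capture = v1_frame(0x1001, DISARM, "2580") + v1_frame(0x1001, ARM, "2580")  # constructed
    disarm = sniff_pins(capture)[0]
    r["v1_pin_visible"] = disarm[-4:].decode()
    r["v1_replay_disarms"] = base1.receive(disarm) and not base1.armed
    # v2: same attacker position, same capture, no pairing key
    kp_key, rm_key = bytes(range(32)), bytes(range(32, 64))   # constructed pairing keys
    keypad, remote = Transmitter(0x1001, kp_key, pin="2580"), Transmitter(0x2002, rm_key)
    base2 = BaseStationV2("2580", {0x1001: (kp_key, True), 0x2002: (rm_key, False)})
    f = keypad.frame(DISARM)
    r["v2_live_ok"] = base2.receive(f) and not base2.armed
    base2.armed = True
    r["v2_replay_rejected"] = not base2.receive(f) and base2.armed
    forged = bytearray(f)
    forged[7] = (forged[7] + 1) & 0xFF   # bump the counter without the key
    r["v2_forge_rejected"] = not base2.receive(bytes(forged)) and base2.armed
    rf = remote.frame(DISARM)            # remote: no PIN, still per-device key + counter
    r["v2_remote_ok"] = base2.receive(rf) and not base2.armed
    base2.armed = True
    r["v2_remote_replay_rejected"] = not base2.receive(rf) and base2.armed
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points the code makes explicit. The base keeps the last accepted counter per device and both sides must store it in non-volatile memory, otherwise a power cycle reopens the replay window; and the tag is checked with `hmac.compare_digest` before the counter is consulted, so an attacker learns nothing from timing about where a guessed frame failed. Neither version does anything about jamming, which is a separate problem from the replay the thread is about.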