Our Commitment to Your Security

On Wednesday, the consulting firm IOActive wrote a blog post about SimpliSafe, suggesting that a determined attacker could intercept a SimpliSafe wireless communication and use it to disarm the system. We’d like to clarify a few important points:

  • The hack described is sophisticated and highly unlikely. IOActive purchased specialized equipment and programmed a chip by writing custom code. Once programmed, the equipment would need to be within close proximity of the alarm system and in use the moment the system is disarmed by an authorized user.
  • We have not received any reports of anyone attempting this attack on our system outside of a controlled testing environment.
  • We are also not aware of this happening to the systems of other major home security providers that use similar technology.

Nothing is more important to us than the security of our customers, and we take all potential vulnerabilities seriously. While we believe that the scenario described in the report is highly unlikely to occur, we are diverting engineering resources to investigate. In the meantime, we are not recommending any action on your part. However, if you are concerned, here are some steps you can take to optimize the security of your home:

  • Change your PIN code regularly. This is a good security practice regardless.
  • Monitor notifications of your alarm being disarmed for any unexpected activity.
  • Take note of any suspicious person or unidentified equipment located very near to your home as you come and go, as the concern raised requires close proximity.
  • If you have our Interactive plan, disarm your system with your smartphone or webapp, which bypasses this issue.

Of course, like all security systems, ours is not infallible. But we believe that SimpliSafe offers outstanding protection against real world problems, addressing the common ways that alarms are attacked. In designing our system, that’s what we’ve focused on preventing. For example:

  • 1 in 5 burglars cut alarm or telephone wires before breaking in. Our system uses a cellular connection that can’t be physically cut.
  • Burglars often smash keypads to try to prevent alarm signals from being sent. We separated the alarm signal from the keypad to mitigate this tactic.
  • Our monitoring service has six redundant monitoring centers to reduce the risk that local catastrophes might affect your coverage.
  • If an intruder disables your power or there is an outage, SimpliSafe’s battery backup is designed to continue to power your system.

The security of our systems is our top priority. We protect our own families with SimpliSafe. If you have any remaining concerns, we encourage you to give us a call (800-297-1605) and feel free to ask to speak to a supervisor.

One final note: we were not made aware of this issue until this week. IOActive tried to contact us via one of our employees on LinkedIn. To make it easier for security researchers to notify us going forward, we have set up a dedicated email address for them to reach us at: security@simplisafe.com.

*

*

Vulnerability dismissed.

Vulnerability dismissed. Inability to update current systems to counter future vulnerabilities ignored. Bullets dodged.

Well played, SS.

Nice post. Short concise, a

Nice post. Short concise, a bit sarcastic. Like your style.

This is where SS posts that on Sunday evening, (no "what year" jokes please) 8PM eastern, the director of product development will be hosting a one hour live webinar on the announcement, countermeasures a customer can consider and what SS is considering for proactive solutions, when they will be available etc. A recorded copy will then be posted at the SS resource center that can be viewed at registered customer's leisure.

If this isn't sarcasm, I don't know what is.

Thanks, Captain11. I like

Thanks, Captain11. I like your style as well. :-) But I wouldn't characterize your post as sarcasm. It reads more like a fairy tale to me.

I'm highly disappointed that

I'm highly disappointed that a fairly new system was created without the firmware / software being upgradeable to fix bugs like this. I just recommended this to someone recently as well. They are more than annoyed that they will have to likely replace the base station and keypads in the near future if/when an updated hardware model comes out.

Change your PIN code regularly. This is a good security practice regardless.
- The system is limited to a 4-digit pin. Having to use a new 4-digit pin every few months would cause a lot of confusion when you have multiple family members in the house dis-arming the system.

Monitor notifications of your alarm being disarmed for any unexpected activity.

- This entails babysitting your home alarm system.

Take note of any suspicious person or unidentified equipment located very near to your home as you come and go, as the concern raised requires close proximity.

- The article said someone could be within 100-ft range of your home. So, it could be your neighbor across the street or next door in the privacy of their own home listening for your pins.

Seems to me that some bad

Seems to me that some bad engineering (or 'cheap') was done by SimpliSafe. I've used and recommended SS, but this is a major fail and will no longer recommend SimpliSafe. The hack is not sophisticated, contrary to the SS statement, for anyone with a rudimentary ability to copy some simple instructions that are now, obviously, public. SS management, you have placed my family and others at risk and not really 'owned' it.

Firstly, hackers have to know

Firstly, hackers have to know you have SS. Secondly, hackers have to know if you have anything worth stealing. Just because this issue became public certainly does not mean hackers are going to swarm Radio Shacks for the items they need. Just a whole lot of paranoia and just means for some to blow off steam. This issue affects other systems as well. Probably more of a chance of getting mugged or carjacked than someone burglarizing a SS user.

@michaelsc 100% agree.

@michaelsc 100% agree.

Thanks Hondaman88. Also,

Thanks Hondaman88. Also, thanks for the help you have given me in the past with your posts. I am sure others are very appreciative as well.

100' is under "ideal"

100' is under "ideal" situations. Every wall or obstruction between your component and the hacker cuts that range down. So the neighbor would probably have to be in his yard, and the stranger in a car with open windows in order to maximize the chances of a successful hack.

@yccs1, congratulations. You

@yccs1, congratulations. You have managed to keep your eye on the big picture. Like you, I am highly disappointed that a fairly new system was created without the firmware / software being upgradeable to fix bugs like this. Worse still, if SS doesn't address this issue (and they certainly seem to have sidestepped it in their announcement), this bug and any future bugs that may be discovered could remain permanently embedded in your system.

There's a light of sorts at the end of the tunnel, however. If you review the Forbes article, you'll notice that SS's spokesperson, Melina Engel, mentioned that SS was planning on releasing hardware with over-the-air firmware updates. All you'd have to do to take advantage of this new feature is purchase various pieces of your system all over again. But at least you'd be able to do that at a discount. Melina didn't give a date for when the new hardware would become available.

Feel better now?

I'm disappointed myself, as

I'm disappointed myself, as I've recommended this system to others and have been very happy with it otherwise. Can't do that anymore.

It's probably true that the practical danger isn't extremely high, but it's very difficult to be sure. It's enough to take down my sign at very minimum.

A few things concern me:

1) The fact that this is an IoT device that cannot be software updated to address a security issue. Security issues should have been expected, people have been worried about IoT and security for years, the ability to update software is just an absolute requirement.

2) The fundamental nature of the flaw makes me wonder what ELSE hasn't been looked at - security of the website, for example.

3) The response "The hack described is sophisticated and highly unlikely." Similarly "sophisticated" exploits are actively in use to break into cars.
http://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-elect...

4) The response, "We are also not aware of this happening to the systems of other major home security providers that use similar technology." No competitor has to implement their system insecurely without authentication, it's not like the very nature of being wireless means you must be insecure.

There seems to be a

There seems to be a prevailing belief that the hack is extremely complicated or requires very specialized equipment. That's simply not true. Discovering the vulnerability required a certain level of expertise and diligence, but exploiting it given the now available instructions is relatively easy and becoming easier all the time. Already, there's another variant based on software-defined radio that requires nothing more than a $100 USB dongle that you can legally purchase online and some readily downloadable software. In another week or two, the whole thing will be packaged up with step-by-step instructions an idiot could follow.

Given that the exploit can be performed from hundreds of feet away, cracking simplisafe systems is about to become a sport. Having simplisafe yard signs or stickers has gone from having mild deterrent value to an advertisement of relatively easy access to a home that someone considered worth protecting with a security system.

At the very least simplisafe should be contacting owners to advise them to remove the signs. The system will then retain its value as a post-incursion deterrent, for a while at least. Since unlocking via the app does not yet have known vulnerabilities, it would be the decent thing to provide the capability without charging extra for the interactive system.

See, for example:

See, for example: greatscottgadgets.com/2016/02-19-low-cost-simplisafe-attacks/

"If you have our Interactive

"If you have our Interactive plan, disarm your system with your smartphone or webapp, which bypasses this issue."

I thought I bought a secure security system with monitoring for $14.99 per month as advertised. Apparently not.

I can tell you that the

I can tell you that the issues some are making out to be as "highly improbable" and "extremely complex" (concerning a burglar implementing the exploits of this hack) are all legitimate problems for me.

I think sometimes others need to not simply think of their own exact situations when it comes to obstacles. Because for every, "oh you are paranoid and here is why" comment, I can literally respond with a reason why it very well could affect someone - including myself.

The only reason I have not detailed the aforementioned is because it would only be giving burglars a possible guide to a home such as my own (and others like it). There is no need to make utilization of the exploit any easier for those looking to take advantage of it.

pnf and Shiherlis I

pnf and Shiherlis I completely agree with you. Every day that goes by without a fix is another day this vulnerability becomes less sophisticated. I don't care if I have the only SS system in the country. The vulnerability has been exposed and the detailed instructions to perform the hack are soon to be available for anyone to download. This is not about being paranoid. This is about a company not stepping up and taking responsibility. I don't care if every other security system has this or some other vulnerability. The fact is MY SS system has the vulnerability. I would have the same concerns regardless of the company.

Then instead of whining about

Then instead of whining about this, hire an attorney. SS is not going to "step up" because you posted. I understand the frustration, but if you really want to resolve this, get legal help and then move to another company.

johnoreilly91 are you serious

johnoreilly91 are you serious or just another SS employee trying to calm the masses? These forums are for SS customers and potential customers to comment as they see fit to solicit feedback. I suggest you just stay off and don't read the posts if you don't like what you see.

I have an SS system, for 2

I have an SS system, for 2 years now. Instead of spending your time posting this crap, get legal help, if you feel you have been victimized, then move to another company. You guys sound like a bunch of gossip mongers who offer no real solution. Just complainers.

I'm sorry it seems that way

I'm sorry it seems that way to you. Actually, I feel very much vested in the success of the Simplisafe community, which includes both the company and its customers. Currently, there's a vulnerability that affects every owner of the system and could easily snowball to affect the viability of Simplisafe as a business. Yes, it's clear what personal remedies are available to an individual dissatisfied customer, but I'd kind of like to see everyone come out of this debacle safely.

Folks, this is not a new

Folks, this is not a new issue, and SS should not need to "investigate it" or whatever they said. There is no doubt that the people who designed it and maintain it know all about this. If they don't then they are incompetent, and no one is that incompetent. It's just that simple.

Over a year ago I bought SS on the recommendation from a friend of mine who had been using it. We're both engineers and we both knew about this "issue" when I bought my system. A few weeks later I played around with some toys I had sitting around in my basement, confirmed it and knew it could not be fixed. My friend and I laughed about SS having deployed it, and didn't think much of it after that.

Frankly, the "issue" is actually a bit worse than what has been published. I knew all this and still, I kept my system and I even recommended it to my mom. Why?

1 - There is no reason for me to believe that a sophisticated burglar is going to target my home. I don't have anything specific that can't be stolen from my neighbors, so burglars are going to move to the next house without an alarm.

2 - From an engineering standpoint, this attack is unsophisticated. From an average person standpoint, it is fairly sophisticated. While it can be performed with off the shelf hardware (but not from Radio Shack - at least not all of it) it still requires custom software and a somewhat knowledgeable user. Yes, I could build a device and sell it to burglars, but again, it's easier for burglars to move on to the next house.

3 - It's cheap. My attraction to SS was its price and its low monitoring cost. Given items 1 and 2 above, I decided that the security was good enough at the cost I was paying.

4 - It's easy and inexpensive to expand.

5 - I saw this "issue" as an opportunity to interface SS with other devices and systems in my home, which I did do.

All that said, these factors apply to me. I suspect they apply to most people, but everyone has to make that choice. And when you make that choice, consider a few things:

1 - SS can not completely fix this "issue" without replacing every piece of hardware in your system. They can mitigate it by replacing some parts (the more expensive ones) but a complete fix means all new hardware.

2 - Any new hardware that "fixes" this issue is, for several reasons, going to be more expensive than the existing hardware, including the most basic sensors.

3 - Many other wireless alarm systems suffer from this or similar issues. And so do other things.

4 - If you are under a specific threat or are likely to be a target for burglary by people with a strong motive and resources to get into your home, then you probably should look at a new system. But in that case, carefully research any system you consider. Determined, motivated attackers are going to get in.

5 - Short of item 4, like many things in life, it's a cost / feature analysis. You can spend a lot more to eliminate this risk, but do you need to? Really?

Personally I think the best "fix" for this "issue" is to not advertise that you have SimpliSafe in your home. I don't.

Just my 2 cents, YMMV, good luck.

Thanks for your wonderful

Thanks for your wonderful post jim_58. I definitely agree with most, if not all points in your post. I definitely agree with your best fix. I have not installed the yard sign or window stickers yet and don't intend to. Don't get me wrong. I think a yard sign and window stickers saying your house has a monitored security system may be a good deterrent. I just don't think it's a good idea to advertise which system. Besides, without some kickbacks, I have no incentive to advertise for SimpliSafe.

jim_58 would you provide

jim_58 would you provide reference for this issue not being new? Besides being non-sequitur, the not new argument is not supported by Simplisafe in the original post at top.
Suppose the issue was not new? Then it would be even worse; that it was not fixed yet, IMO.
My concern relates to greatscottgadgets.com exploits entitled, Low Cost SimpliSafe Attacks. Using a cheap commercially available radio.
This one should be straight forward for script kiddies to deploy, when and if word and exploit kits get out.
What else I read is that the PIN from the SS keypad to the base unit is readable over the air. I feel that is not good. Maybe the SS engineers thought an uncommon encoding protocol would provide security by obscurity. But that is thinking like an electrical engineer, not a computer science person. From a design standpoint, readable pass code is poor practice. Encryption of comms / passcode is not rocket science, but it would add cost.
Also, it is news to me that SS firmware is not upgradable. Didn't do my homework. Seems to me that firmware upgrade is 1. A challenge for white hat hackers. 2. Indication that Simplisafe's business model could be planned obsolescence, IMO.
For just a little more $ I could have gotten equipment from a different manufacturer, installed it myself and signed up for third party monitoring. But it would not be as easy as SS.
My option to send the system back for refund ended last month. If I could, I would choose something else now.
I don't feel I was ripped off or anything. I'm just disappointed.

I feel the SS system still has utility. My opinion has changed from SS being a good value to being cheap.

With what is thought to be

With what is thought to be known in this forum on this issue, does the below statement by SS have any validity? Please advise.

"If you have our Interactive plan, disarm your system with your smartphone or webapp, which bypasses this issue."

I have not seen any

I have not seen any indication that the PIN is "not encrypted". It appears the problem is that the communications package is "static" and so can be recorded and played back.

When I say that the issue is

When I say that the issue is not new, I mean that the "issue" (if it is an issue, and depending upon exactly what aspect of the published reports or the system we're talking about) has existed from the very creation of the product. It works this way by design, probably to reduce cost. If you think about it, knowing that at least some of the equipment is not field upgradeable, the issue must have always existed and can not be "fixed" without replacing some or all of the hardware. The only difference is that people started to publish it.

I think this is a little beyond script kiddies, and I still think that this is fine for the average home. Again, if you have reason to believe that your home is a target and that there are motivated people who will try to get in, then perhaps a much more elaborate system is appropriate.

Regarding the suggestion from

Regarding the suggestion from SimpliSafe quoted above, based upon what I know about the system, my opinion is that if someone has the equipment and / or skill, this recommendation is not an effective countermeasure, nor is routinely changing your PIN.

The PIN is not encrypted, but

The PIN is not encrypted, but it does require some decoding.

I'm not saying that is not

I'm not saying that is not the case, but the fellow who wrote the article seems to indicate he "couldn't" (or at least didn't) decode it.

I think they were

I think they were incompetent.

jim_58,
I'm an engineer too. I agree with most of your points except the one that you make saying that Simplisafe considered this attack vector. I would assert that they didn't. And I would base that on the fact that it is not that hard to protect against (or at least make very difficult).

Do you have an automatic garage door opener? How often do you hear about burglars using replay attacks to break into garages to get access to a house? And how much cost is in the controllers for that garage door opener? Yeah, not very much.

Garage door openers use what they call "rotating codes". Essentially, they don't transmit the same data pattern every time. If the Simplisafe engineers gave it a little thought, they could have upped the level of their security to the level of a garage door opener with almost no cost. They already have microcontrollers in both the keypad and the base. The algorithms aren't that complicated. A little extra code and we wouldn't be talking about this.

I guess I keep my Simplisafe for the reasons you stated. But I'm very disappointed. It's a cheap system and all the connotations that go with being a cheap system.
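The rotating-code idea from the post above, as an added example that is not part of the original thread and not SimpliSafe's or any opener vendor's code: a base station that accepts a fixed disarm frame also accepts a recorded copy of it, while a frame carrying a counter and a keyed MAC is rejected on replay. The frame layout, shared key, PIN, tag length and acceptance window are all assumptions, and HMAC-SHA256 stands in for whatever cipher a real rolling-code product uses.

```python
import hashlib
import hmac
import struct

COMMAND = b"DISARM"
TAG_LEN = 8    # truncated HMAC tag; an assumed size for a short radio frame
WINDOW = 64    # how far ahead of the last seen counter the base will accept


def static_frame(pin):
    """A disarm frame that is byte-for-byte identical on every press."""
    return COMMAND + pin.encode()


class StaticBase:
    """Base station that accepts the fixed frame, as the thread describes."""

    def __init__(self, pin):
        self.expected = static_frame(pin)

    def receive(self, frame):
        ok = hmac.compare_digest(frame, self.expected)
        return "disarmed" if ok else "rejected"


def _tag(key, header, pin):
    # The PIN is an input to the MAC, so it is never sent over the air.
    mac = hmac.new(key, header + pin.encode(), hashlib.sha256)
    return mac.digest()[:TAG_LEN]


class RollingKeypad:
    def __init__(self, key):
        self.key = key
        self.counter = 0

    def disarm_frame(self, pin):
        self.counter += 1  # every press produces a different frame
        header = struct.pack(">I", self.counter) + COMMAND
        return header + _tag(self.key, header, pin)


class RollingBase:
    def __init__(self, key, pin):
        self.key = key
        self.pin = pin
        self.last = 0  # highest counter accepted so far

    def receive(self, frame):
        if len(frame) != 4 + len(COMMAND) + TAG_LEN:
            return "malformed"
        header, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Authenticate first, so only genuine frames can move the counter.
        if not hmac.compare_digest(tag, _tag(self.key, header, self.pin)):
            return "bad-tag"
        counter = struct.unpack(">I", header[:4])[0]
        if counter <= self.last:
            return "replay"
        if counter - self.last > WINDOW:
            return "out-of-window"
        self.last = counter
        return "disarmed"


def demo():
    key = bytes(range(32))  # constructed pairing key
    pin = "4821"            # constructed PIN
    results = {}

    static_base = StaticBase(pin)
    recorded = static_frame(pin)
    results["static_first"] = static_base.receive(recorded)
    results["static_replay"] = static_base.receive(recorded)

    keypad, base = RollingKeypad(key), RollingBase(key, pin)
    recorded = keypad.disarm_frame(pin)
    results["rolling_first"] = base.receive(recorded)
    results["rolling_replay"] = base.receive(recorded)

    for _ in range(3):  # presses made out of range, never heard by the base
        keypad.disarm_frame(pin)
    results["after_missed"] = base.receive(keypad.disarm_frame(pin))

    # Rewriting the counter on a recorded frame invalidates its tag.
    results["edited_counter"] = base.receive(struct.pack(">I", 1000) + recorded[4:])
    results["wrong_pin"] = base.receive(keypad.disarm_frame("0000"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```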

Does anyone know what kind of

Does anyone know what kind of algorithm GE systems use? Adding a sensor on SS means just entering the serial number into the base which is static. I already figured when I saw this that the system likely was not encrypted or could be easily attacked with a replay attack. After all, programming the sirens is essentially a hack where by a couple disarm signals are all the siren needs to learn the disarm signal indefinitely. I like how they say the system was designed by a Harvard engineer seeming to suggest the system is without design flaws even though this isn't true and there is plenty of evidence of shoddy design and cost cutting.

That was just the first

That was just the first article. Subsequently, others have piled on, and the PIN protocol is fully decoded. See
greatscottgadgets.com/2016/02-19-low-cost-simplisafe-attacks/

"Personally I think the best

"Personally I think the best "fix" for this "issue" is to not advertise that you have SimpliSafe in your home. I don't." I decided to leave the signs from my old monitoring company up.

I agree. Ideally, Simplisafe

I agree. Ideally, Simplisafe would stop selling the signs.

Or make them more generic.

Or make them more generic. But they also see it as advertising, which makes sense from a business standpoint.

@platelunch, yeah they could,

@platelunch, yeah they could, probably should, have rotated, but still, that is really not such a big help. It's just hard to believe that they didn't implement such a well known technique because they didn't know about it. That said, I sure have no interest in dying on the defend-the-Harvard-engineer-who-designed-SimpliSafe hill. Heck, I work at MIT, and if an MIT engineer had designed it, we would not be having this discussion! :-)

Maybe I should design my own ultra inexpensive alarm system, then we can advertize that it was designed by an MIT engineer! Haha

In response to jim_58 By the

In response to jim_58

By the articles, I don't think they have to replace every piece of hardware. It seems to just be the base station and the keypads.

I think a lot of people have a security also for privacy purposes. How would you like it if someone disarmed your system, went into your house to eat the food from your fridge and rummaged through your clothes then left un-noticed?

And, frankly, I'm a very skeptical person. So, I'm going to be skeptical that you are not a SS employee posting to defend the product. I personally wouldn't have recommended this to my friend if I had known of this vulnerability a few months ago. Also, if you as an engineer already knew this hack was possible, then I would have to presume that almost any other engineer could easily circumvent the system if they wanted to. Do I feel safer/better knowing that? No, not at all.

It's like buying a car with a known defect that could jeopardize your safety at some point to save some money, why would you do it?

Also, I think as customers

Also, I think as customers and their website's guarantee .. anyone who wants to return the system or ask for updated hardware when released should be able to leverage these statements posted:

100% Satisfaction Guaranteed
SimpliSafe guarantee

We at Simplisafe are committed
to providing you with only the best
products and services. Our goal is to
make your life safer and easier. If you
are in any way unsatisfied with your SimpliSafe
product or service, please contact us and we’ll do our
best to make it right.

3 Year Product Warranty
SimpliSafe guarantee

Even after 60 days has passed, you
still benefit from our three-year
product warranty. If anything goes
wrong with your system, just call us (1-800-297-1605)
and we’ll do whatever it takes to sort things out
Usually, we’ll just send you a replacement part,
completely free of charge. We can afford to offer this
because our components are so reliable.

@ycss1, LOL, no I don't work

@ycss1, LOL, no I don't work for SS. I don't really feel I'm defending SS. I'm just pointing out that I feel this system is good enough for ordinary security against the most common threats. I have said that if a skilled person wants to defeat the system they can do so, I just don't see the average thief bothering, especially if it's just to eat my Jello pudding. Now if you have a beautiful Monet prominently displayed in your living room, perhaps you need to upgrade your SS security system. As I have said, it's up to each homeowner to make that decision.

And yes, any halfway decent engineer, or even electronics hobbyist, could accomplish this. But I don't know too many - okay, I don't know any - who also break into homes, although I would love to score a Monet, so perhaps I'll be the first. Do you have one?

If you re-read my post carefully, you'll see I qualified my statement about what has to be replaced, and it depends upon what "issue" you want to address. Currently the base station and the keypad talk back and forth to each other, so if SS can call those units home and reprogram them then this would go a long way toward solving their issues. I have not cracked open the hardware, so I don't know if the chips in these components can be reprogrammed. If they can, then great. If the chips have to be replaced, well that's going to be more tricky.

Unlike other people on the Internet, I'm not interested in publishing a laundry list of what could be done. However, there are downsides to having the sensors transmit data in the clear as well. But I personally like it, as it opens up extra capabilities.

So in summary, I don't work for SS, yes the system has issues, personally I'm fine with them but YMMV. That said, if they could reprogram the devices and offer to, I might take them up on it. Maybe. We'll see.

I have "looked under the

I have "looked under the hood" in the base unit, and no chip is in a socket, which means replacing any would be beyond the capability of most users. It is claimed they can't be reprogrammed, which may or may not be the case. If both of these are the case, then the only way to make any significant change in operation is to redo or replace the main board.

You probably have to replace

You probably have to replace the main logic board, the keypad and the keyfob.

Every board I have designed

Every board I have designed had the capability to reprogram the chip even though it was soldered to the board, so the fact that the chip is not in a socket does not mean the chip can't be reprogrammed. However, I do agree that it's pretty unlikely that it can be.

Yes, good design of the board

Yes, good design of the board supports reprogramming of memory - if the memory used is reprogrammable. Not all memories are reprogrammable; whether to use it is a design decision based on many factors. Sometimes it bites you, sometimes it is not a problem.

It seems like a relatively

It seems like a relatively simple solution to the immediate problem would be to provide a subset of the interactive plan at no cost, i.e. just the ability to set the mode via an app, without the event log, which they could still charge extra for.

No the event log is available

No the event log is available with the cheapest plan via the app.

Given SS made such an obvious

Given SS made such an obvious and avoidable security error it is likely that their OTA (over-the-air) update system will include flaws as well. Because:

(1) OTA delivery processes are hard to secure so it may likely be hackable; and/or (2) the firmware code may be obtainable/captured so it can be reverse engineered to identify more flaws/exploits.

I am not saying that it is impossible to make secure systems. However, many companies building IoT (internet-of-things) products often have no experience with the many threats/attacks they will be facing. Thus, unless they really change their engineering culture, their IoT products are likely to include flaws that can be easily exploited.

BTW: This type of flaw (replay exploit) is very easy to use, it is just the kind of thing junior script kiddies will try out for the Lulz. Further, software defined radio (SDR) exploits are all the rage now since SDR radio dongles can be had for less than $40 and Linux hacker distros (e.g., Kali Linux) are readily available. (These distros come preinstalled with all the SDR/Wi-Fi hacking tools.) All you need to do is install Kali on a battery powered micro-board computer, plug a SDR dongle in it, and hide the package near the target. It sounds fun, just like fishing.

I wish SS luck because I want to use their system -- as soon as they get it fixed. (Of course I will wait for the Defcon crowd to have a whack at it before I jump in) Also, just so you know I am not picking on SS, there are many companies, even security oriented companies, that have built similar or worse flaws into their IoT products. Just watch a few Defcon videos on youtube -- you will be amazed at how open/unsecure many IoT products are including, ATM's, security cameras, remote controlled anything, and so on.

Taking down the yard signs

Taking down the yard signs and window decals. However, I will keep my alarm permit sticker on my window.

Hacking - that is why I am

Hacking - that is why I am not in favor of over the air updating of an alarm system. I want to download the update, load it to a USB, and stick it into the base. That way, I know that only updates I approve are applied.

Are the remotes vulnerable

Are the remotes vulnerable like the key pads? Or is that a safe alternative, in addition to the app?