SimpliSafe home alarm hacked via $250 device

Feb 17, 2016 16:55 GMT  ·  By

SimpliSafe home alarm systems are extremely easy to hack, allowing attackers to effortlessly capture the alarm's PIN and disable the security system, facilitating unauthorized intrusions and theft, IOActive reports.

SimpliSafe is a radio-based home alarm system that has been installed in more than 1 million homes across the US. The company specifically built the system to be easy to install without a crew of professional technicians. It consists of a base station, sensors that you mount around the house at doors and windows, and a controller pad from which users manage the system and enter PIN codes.

IOActive's Andrew Zonenberg has discovered that these devices all talk to each other via non-encrypted WiFi, with the controller pad broadcasting a "PIN code" message to the base station whenever the alarm is turned off.

The researcher found that these devices are interchangeable and that they can be moved from system to system. Using this knowledge, he bought a second alarm system and hot-wired a microcontroller board to this second system's controller pad and base station.

Burglars could hack the alarm system from 100 feet / 30 meters away

By doing this, he created a custom apparatus that could listen for the broadcast "PIN code" messages (from the original system), record them in the microcontroller board's RAM (on the second system), and play them back to the original home alarm system on demand.

This means that he could place his device near someone's home (with SimpliSafe installed), leave it until somebody deactivates the alarm, and have the PIN code recorded in his board's memory. He could then use this PIN code whenever the homeowners left, silently disabling the home alarm system and carrying out a burglary. All with the push of a button, just like in the movies.

The total cost of Mr. Zonenberg's device was $250 / €225, a sum that's negligible to most crooks once they weigh it against the potential profits.

"Unfortunately, there is no easy workaround for the issue since the keypad happily sends unencrypted PINs out to anyone listening," Mr. Zonenberg explains. "Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol. However, this is not an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable."
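The replay described above, and the cryptographic fix Zonenberg says firmware would normally add, reduced to a message-level model. This is an added illustration, not SimpliSafe's protocol or IOActive's code: the legacy side models a keypad that sends the PIN in the clear, and the hardened side is an assumed challenge-response design (a random, single-use nonce from the base station answered with an HMAC over nonce and PIN under a pairing key) that shows why a recorded disarm message stops being useful.

```python
import hmac
import hashlib
import os

PIN = "1234"                                   # constructed sample PIN
SHARED_KEY = b"constructed-example-pairing-key"  # assumed key set at pairing


class LegacyBaseStation:
    """Models the design in the article: the base station accepts any frame
    that carries the correct PIN, so a captured frame stays valid forever."""
    def __init__(self, pin):
        self.pin = pin

    def receive(self, frame: bytes) -> bool:
        return frame == b"PIN:" + self.pin.encode()


def legacy_keypad_disarm(pin: str) -> bytes:
    return b"PIN:" + pin.encode()              # plaintext PIN over the air


class HardenedBaseStation:
    """Assumed fix: base station issues a fresh nonce per disarm attempt and
    only accepts HMAC(key, nonce || pin) for that nonce; nonce is single-use."""
    def __init__(self, pin, key):
        self.pin, self.key, self._pending = pin, key, None

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def receive(self, nonce: bytes, tag: bytes) -> bool:
        if self._pending is None or nonce != self._pending:
            return False                       # stale or unsolicited nonce
        self._pending = None                   # consume even on failure
        expected = hmac.new(self.key, nonce + self.pin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def hardened_keypad_disarm(pin: str, key: bytes, nonce: bytes):
    return nonce, hmac.new(key, nonce + pin.encode(), hashlib.sha256).digest()


def replay_against_legacy() -> bool:
    base = LegacyBaseStation(PIN)
    captured = legacy_keypad_disarm(PIN)       # eavesdropper records this
    assert base.receive(captured)              # homeowner's real disarm
    return base.receive(captured)              # replayed later: accepted


def replay_against_hardened() -> bool:
    base = HardenedBaseStation(PIN, SHARED_KEY)
    captured = hardened_keypad_disarm(PIN, SHARED_KEY, base.challenge())
    assert base.receive(*captured)             # homeowner's real disarm
    base.challenge()                           # next attempt gets a new nonce
    return base.receive(*captured)             # replayed: rejected
```

The model deliberately covers only replay; rate limiting of PIN guesses and protection of the pairing key in the keypad are separate concerns the quoted fix would also need to address.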

IOActive contacted SimpliSafe in September 2015, but the manufacturer has not yet responded. Below is IOActive's Andrew Zonenberg presenting a demonstration of his research: