
SimpliSafe Alarm System Replay Attack - npongratz
http://blog.ioactive.com/2016/02/remotely-disabling-wireless-burglar.html
======
Hogg
I did a similar project with Simplisafe, but I went the SDR route and figured
out their protocol, so I can forge sensor/keypad messages or decode PIN
entries from keypads. (I'm in contact with the IOActive researcher, Andrew, to
share this information.) It was a fun learning experience. My original goal
was to just get the damn system to reach my detached garage (which is about 25
feet from my house).

In his blog post, Andrew said he didn't bother to reverse-engineer the
protocol because if you can replay a "disarm" command with the correct PIN,
that's everything you need. That's probably true, but it could also profit an
attacker to record someone's PIN in case they use it for other things. And
depending on the limits of the Simplisafe base station, you could potentially
brute-force a "disarm" from every possible device ID - most likely, you'll
eventually use the ID of a keyfob associated with the system, so it will
disarm. Then you'd have control without the user ever entering their PIN.

These things are largely academic, I think. It's been known for a while that
you can just jam the system by transmitting at 433MHz while you kick down the
doors or whatever. Very cool anyway.

On the other hand, now I can build my own sensors and add them to my system,
if I want. Or build a repeater so I can finally have a keypad in my garage. :)

~~~
tptacek
Can you write more about how you reversed the RF protocol? I'd really like to
hear more about it. I've noticed that virtually all major published vuln
research targeting RF systems like this starts by hijacking an endpoint and
turning it into a modem.

I think there are a _lot_ of people interested in learning more about the
process of attacking RF systems from an SDR.

~~~
Hogg
I'd like to, but I'm not sure how to proceed. I don't know if I should try
notifying Simplisafe, and/or give people more time to get rid of the system. I
also don't have a good way to publish - I don't have a personal website or
anything. Any suggestions?

~~~
rubidium
In general, people are not going to get rid of systems. SimpliSafe is $15 a
month after equipment. For some, it's the only security system they can
afford, or it's as much as they want to spend on it (disclaimer: me).

So one way you can help their security is

1) Don't publicize easy-to-follow, step-by-step ways of doing this. There's
a big difference between disclosing a security issue and giving non-technical
people an easy way to bypass a security system. The fact that a security
weakness is known and publicized doesn't help xx% of thieves who don't have
the resources to implement it. It does help the aware customer to make changes
to their security and demand a fix from the vendor.

2) Responsibly disclosing to Simplisafe like the linked post did is best. If
they don't respond, then post what you were able to do in a similar manner.
Going through IOActive would be a great idea as they're familiar with this
process.

~~~
Lawtonfogle
1 sounds like security by obscurity, and it sounds like preventing information
from being made public knowledge that should impact customers' choices and
might lead to better locking down of the system. While the ideal rational
consumer would be just as impacted by a standard disclosure, I've never met an
ideal rational consumer. People will be much more aware if you can show them a
web page that gives a step-by-step guide on how to destroy their security
system.

To give a comparison, consider all the NSA spying leaks and then consider that
show host (John Oliver, I believe) who went around asking people questions in a
way that made them much more informed of what the implications of spying were,
and in doing so changed their reaction.

------
rubidium
I'm glad places like IOActive exist. Reading up on their procedure
(http://www.ioactive.com/pdfs/IOActive_Advisory_SimpliSafe-Replay.pdf),
they gave the vendor 5 months to even respond before posting this. All in all
a much better process than a "hacker" posting it to his blog because a company
didn't respond to his email the day before.

There's no such thing as perfect security via alarm. However, if a company
refuses to even respond to someone reporting a vulnerability, then the public
should be informed.

As a simplisafe customer, I will be contacting them and demanding a fix to
this vulnerability or full refund.

~~~
gruez
>All and all a much better process than a "hacker" posting it to his blog
because a company didn't respond to his email the day before.

I've actually never seen this happen.

~~~
joshstrange
Same here; in fact I'm often blown away by the timelines at the bottoms of
reports like this. Not in a "they should have released this sooner" type of
way but more of a "wow, they were extremely patient with this vendor after
numerous delays and all out of the goodness of their hearts". It would be just
as easy for these researchers to say "hmm, interesting" and never alert the
vendor or publish the findings.

------
creeble
I'm very interested in this space. Had a "break-in" at my storage/office
warehouse recently, and my camera-based alarm system failed me. It really
wouldn't have mattered because it was a smash-and-grab that was over before
the cops could have responded anyway.

I think the basic problem most alarm systems have is that wireless systems are
generally vulnerable, and wired systems are an order of magnitude more
difficult/expensive to install. I don't think there is a straightforward
solution to this problem.

The Simplisafe vulnerability is still considerably difficult for an average
burglar to use. I would be fairly surprised that any _burglar_ would use it,
as there are so many more attack vectors that could be exploited.

~~~
ekimekim
Forgive my naivety (and I'm fully aware of IT people's tendency to declare all
other fields "easy" and "why don't you just"), but why wouldn't the following
work?

* Wireless system

* Active heartbeats saying "no alarm", with proper crypto (eg. signed message which contains a monotonic sequence number)

* If the sensor detects a problem, it sends an alarm message

* If the sensor is jammed and "no alarm" heartbeats can't get through, it's treated as an alarm.

The only unavoidable problem I can see would be that someone with a jammer
could always jam your signal to generate alarms on demand.

~~~
superuser2
1) An attacker (/ RF noise) can induce false alarms frequently enough that you
no longer take the alarm seriously.

2) Can I get the crypto keys you're relying on by buying the hardware myself
and dumping the firmware? What about by ripping an exterior sensor off the
wall? What about by social engineering you into giving me an invoice with the
serial number on it?

3) What happens if I power-cycle your building? Do the sequence numbers start
over?

4) How are you going to communicate the alarm condition to anyone who can
help? If I cut your phone/internet lines? If I bring a cell phone jammer?

Not an expert either, but I remember a fascinating chapter of a security
engineering textbook from HN years ago talking about what goes into the design
of robust alarm systems. The process is largely driven by the high-end
valuables insurance industry, which has standards/certifications for the
alarms you must buy to enjoy their protection. I'll see if I can dig it up.

Wireless isn't inherently impossible to secure, but it must be done _very
carefully_.

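The two designs argued about in this subthread, side by side, as an added example: this is not code from the original thread, from SimpliSafe, or from IOActive. Design A is the unauthenticated frame that Hogg's replay and device-ID brute force work against; Design B is ekimekim's proposal (per-device key, authenticated heartbeats carrying a monotonic counter, silence treated as an alarm), with superuser2's point 3 (counters lost on power cycle) shown as a concrete failure. The frame layout, the 16-bit device ID space, the truncated 8-byte HMAC tag and the "three missed intervals" threshold are assumptions for illustration and describe no real product.

```python
"""Toy model of an unauthenticated alarm RF protocol next to an authenticated one.
Added example; frame layout, ID space and thresholds are assumptions, not SimpliSafe's."""
import hashlib
import hmac
import struct

DISARM, HEARTBEAT = 1, 2


# --- Design A: unauthenticated frames. Nothing binds a frame to a moment in time,
# so a recorded frame is as good as a fresh one, and the ID space can be walked. ---
def encode_naive(device_id: int, cmd: int) -> bytes:
    return struct.pack(">HB", device_id, cmd)          # assumed 16-bit ID, 8-bit command


class NaiveBaseStation:
    def __init__(self, paired_ids):
        self.paired = set(paired_ids)
        self.armed = True

    def receive(self, frame: bytes) -> bool:
        device_id, cmd = struct.unpack(">HB", frame[:3])
        if device_id not in self.paired:
            return False
        if cmd == DISARM:
            self.armed = False
        return True


# --- Design B: per-device key, HMAC over (id, cmd, counter), monotonic counter,
# and a sensor that goes silent for max_missed intervals raises an alarm. ---
TAG_LEN = 8                                            # truncated tag; assumption


class Sensor:
    def __init__(self, device_id: int, key: bytes, counter: int = 0):
        self.device_id, self.key, self.counter = device_id, key, counter

    def send(self, cmd: int) -> bytes:
        self.counter += 1                              # never reused; must survive reboots
        body = struct.pack(">HBQ", self.device_id, cmd, self.counter)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]


class AuthBaseStation:
    def __init__(self, keys: dict, max_missed: int = 3):
        self.keys = keys                               # device_id -> per-device key
        self.last_counter = {d: 0 for d in keys}       # highest counter accepted so far
        self.seen = {d: False for d in keys}           # heartbeat arrived this interval?
        self.missed = {d: 0 for d in keys}
        self.max_missed = max_missed
        self.armed, self.alarm = True, False

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 11 + TAG_LEN:
            return False
        body, tag = frame[:11], frame[11:]
        device_id, cmd, counter = struct.unpack(">HBQ", body)
        key = self.keys.get(device_id)
        if key is None:
            return False
        expect = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return False                               # forged or corrupted frame
        if counter <= self.last_counter[device_id]:
            return False                               # replayed or stale frame
        self.last_counter[device_id] = counter
        self.seen[device_id] = True
        if cmd == DISARM:
            self.armed = False
        return True

    def tick(self):
        """Called at the end of each heartbeat interval."""
        for d in self.keys:
            self.missed[d] = 0 if self.seen[d] else self.missed[d] + 1
            self.seen[d] = False
            if self.armed and self.missed[d] >= self.max_missed:
                self.alarm = True                      # jammed, dead or torn off the wall


# --- Demonstrations (constructed IDs and keys) ---
KEY = b"per-device-key-derived-at-pairing-time"       # constructed


def demo_replay_against_naive() -> bool:
    base = NaiveBaseStation({0x1234})
    captured = encode_naive(0x1234, DISARM)            # recorded off the air once
    return base.receive(captured) and not base.armed   # True: the replay disarms


def demo_id_bruteforce():
    """Walk the whole assumed ID space until a paired ID disarms the system."""
    base = NaiveBaseStation({0x1234})
    for candidate in range(0x10000):
        base.armed = True
        if base.receive(encode_naive(candidate, DISARM)) and not base.armed:
            return candidate
    return None


def demo_replay_against_auth():
    sensor, base = Sensor(0x1234, KEY), AuthBaseStation({0x1234: KEY})
    fresh = sensor.send(DISARM)
    first = base.receive(fresh)                        # accepted, counter 1 > 0
    base.armed = True
    replayed = base.receive(fresh)                     # rejected, counter 1 <= 1
    return first, replayed, base.armed


def demo_power_cycle(persist_counter: bool) -> bool:
    """superuser2's point 3: if the base station forgets last_counter on power
    loss, a captured frame becomes valid again. Returns whether the replay worked."""
    sensor, base = Sensor(0x1234, KEY), AuthBaseStation({0x1234: KEY})
    captured = sensor.send(DISARM)
    base.receive(captured)
    saved = dict(base.last_counter) if persist_counter else None
    base = AuthBaseStation({0x1234: KEY})              # reboot: RAM state gone
    if saved is not None:
        base.last_counter = saved                      # restored from non-volatile storage
    return base.receive(captured)


def demo_jamming():
    sensor, base = Sensor(0x9999, KEY), AuthBaseStation({0x9999: KEY}, max_missed=3)
    for _ in range(5):                                 # healthy: one heartbeat per interval
        base.receive(sensor.send(HEARTBEAT))
        base.tick()
    healthy_alarm = base.alarm
    for _ in range(3):                                 # jammed: nothing arrives
        base.tick()
    return healthy_alarm, base.alarm


if __name__ == "__main__":
    print(demo_replay_against_naive(), hex(demo_id_bruteforce()), demo_replay_against_auth())
    print(demo_power_cycle(False), demo_power_cycle(True), demo_jamming())
```

The counter has to be remembered on both ends: the base station's copy must survive a power cycle (otherwise the old frame replays), and the sensor's copy must survive a battery swap, or its fresh frames look stale and the sensor is silenced, which the design above then reports as an alarm. A challenge-response (base station sends a fresh random nonce that the disarm message must echo under the MAC) removes the need to persist counters at the cost of an extra round trip, and a jammer still gets superuser2's point 1: alarms on demand.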
------
lerxst
This is exactly why I put a different security alarm system sign in my yard
than the one that's actually installed. Unfortunately, there are probably many
homeowners who put SimpliSafe stickers in their windows letting anyone passing
by know their home is vulnerable to this attack.

~~~
rcurry
When I was a kid, my dad didn't want to spend money on an alarm system so he
just added that magnetic glass breakage tape around all the first floor
windows and installed a metal panel with a locking cover plate and a series of
blinking LEDs on the front and back doors. It looked really authentic, and it
seemed to work - other houses in our neighborhood got burgled once in a while,
but ours was the only one with those scary red lights blinking back and forth
on all the doors.

------
verytrivial
I see SimpliSafe Inc raised $57M in 2014[1]. I imagine there is now a rather
intense conference call on today's calendar.

[1] http://www.betaboston.com/news/2014/05/21/simplisafe-raises-57-million-for-easy-home-security-device/

------
hacym
I am a SimpliSafe customer, and I emailed them about this. Here is the
response:

"Thanks for writing in. As our systems use wireless technology, there is an
understandable concern over the potential to hack or jam our signal.

Much of it comes from a certain video online that fails to depict the
equipment used or the number of attempts made to compromise that signal. While
any wireless system is susceptible to this type of attack from a sufficiently
savvy and motivated intruder, our systems can be backed up with a land
line or an internet connection for no additional cost.

Also, this type of attack represents such a small percentage of total break-
ins that the FBI does not even keep a count. This is because the majority of
break-ins are a quick forced entry and not the sophisticated type of attack
that requires diligent planning as well as highly illegal and cost-prohibitive
equipment.

Assuming an intruder has the requisite technology, he would need to know the
frequency ranges he needs to jam, and also know the layout of your home
beforehand, as he would have to avoid motion detectors even in the unlikely
event that he bypassed a door sensor.

Furthermore, our systems use a proprietary algorithm that helps the system
distinguish between everyday interference from nearby household electronics,
and unusual, possibly targeted interference. Our interactive monitoring plan
for $24.99/month can be set up to notify you if your system detects abnormal
RF interference.

Ultimately, no system is impenetrable, and it would be unfair for us or any
company to tell you otherwise, but SimpliSafe has measures in place to protect
you against this type of intrusion, and with the likelihood of cellular
jamming being as slim as it is, the odds are more than in your favor."

Note they are trying to sell me on their most expensive plan and that they
never mentioned the attack that is referenced in the article (which I linked
to).

Time to look into a new company.

------
dsiegel2275
I am selling my house and literally five minutes ago just got off the phone
with my realtor telling her to make a counter offer to a buyer and to include
in the counter offer that our security system isn't included. We have intended
on taking our SimpliSafe security system to our new house.

Now I read this.

~~~
0xdeadbeefbabe
Bah. It's still better than nothing.

------
xenadu02
Are there any non-garbage home security systems?

~~~
kefka
Yes, there's a full machine-learning stack you can buy. Has auto-mapping,
heuristics, active listening, voice commands, and can easily move from room to
room. Also equipped with weapons platform to deter people who shouldn't be
there.

A dog.

~~~
Xylakant
I own a dog, and I can tell you that the machine-learning features are
generally overrated. It tends to learn what you don't want it to learn and
tends to forget about the things you want it to learn. It's also high-
maintenance and can't be left alone for extended periods of time. It's also
vulnerable to a "replay offer steak" attack. (12/10 for enriching my life,
would do again)

------
URSpider94
Home security seems like one of those spaces where it's hard to be disruptive.
By that, I mean Christensen's definition of offering a solution that would be
judged "not good enough" by the existing market, in order to attract new
customers at a lower price point.

~~~
maxerickson
Given the SDR hack described above, it seems they barely even tried to make
the thing secure.

I guess anybody wanting to sell wireless IOT stuff better be advertising how
their device pairing is robust or be getting heaps of criticism.

(I think it must be possible to robustly pair devices, I would be interested
in discussion of why it wouldn't be possible, and in discussion of user
friendly ways to do it)

