Breaking SimpliSafe Security Systems With Software Defined Radio

The SimpliSafe home security system is two basic components, a keyboard and a base station. Sensors such as smoke detectors, switches, and motion sensors can be added to this system, all without a wired installation. Yes, this security system is completely wireless. Yes, you can still buy a software defined radio for ten dollars. Yes, the device has both “simple” and “safe” in its name. We all know where this is going, right?

Last week, [Andrew Zonenberg] at IOActive published a security vulnerability for the SimpliSafe wireless home security system. As you would expect from an off-the-shelf, wireless, DIY security system, the keypad and base station use standard 433 MHz and 315 MHz ISM band transmitters and receivers. [Dr. Zonenberg]’s attack on the system didn’t use SDR; instead, test points on the transmitters were tapped and messages between the keypad and base station were received in cleartext. When the correct PIN is entered in the keypad, the base station replies with a ‘PIN entered’ packet. Replaying this packet with a 433 MHz transmitter will disable the security system.

[Michael Ossmann] took this one step further with a software defined radio. [Ossmann] used a HackRF One to monitor the transmissions from the keypad and turned to a cheap USB SDR dongle to capture packets. Replaying keypad transmissions were easy, but with a little bit more work new attacks can be found. The system can be commanded to enter test mode even when the system is armed bypassing notifications to the owner.

It’s a hilarious failure of wireless security, especially given the fact that this exploit can be performed by anyone with $100 in equipment. With a little more effort, an attacker can execute a PIN replay from a mile away. Sadly, failures of security of this magnitude are becoming increasingly common. There will assuredly be more attacks of this kind in the future, at least until hardware manufacturers start taking the security (of their security products) seriously.

49 thoughts on “Breaking SimpliSafe Security Systems With Software Defined Radio

  1. Security through obscurity has been proven to be useless time after time, yet people still use it.
    Everything about a product should be available for full inspection, and as long as the keys are secret the system should be secure. The Cryptophone is a great example of security done the right way.

    1. Is it security by obscurity or is it buying cheap hardware from a Chinese OEM for resale and not doing an audit on how it works? I have to wonder who wrote the code in this system.

    2. A security company should hide nothing. From the source code part of the Cryptophone website:
      “Why are you the only vendor offering the source code for review to anybody?

      We can only assume that other vendors have something to hide. They might be afraid of competition and want to protect so called “trade secrets”. The nice thing about our products is that we have no (trade) secrets, and invite everyone to make interoperable products based on the published protocol. We believe in standards that are open for anybody to join – as long as they go and implement their own product and do not steal from our published source.”

  2. hehe yeah the hackrf one is awesome. I was sitting looking for my own wireless outlet signal and found the random signal of the peoples door bell next door. It was pretty entertaining for a few minutes.

    1. “Nothing is more important to us than the security of our customers, and we take all potential vulnerabilities seriously.”
      Well, right then! They’re taking it seriously, so nothing else to see here. Move along, laddies… move along…

    2. Wow, that response is miserable. Summed up:

      1) This attack is just too durn fancy, nobody’s going to possible have any patience or technical expertise.
      2) We haven’t seen it happen yet, so it’s never going to happen.
      3) No other manufacturer seems to have been dumb enough to have a similar ‘encryption’ system, and they apparently haven’t been broken into yet either, so it’s never going to happen.

        1. “If you have our Interactive plan, disarm your system with your smartphone or web app, which bypasses this issue.”
          — They were referring to the fact that the smart phone/web interface would not allow an attacker to intercept the code/signal to disarm the system.

          It’s still bad that the company does not really seem to take the security of the system seriously.
          “While we believe that the scenario described in the report is highly unlikely to occur, we are diverting engineering resources to investigate”
          Do they expect to find, that through an investigation, that the issue is not unlikely to occur.

          By this company’s logic —
          I should remove the deadbolt lock on my front door because it’s unlikely that someone would try to break-in.

    3. Oh dear God, that is pathetic. They’re basically having you carry on as if you don’t have an alarm system anyway.

      I was also reading that the earlier units may go offline as the cell carriers drop support for 2G. And to think, I was close to setting up a Simplisafe install a couple of years ago, I mostly stopped because the carrier service isn’t great around my house. Now I find out they’ve got a busted security model? Yeesh, glad I didn’t miss anything.

        1. Yeah. The density (i.e. maximum capacity) of 2G cells will probably drop a lot once voice-over-lte becomes common, but I predict that for the next 10 years atleast there will be pretty good 2G coverage in most places.

        2. At&t in the USA is turning off all 2g support soon. This means if you have a 2g device with their sim it will no longer see any network. I assume they are doing this as they want the bandwidth/frequency/coverage for 4g etc. You could swap sim to other provider

  3. I read this article and just shake my head. WHY, WHY, WHY !!!!!! I shout (in my head) And then a calm comes over me as I come up with the answer – because the “engineer” who designed it never, ever educated himself / herself with what SHOULD be required reading for anyone ever designing anything!! Hack A Day!!! — The real problem is that the “educated” never assume that there are passionate and smart people who LIVE to take things apart and dream in Hex. Once you come to the realization that there are people (like present company) you tend to think with more of a security perspective, and you stop believing the lie that Mommy told you “You are a special Genius”

    The other part that KILLS me is that the radio-ads I hear for “Simply Safe” goes on and on about how this “smart college engineer” developed this revolutionary security technology. What an epic failure, You would think that someone in the damn company might have had some sort of security review on the system. F-A-I-L !!!

    1. Oh, and I have to add to my own comment !!! a simple streaming Rijndael cipher is so damn easy and FREE to use and EASILY works on an 8 bit chip!!!!! The “engineer” that designed this should hang his head in shame!!!!

  4. I like the closed systems without wireless just because the criminal has to disable the IR and pressure sensors by splicing signal wires.

    Most systems I see in the wild have NO wireless and protected lines.

  5. So how many of you are going to gather the equipment then go hunting for people who use this then use the codes to commit a B&E and rob them blind?

    Any takers?

    Yes, the system is a joke. But most theives would rather smash a window and take a 60 second tour of the house than go through the trouble to snoop the radio spectrum for security codes.

    Anyone using this system probably doesn’t have much to steal in the first place.

    1. Remember the Beechcraft V-tailed Bonanza?(airplane) It was labeled “The Doctor Killer” because it was more expensive than the regular Bonanza and had higher fatal accidents.
      Why do I bring this up? Well, I think it shows a flaw in the logic of your last line.
      Someone who buys a security system thinks they DO have something to protect… laptop, flat screen, DVD collection, clothes, art, furniture, and, like the doctors who bought the V-tail version, do not know that what they are buying could have a detrimental effect to their intention.

      1. Yeah, you make a point.

        But I still think it’s a lot of unnecessary effort for a B&E.

        Still a very bad system and I am glad there are people out there who act as white-hats. Now if there were only a way to let the people know…hmmm.

        1. To be honest I was thinking the same thing, then I read:

          “The system can be commanded to enter test mode even when the system is armed bypassing notifications to the owner.”

          I still have to read the source, but this sounds far quicker and easier than recording packets and replaying them later. If a burglar knows how to do this, then disabling ANY SimplySafe system would be as easy for him as for the people who owned the home!

        2. Sure, most burglars aren’t going to bother. But criminals get hold of devices that disable car alarms. Just needs some enterprising guy somewhere to put this solution in a box with 1 “Burgle” button to press. Some burglars do enough of it to make the effort.

          Still, security by “can’t be bothered” isn’t very good. What’s inexcusible, is there must be dozens of ways they could have put a simple bit of encryption in. There’s almost certainly a CPU in those boxes, just to read the keypad, it’s the cheapest way of doing it. Anything would be better than this nothing.

          1. “a box with 1 “Burgle” button to press” <- this.

            And it will be available on ebay with free international shipping. The folks installing credit-card skimmers aren't brainiacs. They're just buying hardware online. (Like the rest of us?!?)

            Bad security is everywhere, though. The real story here is that the company refused to acknowledge the problem and fix it.

    2. No need to hunt if you are in a populated area, plenty of signals to sniff. You may not want to break in, but if you are a young teen learning hacking, you may find amusement in setting off alarms in the early hours. I know because I used to do it, lol :-)- 30+ years ago, when there were very few rolling codes about (and the signals were on 418MHz in the UK).

  6. Cool hack! Yes it’s sad, but seriously, it’s the bottom of the barrel of security systems. If you spend $40 on a security system to protect the most expensive thing you own then you get what you paid for. The engineer who designed it had design constraints like cost and target market that led to what we have here. No need for condeming them. My house has been broken in-to multiple times and never once was my security system or my locks tampered with – the bloody door gets kicked in or the window smashed. If someone is targeting your security system with an SDR then you have bigger problems – so stop pissing off the wrong people.

  7. It’s absolutely asinine that a company whose purpose in life is to build security systems wouldn’t at least attempt to secure their system’s wireless communications. Any level of effort could’ve realized better security with minimal impact to their cost. The company’s press release about it further demonstrates their total lack of understanding and goes a long way towards explaining how they ended up in the situation they’re in.

  8. This makes me wonder just how secure my neighbor’s Vivint system is. Those systems use a touchscreen panel that appears to be a custom Android tablet for the base unit and cellular communication to their monitoring center which also allows personal remote control via their app.

    1. That’s not as easy as it sounds. Are you jamming GSM 1800, 1900 2400? GSM 450? CDMA? LTE? From the looks of it, its a GSM Telit module, and GSM can be put in to frequency hopping modes (depends on the provider) — Its not as simple as getting a continuous voice call to drop — this is packet data, and the system will try like hell to re send the packets. Inadvertently, I am sure, but “simply-stoopid” got the cell part at least partially right.

  9. What really bothers me about a lot of these vulnerabilities is that they’re all mitigable in pure software. They wouldn’t have had to increase the hardware costs a penny to even do a shitty job of anti-replay as opposed to doing NOTHING AT ALL.

  10. I spoke to these guys. The reply was: It require a specialist to break into. Average person won’t do it. I guess they are waiting for someone to be robbed, and then sue the company.

  11. This is a prime example of engineers implementing stuff without A) Thinking for a second and B) Not maintaining their skill set. I’ve been a software engineer of over 20 years, I am now doing an IT degree for A) Fun and B) to update my skill set. It’s working, I have learnt a lot about basic security, enough to know that I could not make a system like this secure.

    1. I am a retired EE who worked in the field for 40+ years in telephony, process control, and HVAC systems design. I designed hardware; but, spent the vast majority of my later years in embedded software.
      When you state:
      This is a prime example of engineers implementing stuff without A) Thinking for a second and B) Not maintaining their skill set.
      I think that you are overlooking the fact that they tout this guy as either an MIT or Harvard engineering student.
      What I think is lacking is perspective and some oversight by a real engineer with some experience, perhaps because of the enthusiasm of a student who “thinks” he has solved a problem and can make a fortune, even before graduating.

  12. I found this hackaday article when researching reviews of SimpliSafe. Are there any home security systems that you’d recommend that are better and economical? We’re buying our first home and I’m not savvy at all when it comes to this subject (hence me researching SimpliSafe — the price seemed too good to be true, and I guess it is!)

  13. Funny, that motion detector can only transmit once every 4.75 minutes. So if someone just armed the system and left, you have enough time to run through, find the basestation and drop it into the back of any toilet. Save the $$$ on hacking it.
    Maybe that’s why they didn’t bother with any secure features.
    They are $150 to $350 per system they sell and clearing over $10/month (paying $3.22/month) for monitoring of probably 40%. All of the liability is on the installer. Surprise,surprise.surprise……
    300,000 have already funded them. They never said it couldn’t be circumvented by an eight year old.

  14. I heard about a system being hacked one time. Or maybe it was in a movie I saw. Seriously, the larger picture: traditional alarm systems are merely reactive. And the vogue camera systems are user-dependent.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.