Alarm System Defeated By $2 Wireless Dongle, Nobody Surprised

It seems a bit unfair to pile on a product that has already been roundly criticized for its security vulnerabilities. But when that product is a device that is ostensibly deployed to keep one’s family and belongings safe, it’s plenty fair. And when that device is an alarm system that can be defeated by a two-dollar wireless remote, it’s practically a responsibility.

The item in question is the SimpliSafe alarm system, a fully wireless, install-it-yourself system available online and from various big-box retailers. We’ve covered the system’s deeply flawed security model before, whereby SDRs can be used to execute a low-effort replay attack. As simple as that exploit is, it looks positively elegant next to [LockPickingLawyer]’s brute-force attack, which uses a $2 RF remote as a jammer for the 433-MHz wireless signal between sensors and the base unit.

With the remote in close proximity to the system, he demonstrates how easy it would be to open a door or window and enter a property guarded by SimpliSafe without leaving a trace. Yes, a little remote probably won’t jam the system from a distance, but a cheap programmable dual-band transceiver like those offered by Baofeng would certainly do the trick. Not being a licensed amateur operator, [LockPickingLawyer] didn’t test this, but we doubt thieves would have the respect for the law that an officer of the court does.

The bottom line with alarm systems is that you get what you pay for, or sadly, significantly less. Hats off to [LockPickingLawyer] for demonstrating this vulnerability, and for his many other lockpicking videos, which are well worth watching.

Thanks to [fede.tft] for the tip.

71 thoughts on “Alarm System Defeated By $2 Wireless Dongle, Nobody Surprised”

  1. Should be an easy fix for the door sensor to send that the door was opened as soon as the communication is restored, provided it’s 2-way communication and the door sensor knows it’s being received by the base station.

      1. I worked as telephone tech support for a security system company, and none of the sensors were wired. Furthermore the system used primarily wifi with cellular as a fallback. Anyone with a 345 MHz jammer can break in without setting off the alarm. Or just jam the wifi and cellular. Either one renders the system useless. I got frequent calls from people without wifi because the phone company was doing maintenance on the nearest tower. Too many single points of failure for me.

        1. Not with Xfinity. It is constantly monitored, the second something is not right it alerts Comcast, even if both WiFi and cellular are unavailable, they are alerted. I know this because I work for them.

          1. You work for them is not a proof that you know how Xfinity alarm system works. In fact you just proved that you do not know. I hope you clean toilets for Xfinity and have nothing to do with the alarms.

        1. Not correct. There are anti-jamming countermeasures which involve both aerial diversity, spread spectrum frequency hopping, coherent detection, autocorrelation techniques and fast Fourier analysis, all done in software and hardware and in integrated circuits. Signals are automatically extracted even when buried in noise.

      1. A dense neighbor with a grey market imported Chinesium remote for something on the same frequency band is gonna make you switch to a wired security system or binning it altogether.

    1. Well honestly how many times will a Simplisafe Base Station (which is meant to be placed near the very interior center of the house) 1. be placed immediately beside a window with no curtains so it is visible to the whole world as to where it is in which window of the house when it’s meant to be placed in the middle of the house, so that a crook can easily see it from the road and know which house to jack and 2. be a genius enough crook to know that he can use a 433 MHz blocker to stand by the ridiculously unusually visible Simplisafe base station placed in a window instead of at the center of the home as called for, and jam the system. If the installer was dumb enough to put the Simplisafe even near a window, especially one with no curtains, and B. the crook is smart enough to know radio frequency jamming techniques, then congratulations you’re in the presence of famous people, because Lloyd from “Dumb and Dumber” installed the system and Ethan Hunt from “Mission Impossible” is trying to defeat it.

      Any alarm system is only as smart as the person who installs it.

      1. The point [lockpickinglawyer] is making is that you DON’T have to get close to the basestation. A Baofeng transceiver has enough power to overwhelm the signals even from the front door, no matter where you put the basestation. He’s demonstrating with the little remote control because that is legal for him to have, while broadcasting at 433 MHz at 5W power is not.

        1. Or even use a mobile 70cm (430-440 MHz) radio in your car. Even the basic mobile radios provide 20+ W of power. More than enough to completely blind most 433.92 MHz receivers within a few hundred meters/yards.

    2. “door sensor to send the door was opened as soon as the communication is restored” Ummm the door sensor is just a sensor… it does not have memory or a processor or the ability to keep track of data and then send it at a later time. Please stop attempting to provide “easy fixes” when you clearly do not understand how the device operates.

        1. The question is:

          If you don’t have the money to spend on hiring a professional (not every “normal” person has enough income to afford something like that), is it better to have something like SimpliSafe or nothing at all? I’d say SimpliSafe is way too expensive for what it actually is, but it’s better than not having anything.

          1. Even if you have some kind of security system it helps.

            If you would be a burglar, would you choose the house with no security or with flawed security. My bet would be on the first one.

    1. A decent base station should have safeguards for when it is jammed or a sensor has a malfunction. If the base station polls the sensor and no answer is received, the alarm should activate, like on a wired sensor where it is detected if the cable is cut or shorted.

      1. We had a wireless alarm back in the day and it did, indeed, have Jam alerts, and they did indeed result in calls from the monitoring station. But even with that, the problem was that a wireless jam was essentially a lower priority event than an actual alarm. Had we been away from home and not expecting it, I’m not sure we would have pulled the trigger and sent the cops around to investigate.

        Nowadays we have a noisy chihuahua. That seems more useful, all told.

          1. I know someone who bought a Rottweiler as a guard dog.
            Turned out to be more like an affectionate teddybear, while their cats instead started meowing incessantly when strangers came to their house.

          2. Who’s gonna call the fire department to save your dog from a house fire? Who is going to wake you up in the middle of the night for a carbon monoxide leak? And at least the SimpliSafe system would require the crook to know that he needed a jammer…all they need at your house is raw meat…

      2. It has the problem that radio jams and interference happens all the time, so your alarm system is basically crying wolf for no reason most of the time.

        Plus, if the -wireless- base station is being radio-jammed, how will it call you? It won’t hear the cellular tower either, so it can’t make a call.

        1. The fact is that an interference should be momentary, and of course one thing is jamming an ISM transmitter, another a GSM/UMTS/4G signal, not to mention that one could use a landline or activate a big siren *inside* the house anyway.

          For the problem of crying wolf, everyone who has had a Gunn diode Doppler-effect motion sensor knows that they have to be tuned to the area or they will trigger for random reasons.

          Big dog is useful of course.

          My idea of a burglar alarm is that a determined thief will enter anyway, but for scaring away junkies or the like a reasonable basic system is sufficient.

          1. You don’t need to jam any specific frequency, just blast the receiver with enough noise that the input amplifier saturates. Then it won’t hear anything.

            The way cellphone networks work, you have to handshake with the tower to be able to transmit. If you can’t hear the tower, you can’t transmit.

      3. Or if the battery in the sensor dies.

        I had the Scout system. It devoured lithium batteries, and part of their subscription was just sending brown envelopes in the mail with as many lithium cells as you asked for.

        I don’t think they’d offer the alarm at loss of communication function.

  2. I don’t think he would have required a ham license to use a Part 15 433 MHz transmitter. And any lawyer could do sufficient exam prep in about an hour to pass the Technician test. It’s not that high a bar (see what I did there?).

    1. If he gets an amateur radio license, he’s bound by the FCC rules, Part 97.101(d), which says that no amateur operator shall willfully interfere with or cause interference to any radio communication or signal.

  3. I tested this with a Baofeng 5 watt hand-held transceiver from outside a residence, and was reliably able to jam sensor signals on an Abode security system.

    The base station did not produce any interference alerts, even when I got right up to it and held the x-mit button down for many seconds.

    Would a spread spectrum wireless security system be so easily defeated? If so, are there any such systems available in the DIY security market?

  4. I’m not expecting my DIY security system to protect me against the CIA or even someone with moderate hacking skills. I buy it to protect me against a meth head or heroin addict going from house to house looking for cash.

  5. The “breaks” of using a wireless system like this is that jamming is a possibility. However it seems like a pretty good cost vs risk calculation for mid-to-low tier homes as the types of thieves hitting those houses aren’t likely to jam wireless signals as part of their B&E practice. More expensive homes and property should use a traditional system, but then, they can probably afford the installation costs. Of course, part of this could be mitigated with routine polling or check-ins of the sensors, but these sensors are battery operated, and that kind of polling is both prone to significant false positives and a huge hit to the battery life of the sensors. What is unforgivable is the previously reported SimpliSafe unencrypted, non-rolling code, pin-code replay attacks that were previously discovered by researchers (linked in article) and dismissed by these charlatans.

  6. No offense but most thieves are not that smart! Most are smash and grab, etc…. Security systems are simply a deterrent to keep someone from breaking in or to alert you if someone does. If it’s the government then it does not matter what you have! If someone has the tech to defeat your alarm and you’re not home, then he is no run of the mill thief and most likely has not picked your house at random! This is why they make safes! Any security plan should have more than one level of difficulty and should be well thought out in stages from your alarm, to securing your valuables, to personal protection. Never put all your eggs in one basket!!

    1. The people who broke into my rental house while we were in the middle of renovation broke a patio door by throwing bricks at the alarm company sign on it! So, I have to agree with the idea that many are not so smart.

    2. One problem with the “thieves are not that smart” meme that recurs throughout this comment section is that thieves often know other thieves, and techniques spread through networks. Especially easy-to-use ones like pressing the button on a commonly-obtainable device. The thief breaking in to your house doesn’t have to be a genius, they merely need to have someone in their network just smart enough to be dangerous.

      Is it true that most are smash and grab? There are plenty of cases where burglars observe a residence over a period of time, before pulling up with some buddies and a moving truck while the family is on vacation.

      1. “Professional” burglars are pretty rare. Any person who is intelligent enough to make a career out of breaking into houses has an easier time doing any other trade – so it requires a certain rare mentality to become a cat burglar.

        That’s why most people who do break into homes are druggies, teenage gangsters, or otherwise impaired. They won’t be affiliated with the “pros” because the people who know anything about anything will keep well clear of these people.

      2. When they go to jail they tend to learn new stuff from the other convicts. If there’s anything the US prison system is good at, it’s educating convicts at being better criminals.
        They don’t call prisons crime universities for nothing.

  7. I am a SimpliSafe customer as well as a licensed HAM radio operator (though inactive), and like many operators I do own one of those el-cheapo Baofeng UV-5R radios to keep in my car for emergencies. I have confirmed that transmitting on 433.92 MHz at 5W anywhere near my home does prevent the system from detecting a change in sensor status; however, to SimpliSafe’s credit it did announce a wireless interference warning as well as sent a notification to my phone when the interference occurred AND when the interference stopped. I do have video surveillance around the inside and outside of my home (also wireless and likely susceptible to the same attack), but I know better than to hang signage around my property advertising brand names for this very reason and instead use generic signage as a warning. I am not thrilled about this but also not surprised. Kudos to fede.tft and Dan Maloney for reporting this, I will likely go with a different brand of security in the near future.

      1. Wired systems are few and far between today unless you want to break the bank. Even ADT’s most popular system is wireless. SimpliSafe already detects the interference and sends a notification to your phone. It’s a simple firmware update to have it trigger an alarm instead, which they are working on.

  8. Even better yet, a $30 illegal Baofeng radio could jam every device in its range.

    A fix could be, instead of a simple on or off (1 or 0) being sent, to communicate a constant data stream, so if the wireless signal is lost then the alarm can assume someone is jamming it and activate.
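The supervision idea raised in this thread (sensors check in continuously, and the base station treats a sustained loss of check-ins or sustained channel noise as an event) is what the comments above about "crying wolf" and battery life are really arguing over. The following is an added, illustrative monitor written for this page; it is not SimpliSafe's, ADT's or any vendor's code, and the heartbeat interval, grace window, noise threshold and the whole event timeline are constructed assumptions. It shows the defender's side only: a short interference burst is tolerated, while sustained noise and a run of missed check-ins each produce a distinct alert.

```python
"""Toy base-station supervision monitor (added example, not vendor code).

Two independent checks run while the system is armed:
  * supervision: each sensor must check in every heartbeat_s; after
    grace_beats consecutive misses it is reported as lost;
  * carrier sense: channel energy above noise_dbm that persists for
    noise_hold_s is reported as a jam (a brief burst is ignored).
All numeric values below are assumed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SupervisionPolicy:
    heartbeat_s: float = 60.0   # assumed sensor check-in interval
    grace_beats: int = 3        # consecutive missed check-ins tolerated
    noise_dbm: float = -75.0    # assumed "channel busy" RSSI threshold
    noise_hold_s: float = 30.0  # sustained noise needed before a jam alert


@dataclass
class BaseStation:
    policy: SupervisionPolicy
    sensors: list
    armed: bool = False
    last_seen: dict = field(default_factory=dict)
    lost: set = field(default_factory=set)
    noise_since: Optional[float] = None
    jam_reported: bool = False
    alerts: list = field(default_factory=list)  # (time, kind, sensor)

    def arm(self, now: float) -> None:
        """Arm and start every sensor's supervision clock from now."""
        self.armed = True
        self.lost.clear()
        for s in self.sensors:
            self.last_seen[s] = now

    def heartbeat(self, sensor: str, now: float) -> None:
        """A sensor check-in was received (state change or periodic)."""
        self.last_seen[sensor] = now
        if sensor in self.lost:
            self.lost.discard(sensor)
            self.alerts.append((now, "restored", sensor))

    def noise_sample(self, now: float, rssi_dbm: float) -> None:
        """Carrier-sense sample taken while the channel should be idle."""
        p = self.policy
        if rssi_dbm < p.noise_dbm:
            self.noise_since = None      # channel quiet again: reset
            self.jam_reported = False
            return
        if self.noise_since is None:
            self.noise_since = now       # start timing this noise episode
        elif (now - self.noise_since >= p.noise_hold_s
              and not self.jam_reported):
            self.jam_reported = True     # report once per episode
            self.alerts.append((now, "jam", None))

    def tick(self, now: float) -> None:
        """Periodic supervision check; only meaningful while armed."""
        if not self.armed:
            return
        limit = self.policy.heartbeat_s * self.policy.grace_beats
        for s in self.sensors:
            if s not in self.lost and now - self.last_seen[s] > limit:
                self.lost.add(s)
                self.alerts.append((now, "supervision_lost", s))


def run_scenario() -> list:
    """Constructed ten-minute timeline, one sample every 10 s.

    Sensors check in every 60 s until jamming begins at t=240. A benign
    20 s noise burst at t=100..110 must not raise anything; the sustained
    noise from t=240 raises a jam alert, and the missing check-ins raise
    supervision_lost once the grace window (3 x 60 s) has elapsed.
    """
    bs = BaseStation(SupervisionPolicy(), ["front_door", "kitchen_window"])
    bs.arm(0.0)
    for t in range(0, 601, 10):
        if t % 60 == 0 and t < 240:
            for s in bs.sensors:
                bs.heartbeat(s, float(t))
        noisy = (100 <= t <= 110) or t >= 240
        bs.noise_sample(float(t), -40.0 if noisy else -95.0)
        bs.tick(float(t))
    return bs.alerts


if __name__ == "__main__":
    for when, kind, sensor in run_scenario():
        print(f"t={when:>5.0f}s  {kind:<17} {sensor or ''}")
```

The two checks are deliberately separate: the carrier-sense alert fires well before the supervision alert and can be surfaced as a lower-priority "interference" notice, while the supervision alert is what a monitoring centre would treat like a cut wire on a hardwired loop. Tuning `grace_beats` and `noise_hold_s` is the trade-off the thread describes between nuisance notifications and sensor battery life.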

  9. I think SimpliSafe would say that it will send some kind of “interference” message to your phone when it happens so you can drive home and check ;).

    I have to check the surplus electronic dealers. I already have a bunch of 315MHz that with the right 1/4 5th harmonic will kill all GPS – and ande 315MHz remote when using a 9v, and IIRC they were less than $1 each, though the 9v clips may have made them a bit more costly.

    I think they too have a doorbellcam but then you need one of those ESP deauthers.

    The fun thing would be to create a $10 disable kit. You could even send it via UPS or FedEx so when it arrives at the door it kills the security system.

    See market-ticker.org – Karl Denniger has something much better running on a Raspi using one of the BSD variants. He calls it HomeDaemon.

  10. It is amazing the number of people who are willing to provide excuses for the failure of a cheap unit, rather than spend the money to actually protect their property.

    Just remember, it’s not always “methheads” kicking in your door for a snatch and grab. It could be your wife’s or daughter’s stalker, a vandal or someone who actually intends to search your house for real valuables.

    I would also offer that getting endless “interference signal notifications” will rapidly add up and force you to ignore them totally. Likewise, false alarms (however caused) rapidly desensitize you, your family, the neighbors and the police from responding. Thieves know this and use it to their advantage. . . spend a few days setting off false alarms, drive everyone crazy and then break in, everyone assumes it’s a false alarm.

    As for Rottweilers, other dogs, expensive locks etc, ever seen how quickly a dog will go after and eat a lump of hamburger meat. . . even with nasty chemicals inside. . . Or how easy it is to kick in most regular doors?

    Long story short, if you want to buy false protection and assure yourself that it will work on some level, knock yourself out, but understand you are only fooling yourself.

    1. Oh please. Even ADT uses a wireless system these days. It sets off the alarm when communication to the base station is lost when armed. SimpliSafe is working on an update to do the same. Most thieves will bypass any house with an alarm system or cameras. That is a known fact. Your other examples are extreme and rare.

  11. I have an ADT system with wireless. I added a wireless chime from Amazon to the door and put the transmitter about 2 feet away from the ADT one on the door. The ADT system would no longer work, but the door chime worked fine. So even the expensive system can be stopped with rf noise, not just the cheap ones. RF is pretty much always possible to knock offline.

  12. Lots of new security systems installed by professionals have encryption now. ADT’s new system, ADT Command https://zionssecurity.com/new-equipment-and-features/adt-releases-new-security-system-platform-adt-command/ made by Honeywell, uses encryption, and other systems use a technology called PowerG, which is also encrypted. https://zionssecurity.com/new-equipment-and-features/what-is-powerg/

    You will not be jamming those wireless signals very easily.

    I would recommend that new installations only get encrypted sensors and that legacy system owners consider updating or upgrading when the time is appropriate.

      1. That is not correct. First off the system detects it. Second these run a specific frequency. They’d have to know what system you have and what version as well as the correct frequency. Basically if they have this info then you’re probably friends with the wrong kind of people. If you’ve chosen your company well then only strangers will be breaking in and it would be a guessing game as to what the correct frequency is for the specific system. Guess wrong and the police are on the way. Most thieves are paranoid and this isn’t a chance they are going to take. Fact is there’s a very small possibility this could happen. It could happen with any security system as long as it’s the correct frequency. SimpliSafe chooses not to send police for this because it could be construction work causing it to. They also give you a free camera that when you see this jamming you can go into the camera which doesn’t run off the same system as the base. Ei
