Unfixable SimpliSafe Security Flaw Warns Security Expert
SimpliSafe is making headlines this week with news that should have customers deeply disturbed and concerned.
Two days ago, Dr. Andrew Zonenberg, senior security consultant at IOActive, issued an advisory warning of a vulnerability in SimpliSafe’s system that can be exploited using equipment that costs less than $250. With the right equipment, criminals can initiate a replay attack, capturing and recording the unencrypted PIN sent from the keypad to the base station. Once the PIN is captured, the attacker can issue fraudulent commands to the system, sending false signals or disabling it completely.
To attack a system and capture a PIN, the attacker’s device needs to be within 100 feet of the keypad to intercept the unencrypted data sent from the keypad to the base station. So if the criminal needs to be close to the home, doesn’t that minimize the risk? Not really. Homeowners frequently post yard signs from their security company to discourage potential robbers. For SimpliSafe customers, those yard signs are now beacons advertising the home’s vulnerability.
Here’s where it gets really, really ugly for SimpliSafe’s customers (estimated to be over 300,000): The security flaw cannot be fixed with an OTA (over-the-air) update like those pushed out to mobile phones by cell providers because SimpliSafe uses a one-time programmable chip in their system.
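To see why a keypad message that is unencrypted and identical every time can be replayed, and what replacement hardware would have to check instead, here is an added example (not from IOActive’s advisory or SimpliSafe’s firmware). The frame layout, shared key, counter scheme and the names LegacyBase, HardenedBase and signed_frame are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

CMD = b"DISARM"  # constructed command label; the real frame format is not on the page

class LegacyBase:
    """Model of the flawed design: the PIN travels in the clear, same bytes every time."""
    def __init__(self, pin: str):
        self.expected = CMD + b":" + pin.encode()
    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.expected)

def signed_frame(key: bytes, counter: int, pin: str) -> bytes:
    """Hardened keypad frame: counter + command + HMAC. The PIN is never transmitted."""
    header = struct.pack(">Q", counter) + CMD
    tag = hmac.new(key, header + pin.encode(), hashlib.sha256).digest()
    return header + tag

class HardenedBase:
    def __init__(self, key: bytes, pin: str):
        self.key, self.pin, self.last_counter = key, pin.encode(), 0
    def accept(self, frame: bytes) -> bool:
        if len(frame) != 8 + len(CMD) + 32:
            return False
        header, tag = frame[:-32], frame[-32:]
        want = hmac.new(self.key, header + self.pin, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            return False                      # forged, corrupted, or wrong PIN
        counter = struct.unpack(">Q", header[:8])[0]
        if header[8:] != CMD or counter <= self.last_counter:
            return False                      # unknown command, or a replayed/stale frame
        self.last_counter = counter
        return True

def demo():
    pin, key = "4821", b"constructed-demo-key-32-bytes!!!"  # constructed sample values
    recorded = CMD + b":" + pin.encode()      # identical bytes on every legacy disarm
    legacy = LegacyBase(pin)
    legacy_results = (legacy.accept(recorded), legacy.accept(recorded))
    base = HardenedBase(key, pin)
    frame = signed_frame(key, 1, pin)
    hardened_results = (base.accept(frame), base.accept(frame))
    next_ok = base.accept(signed_frame(key, 2, pin))
    return legacy_results, hardened_results, next_ok

if __name__ == "__main__":
    print(demo())
```

Encryption alone would not be enough: an encrypted frame that never changes can still be recorded and sent again, which is why the hardened base station also tracks a counter.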
So What Can SimpliSafe Customers Do?
Not much. If they continue to use their SimpliSafe alarm system, they can mitigate the risk by changing their PIN frequently, but short of replacing the keypad and base station, the risk will remain, according to IOActive. We contacted SimpliSafe to see what they had to say. Considering IOActive’s multiple failed attempts to contact the company since September 2015, when the flaw was discovered, we weren’t expecting much. (You can read IOActive’s complete security advisory.)
The representative we spoke with was aware of the recent press around this vulnerability but downplayed the risk, echoing SimpliSafe’s response as published by Ars Technica:
While any wireless system is susceptible to this type of attack from a sufficiently savvy and motivated intruder, our systems can be backed up with a land line or an internet connection for no additional cost. Also, this type of attack represents such a small percentage of total break-ins that the FBI does not even keep a count. This is because the majority of break-ins are a quick forced entry and not the sophisticated type of attack that requires diligent planning as well as highly illegal and cost-prohibitive equipment. Assuming an intruder has the requisite technology, he would need to know the frequency ranges he needs to jam, and also know the layout of your home beforehand, as he would have to avoid motion detectors even in the unlikely event that he bypassed a door sensor.
This cookie-cutter response reads as dismissive and unsympathetic to the legitimate concern of their customers. It’s also disturbing that they recommend adding a landline or internet connection to reduce the system’s susceptibility to attack. Both of these communication methods are inherently at risk: A novice intruder with wire cutters can disable the system by cutting exposed telephone and cable lines before breaking into the home.
Is There Any Good News for SimpliSafe Customers?
That depends what your definition of “good” is. SimpliSafe spokesperson Melina Engel told Forbes the company was “planning on releasing hardware with over-the-air firmware updates and that customers would be given a discount on those once they were available.”
Some customers have taken to Twitter to express themselves:
@Forbes I want to hear from a class action attorney unless SimpliSafe sends me a new encrypted base station and keypad immediately!
— Dr. Jeff Bauman (@WestonChildPsyc) February 19, 2016
All of this begs the question: Does SimpliSafe really care about the safety and security of their customers?
It’s hard to believe they do when a flaw like this is exposed and the company’s response dismisses valid concerns and their solution is a “discount” to current customers for security equipment that’s actually secure — but not yet available.
Our recommendation to SimpliSafe customers (and anyone else looking for a home security solution): Select an alarm system from a company that takes protecting your home and family seriously.
Simple isn’t always easy. In this case, it’s simply unfixable.