Update on Simplisafe….

A couple of years ago I wrote this piece warning about snake oil in sales pitches.  I wasn’t able to get my hands on the hardware to do my test but I knew there were most likely going to be serious flaws. I had stated I was more than willing to do an analysis for free if sent a sample product. Honestly I kind of wish I had bought one, because this shit is gold:

It appears SimpliSafe’s systems send messages unencrypted in the clear over the air. That means it’s trivial to send spoofed sensor readings – such as back-door closed – to fool alarm control boxes into thinking no break-in is happening, and replay PIN codes from keypads to activate or deactivate security systems.

blink This shit’s a joke right? An honest to god joke. This is so blatantly bad it is obvious someone made a proof of concept and then shipped it as a product.

The only thing that is worse is their canned response to the problem:

Thanks for writing in.
Please read this information below there hasn’t been any cases or situations.

Good freaking god, that’s as bad as the incident I had with Dreamhost.

If you have Simplisafe, ditch it. You’re keys are being broadcast to the world.

 

Barron is the owner, editor, and principal author at The Minuteman, a competitive shooter, and staff member for Boomershoot. Even in his free time he’s merging his love and knowledge of computers and technology with his love of firearms.

He has a BS in electrical engineering from Washington State University. Immediately after college he went into work on embedded software and hardware for use in critical infrastructure. This included cryptographic communications equipment as well as command and control devices that were using that communications equipment. Since then he’s worked on just about everything ranging from toys, phones, other critical infrastructure, and even desktop applications. Doing everything from hardware system design, to software architecture, to actually writing software that makes your athletic band do its thing.

About Barron

Barron is the owner, editor, and principal author at The Minuteman, a competitive shooter, and staff member for Boomershoot. Even in his free time he’s merging his love and knowledge of computers and technology with his love of firearms. He has a BS in electrical engineering from Washington State University. Immediately after college he went into work on embedded software and hardware for use in critical infrastructure. This included cryptographic communications equipment as well as command and control devices that were using that communications equipment. Since then he’s worked on just about everything ranging from toys, phones, other critical infrastructure, and even desktop applications. Doing everything from hardware system design, to software architecture, to actually writing software that makes your athletic band do its thing.
Tagged . Bookmark the permalink.

2 Responses to Update on Simplisafe….

  1. lucusloc says:

    “Also, this type of attack represents such a small percentage of total break-ins that the FBI does not even keep a count.”

    But if your system gains a decent market share, they may have to start. You can set up a device to do a simple plain test replay attack with an arduino.