A couple of years ago I wrote this piece warning about snake oil in sales pitches. I wasn’t able to get my hands on the hardware to do my test but I knew there were most likely going to be serious flaws. I had stated I was more than willing to do an analysis for free if sent a sample product. Honestly I kind of wish I had bought one, because this shit is gold:
It appears SimpliSafe’s systems send messages unencrypted in the clear over the air. That means it’s trivial to send spoofed sensor readings – such as back-door closed – to fool alarm control boxes into thinking no break-in is happening, and replay PIN codes from keypads to activate or deactivate security systems.
*blink* This shit’s a joke, right? An honest to god joke. This is so blatantly bad it is obvious someone made a proof of concept and then shipped it as a product.
The only thing that is worse is their canned response to the problem:
As our systems use wireless technology, there is an understandable concern over the potential to hack or jam our signal. Much of it comes from a certain video online that fails to depict the equipment used or the number of attempts made to compromise that signal. While any wireless system is susceptible to this type of attack from a sufficiently savvy and motivated intruder, our systems can be backed up with a land line or an internet connection for no additional cost. Also, this type of attack represents such a small percentage of total break-ins that the FBI does not even keep a count. This is because the majority of break-ins are a quick forced entry and not the sophisticated type of attack that requires diligent planning as well as highly illegal and cost-prohibitive equipment. Assuming an intruder has the requisite technology, he would need to know the frequency ranges he needs to jam, and also know the layout of your home beforehand, as he would have to avoid motion detectors even in the unlikely event that he bypassed a door sensor. Furthermore, our systems use a proprietary algorithm that helps the system distinguish between everyday interference from nearby household electronics, and unusual, possibly targeted interference.
Good freaking god, that’s as bad as the incident I had with Dreamhost.
If you have SimpliSafe, ditch it. Your keys are being broadcast to the world.