Update on Simplisafe….

A couple of years ago I wrote this piece warning about snake oil in sales pitches.  I wasn’t able to get my hands on the hardware to do my test but I knew there were most likely going to be serious flaws. I had stated I was more than willing to do an analysis for free if sent a sample product. Honestly I kind of wish I had bought one, because this shit is gold:

It appears SimpliSafe’s systems send messages unencrypted in the clear over the air. That means it’s trivial to send spoofed sensor readings – such as back-door closed – to fool alarm control boxes into thinking no break-in is happening, and replay PIN codes from keypads to activate or deactivate security systems.

*blink* This shit’s a joke right? An honest to god joke. This is so blatantly bad it is obvious someone made a proof of concept and then shipped it as a product.

The only thing that is worse is their canned response to the problem:

Thanks for writing in.
Please read this information below there hasn’t been any cases or situations.

As our systems use wireless technology, there is an understandable concern over the potential to hack or jam our signal. Much of it comes from a certain video online that fails to depict the equipment used or the number of attempts made to compromise that signal. While any wireless system is susceptible to this type of attack from a sufficiently savvy and motivated intruder, our systems can be backed up with a land line or an internet connection for no additional cost. Also, this type of attack represents such a small percentage of total break-ins that the FBI does not even keep a count. This is because the majority of break-ins are a quick forced entry and not the sophisticated type of attack that requires diligent planning as well as highly illegal and cost-prohibitive equipment. Assuming an intruder has the requisite technology, he would need to know the frequency ranges he needs to jam, and also know the layout of your home beforehand, as he would have to avoid motion detectors even in the unlikely event that he bypassed a door sensor. Furthermore, our systems use a proprietary algorithm that helps the system distinguish between everyday interference from nearby household electronics, and unusual, possibly targeted interference.

Best,
Mikaela
——————-
SimpliSafe, Inc.
1-888-95-SIMPLI (1-888-957-4675)

Good freaking god, that’s as bad as the incident I had with Dreamhost.

If you have Simplisafe, ditch it. Your keys are being broadcast to the world.
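The flaw in the quoted report, cleartext frames that a receiver accepts again on replay, set beside the standard defense of a per-device key, a message counter and a MAC. This is an added example, not code from the original post or from SimpliSafe; the frame layout, key, sensor ID and event code are constructed assumptions.

```python
import hashlib, hmac, struct

# Constructed frame layout (an assumption, not SimpliSafe's real format):
# sensor_id (2 bytes) | counter (4 bytes) | event (1 byte) | tag (8 bytes)
HDR = struct.Struct(">HIB")
TAG_LEN = 8  # truncated HMAC-SHA256

def make_frame(key, sensor_id, counter, event):
    """Sensor side: MAC the header, which includes the message counter."""
    hdr = HDR.pack(sensor_id, counter, event)
    return hdr + hmac.new(key, hdr, hashlib.sha256).digest()[:TAG_LEN]

class NaiveReceiver:
    """Models the reported behaviour: any well-formed frame is accepted."""
    def accept(self, frame):
        return len(frame) >= HDR.size

class AuthReceiver:
    """Checks the MAC and requires a strictly increasing counter per sensor."""
    def __init__(self, keys):
        self.keys = keys   # sensor_id -> per-device key
        self.last = {}     # sensor_id -> highest counter accepted so far

    def accept(self, frame):
        if len(frame) != HDR.size + TAG_LEN:
            return False
        hdr, tag = frame[:HDR.size], frame[HDR.size:]
        sensor_id, counter, _event = HDR.unpack(hdr)
        key = self.keys.get(sensor_id)
        if key is None:
            return False   # unknown sensor
        expected = hmac.new(key, hdr, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False   # forged or corrupted frame
        if counter <= self.last.get(sensor_id, -1):
            return False   # replay of an already-seen frame
        self.last[sensor_id] = counter
        return True

def demo():
    key = b"constructed-demo-key"   # constructed; real keys are random per device
    naive, auth = NaiveReceiver(), AuthReceiver({0x0A01: key})
    frame = make_frame(key, 0x0A01, 1, 0x02)   # constructed "disarm" event
    forged = HDR.pack(0x0A01, 2, 0x02) + bytes(TAG_LEN)
    return {"naive_replay": (naive.accept(frame), naive.accept(frame)),
            "auth_replay": (auth.accept(frame), auth.accept(frame)),
            "auth_forged": auth.accept(forged),
            "auth_next": auth.accept(make_frame(key, 0x0A01, 2, 0x02))}
```

A MAC with a counter stops spoofed and replayed frames but does not hide the payload; keeping a keypad PIN off the air in cleartext additionally needs encryption, for example an AEAD mode keyed per device.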


Barron is the owner, editor, and principal author at The Minuteman, a competitive shooter, and staff member for Boomershoot. Even in his free time he’s merging his love and knowledge of computers and technology with his love of firearms.

He has a BS in electrical engineering from Washington State University. Immediately after college he went into work on embedded software and hardware for use in critical infrastructure. This included cryptographic communications equipment as well as command and control devices that were using that communications equipment. Since then he’s worked on just about everything ranging from toys, phones, other critical infrastructure, and even desktop applications. Doing everything from hardware system design, to software architecture, to actually writing software that makes your athletic band do its thing.


2 Responses to Update on Simplisafe….

  1. lucusloc says:

    “Also, this type of attack represents such a small percentage of total break-ins that the FBI does not even keep a count.”

    But if your system gains a decent market share, they may have to start. You can set up a device to do a simple plain text replay attack with an Arduino.