Update on Simplisafe….

A couple of years ago I wrote this piece warning about snake oil in sales pitches.  I wasn’t able to get my hands on the hardware to do my test but I knew there were most likely going to be serious flaws. I had stated I was more than willing to do an analysis for free if sent a sample product. Honestly I kind of wish I had bought one, because this shit is gold:

It appears SimpliSafe’s systems send messages unencrypted in the clear over the air. That means it’s trivial to send spoofed sensor readings – such as back-door closed – to fool alarm control boxes into thinking no break-in is happening, and replay PIN codes from keypads to activate or deactivate security systems.

*blink* This shit’s a joke, right? An honest to god joke. This is so blatantly bad it is obvious someone made a proof of concept and then shipped it as a product.

The only thing that is worse is their canned response to the problem:

Thanks for writing in.
Please read this information below there hasn’t been any cases or situations.

Good freaking god, that’s as bad as the incident I had with Dreamhost.

If you have Simplisafe, ditch it. Your keys are being broadcast to the world.
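The flaw quoted above (frames accepted with no authentication and no freshness check) next to the check a base station needs to reject spoofed and replayed frames. This is an added example, not code from the original post or from SimpliSafe; the frame layout, the pairing key and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-pairing-key"  # constructed sample key (assumption)
BODY = struct.Struct(">IIB")           # sensor_id, counter, state (assumed layout)
TAG_LEN = 8                            # truncated HMAC-SHA256 tag (assumed size)


def naive_accept(frame: bytes) -> bool:
    """Behaviour described in the quote: any well-formed frame is trusted,
    so a recorded frame is accepted again every time it is received."""
    return len(frame) == 5  # sensor_id (4 bytes) + state (1 byte), no tag


def make_frame(key: bytes, sensor_id: int, counter: int, state: int) -> bytes:
    """Sensor side: append a MAC computed over id, counter and state."""
    body = BODY.pack(sensor_id, counter, state)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class BaseStation:
    """Hardened receiver: verifies the MAC, then requires a strictly
    increasing per-sensor counter so a captured frame cannot be reused."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # sensor_id -> highest counter accepted

    def accept(self, frame: bytes):
        if len(frame) != BODY.size + TAG_LEN:
            return None
        body, tag = frame[:BODY.size], frame[BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None  # forged or modified frame
        sensor_id, counter, state = BODY.unpack(body)
        if counter <= self.last_counter.get(sensor_id, -1):
            return None  # replay of an old frame
        self.last_counter[sensor_id] = counter
        return sensor_id, state


if __name__ == "__main__":
    station = BaseStation(KEY)
    frame = make_frame(KEY, 0x1234, 1, 0)
    print("first delivery:", station.accept(frame))
    print("replayed frame:", station.accept(frame))
```

The counter has to survive a base-station reboot (persisted or resynchronised), otherwise old frames become valid again after a power cycle.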

 


About TMM

TMM is the owner, editor, and principal author at The Minuteman, a competitive shooter, and staff member for Boomershoot. Even in his free time he’s merging his love and knowledge of computers and technology with his love of firearms. Many know his private name and information however due to the current political climate, many are distancing themselves due to the abandonment of Due Process.

2 Responses to Update on Simplisafe….

  1. lucusloc says:

    “Also, this type of attack represents such a small percentage of total break-ins that the FBI does not even keep a count.”

    But if your system gains a decent market share, they may have to start. You can set up a device to do a simple plain text replay attack with an Arduino.