Researchers claim they can remotely disable SimpliSafe's wireless security system

With about $250 worth of equipment and a little coding know-how, security consultants with IOActive claim to have built a device that can capture a SimpliSafe system's PIN, then replay it to disarm the system.

Ry Crist Senior Editor / Reviews - Labs
Originally hailing from Troy, Ohio, Ry Crist is a writer, a text-based adventure connoisseur, a lover of terrible movies and an enthusiastic yet mediocre cook. A CNET editor since 2013, Ry's beats include smart home tech, lighting, appliances, broadband and home networking.
Expertise Smart home technology and wireless connectivity Credentials
  • 10 years product testing experience with the CNET Home team
Ry Crist
3 min read

EDITOR'S NOTE, 2/17/16, 8:09 PM EST: Updated to include additional comment from SimpliSafe.

Researchers with the Seattle-based security consulting firm IOActive have released an advisory regarding SimpliSafe's wireless home security systems, claiming that the system doesn't adequately protect its transmissions from being recorded and reused.

To this end, IOActive claims to have developed a device that can observe and record wireless transmissions between SimpliSafe's system components. This includes PIN entries from the system's keypad -- the device can't decrypt the specific code you're using to arm and disarm your system, but it can record the encrypted transmission itself, then replay it to the base station in order to disarm the system.

The device wires two SimpliSafe system components to a set of external microcontrollers, and cost about $250 for IOActive to assemble. With the right coding, the device can listen in to the wireless transmissions between SimpliSafe's system components and log them. A potential intruder would need to leave the device within 100 feet of your home's keypad, then basically press record and wait for you to disarm the system with your code.

Enlarge Image

The log of captured system transmissions includes data packets that disarm the system.


At that point, they'd have a record of the data packet that gets transmitted whenever you punch your code in. The packet doesn't tell them what the code actually is, but that doesn't matter -- all they'd need to do is use the device to resend the packet in order to disarm your system.

IOActive's researchers built and tested the device in August of 2015. After confirming that it worked, they say that they attempted to share their findings with SimpliSafe on multiple occasions, but received no reply. At that point, they filed a vulnerability report with federal security regulators.

This isn't the first time researchers have claimed to find vulnerabilities with SimpliSafe. In January of last year, contributors to Forbes claimed that SimpliSafe setups were vulnerable to jamming attacks. In our own tests, we were able to confirm that SimpliSafe systems can be jammed (with the right equipment and know-how, any wireless transmission can be). However, we also found that SimpliSafe was able to detect jamming attacks and notify users.

The IOActive report is potentially more concerning, as it pertains specifically to SimpliSafe's data security measures and not to wireless transmissions in general. IOActive's report says that SimpliSafe's microcontrollers appear to be one-time programmable, meaning that there's no way to push a fix through via firmware update. Instead, IOActive says, SimpliSafe devices will need to be replaced with updated versions that do a better job of protecting against replay attacks. Suggested countermeasures include implementing rolling codes or adding two-way handshake authentication for the system's transmissions.

Founded in 1998, IOActive provides enterprise security guidance across a wide range of fields, from the financial and healthcare sectors to automotive tech and the Internet of Things. Its advisory board includes the former Chief Information Security Officer for eBay as well as Apple Computer co-founder Steve Wozniak.

A SimpliSafe spokesperson told Forbes that record-and-replay attacks are "theoretically possible but highly unlikely," and added that SimpliSafe isn't aware of the record-and-replay attack being used on any of its more than 300,000 customers. Daniel Miessler, director of client advisory services for IOActive told us that it's possible SimpliSafe wouldn't be aware that these attacks were happening.

"We don't have data, but that's largely because the data itself is highly elusive," Miessler said. "What we can say is that this can be done very cheap, and that victims of the crimes are unlikely to know anything technical was done. So it could have happened many times and we likely would not know."

Melina Engel, SimpliSafe's VP of Marketing, points out that each system includes a log entry each time you enter your passcode, and says that SimpliSafe has no record of customers reporting break-ins with logs that show an unexplained disarm event prior to the burglary.

Engel also notes that disarming the system using the web or app interface would not be exploitable by the IOActive method.

"All major alarm systems face similar concerns. Nonetheless, we are actively working to address [them]," Engel said, adding that SimpliSafe is updating its hardware to include remotely upgradeable firmware.

SimpliSafe's engineers were unavailable to comment on the technical points that IOActive raised, but we'll update this piece if we hear more from them.