Hacker Shows How To Hack Wireless Burglar Alarm System Like A Pro

SimpliSafe Alarm Systems’ Inherent Vulnerability Exposes Hazards of Wireless Security Devices

Digital age has brought along countless blessings and conveniences for the consumers but there are quite a few dangers associated with the Internet of Things (IoT) that are hard to ignore. Wireless security systems are such a blessing indeed, we all feel so secure and relaxed after installing them. These are easier to install without needing professional help and tend to be a cost-effective DIY system in comparison to wired ones. However, wireless security systems aren’t as foolproof as we believe them to be. Probably, those high-tech movies that show hackers turning off security systems remotely to infiltrate buildings without getting noticed were actually pointing towards a grave vulnerability that plagues wireless security systems.

alarm london
Home alarm

IOActive’s Andrew Zonenberg discovered how in real life hackers can turn-off security systems by exploiting a crucial security flaw that most home security systems inherently have. Zonenberg identified a serious vulnerability in SimpliSafe alarm systems that allow anyone to listen to the PIN easily and repeatedly. This shows that SimpliSafe alarm systems aren’t just insecure but also vulnerable to even lowest level attacks. Firstly, let’s evaluate the elements of SimpliSafe home security systems.

Screen Shot 2016-02-20 at 1.41.29 PM
Keyboard and base of SimpliSafe alarm system

How had SimpliSafe wireless Home Security Systems Work?

SimpliSafe, as the name suggests, is the manufacturer of state-of-the-art and reliable radio-based home alarm systems. Reportedly, its products are being used by over one million homeowners in North America. There are basically two main components in a SimpliSafe wireless home security system: the keypad and base station. It is possible to combine them with a wide range of sensors extending from smoke detectors to motion detectors and magnet switches for creating a full-fledged home security system. Keypad and sensors are responsible for transmitting data towards the base station through the on-off keying in the 433 MHz ISM band while the reply comes from the base station via similar modulation at 315 MHz.

How SimpliSafe Wireless System can be Hacked?

Now let’s dig deep and find out how this wireless home security system can be hacked. The system is created around a star topology; the base station has to maintain state data and the keypad acquires events-related notifications from the base station as well as drives the buzzer and the LCD when required. Later, commands are sent back to the base station but since sensors only contain transmitters hence, these cannot receive messages.

There are randomly placed test points on all the boards, which can offer easy access to the raw baseband data that shifts between the MCU and RF upconverter circuit. Using a logic analyzer, it is possible to reverse engineer the protocol because when messages are sent repeatedly, the contents remain the same. This shows that messages can either be sent in cleartext or through some kind of cipher without salts or nonces. A few more reversing exercises unravel bits that convincingly distinguish a “PIN entered” packet from another packet.

Hacker Shows How To Hack Wireless Burglar Alarm Like A Pro
Sniffer used by the hacker

Thus, Zonenberg identified that the attack can be conducted by simply disconnecting the MCUs from the keypad and the base station and joining wires from the RX and TX basebands to any other microcontroller board. After generation of a few hundred ‘C’ lines, it becomes possible to listen to the incoming 433 MHz radio traffic passively. Eventually, it leads to a SimpliSafe “PIN entered” packet that is recorded in RAM. An LED light indicates that the PIN has been successfully recorded and can now be played. Then, it becomes possible to push the button to listen to the same packet again and again in order to attack the alarm system.

Demo video


An Inexpensive but Effective Attack Indeed:

It is evident that this particular hack is very inexpensive to conduct and, on the whole, it requires a one-time investment of around $250. You need to buy a commodity microcontroller board, SimpliSafe base station, and SimpliSafe keypad to target the alarm system. It is also possible that the attacker hides the device anywhere within a hundred feet radius of the target system’s keypad until the time the alarm is disarmed successfully and the code gets recorded. Afterward, the attacker can retrieve the device and can play back the code whenever he wants to disable the alarm and conduct burglary without getting detected. The vulnerability identified in SimpliSafe alarm systems is quite alarming because it is a security ensuring product and is already installed in over a million homes in America. Moreover, it lets the attacker take control of the system completely and can reveal information about how and for what purpose the system is being used by the consumer. This can potentially make the home a target for attackers.

What’s the Solution?

It is being speculated that other SimpliSafe sensors like entry sensors can also be spoofed in a similar fashion. The issue currently does not have a simpler solution since the keypad can send out encrypted PINs to anyone. This vulnerability cannot be fixed by the manufacturer with new firmware versions that add cryptography to the protocol. This cannot be done with the vulnerable SimpliSafe products since their microcontrollers that have been shipped with the hardware already are programmable only once. Zonenberg explains:

“Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol. However, this is not an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable.”

Thus, field upgrades of current systems aren’t possible and the only solution is to replace all the existing base stations and keypads. When contacted by IOActive, SimpliSafe did not respond at all. Then IOActive informed CERT about this flaw in SimpliSafe products. 

HackRead has contacted Zoneberg for an exclusive statement, stay tuned!

Agan Uzunovic

Agan Uzunovic is a Bosnian journalist who is working for the country’s largest newspaper. He has a keen interest in reporting on activism and hacktivism. He is also a contributor at U.S based Revolution News media. Agan reports and writes for HackRead on IT security related topics.