The internet of things continues to widen the attack surface: A vulnerability in SimpliSafe’s home security system gives an attacker full access to the alarm at a time of his/her choice in the future.
According to IOActive, due to the design of the home security system, all keypads and base stations will need to be replaced in order to secure the system.
“We are seeing a growing trend where companies launching ‘internet of things’–enabled products to market either forget or choose to exclude security as part of the product’s design and development,” said IOActive researcher Andrew Zonenberg, in an analysis. “The end result is that these products can be easily compromised by hackers with malicious intentions in mind. This is particularly alarming when the products are intended and marketed for security purposes.”
The SimpliSafe system consists of two core components, a keypad and a base station. These can be combined with a wide array of sensors, ranging from smoke detectors to magnet switches to motion detectors, all connected wirelessly.
An attacker armed with a commodity microcontroller board, SimpliSafe keypad and SimpliSafe base station (an investment of about $250) can build a device that records the code that’s used to unlock communications between the elements. It can then spoof the legitimate device to arm or unarm the system.
“The attacker can hide the device anywhere within about a hundred feet of the target’s keypad until the alarm is disarmed once and the code recorded,” Zonenberg explained. “Then the attacker retrieves the device. The code can then be played back at any time to disable the alarm and enable an undetected burglary, or worse.”
Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol used. But that’s not an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable, the researcher explained.
“This means that field upgrades of existing systems are not possible; all existing keypads and base stations will need to be replaced,” he said. Considering that SimpliSafe says that there are 1 million+ systems already installed, the cost to mitigate this for the vendor is not going to be cheap.
Zonenberg that he tried several times to contact the vendor with no response, and that IOActive reported the issue to CERT.
SimpliSafe is not the only home security system in the spotlight of late. Earlier in the year, a vulnerability was discovered in Comcast XFINITY’s Home Security System that could open the door—literally—to intruders.
Photo © Alexander Kirch