Today I am publicly disclosing my research on 4 confirmed serious vulnerabilities (see the Security Advisory) found in the “SimpliSafe revision 2” home security system, also known as the “SimpliSafe Original”. These disclosures extend work previously conducted and published in 2015/2016 by Dr. Andrew Zonenberg of IOActive and Mr. Michael Ossmann of Great Scott Gadgets.
The vulnerabilities essentially allow an attacker to decode your PIN code, alarm status, and sensor status using a relatively inexpensive Software Defined Radio (SDR) dongle and a computer (PC or Raspberry Pi). For more details please review the Security Advisory.
SimpliSafe is a DIY no-contract home security company based in Boston, MA, USA that claims to protect over 2 million Americans with their products and services. It leverages wireless sensors and keypads to communicate with a base station which has a cellular modem connection to their monitoring center.
Building on the public disclosures by Zonenberg and Ossmann, I essentially followed the “Rapid Radio Reversing” paper by Michael Ossmann to capture, record, and analyze the signals from the keypad and sensors.
Working through the capture and analysis phase I was able to manually reverse engineer the PiWM signal into 1’s and 0’s, which is where I hit a brick wall for nearly 2-3 weeks. I could easily see what changed whenever the PIN code was changed, however I could not see how the 1’s and 0’s I saw turned into the actual data.
I then turned to the rtl_433 team, and they worked with me to develop the PiWM decoding capability, which allowed me to do more extensive capture and analysis of the raw data. Then all of a sudden I realized the bits were simply backwards. Normally the number 1 would be represented as 00000001, but in their transmissions it was 10000000.
Once I had that figured out it was easy to write code that could decode, in real time, the serial number, PIN codes, and status codes transmitted by the sensors and keypads.
After getting functional code written I promptly reported my findings to SimpliSafe’s security mailer and received a very prompt response to all of my concerns. In our conversations SimpliSafe assured me that the next generation system does not suffer from the same vulnerabilities; however, to date I have not had a next generation system available to test against.
Using the software or the techniques outlined in the security advisory, an attacker could bypass your home security controls without your knowledge, leading to an experience that falls short of what you expect from a home security company.
Update 5/18/2018: The source code has been committed to the rtl_433 master branch in GitHub located here.