SimpliSafe Security Advisory

Security Advisory

Title: Wireless Capture and Decoding of SimpliSafe Original Security Systems
Severity: High
Discovered By:
  Original Researcher: Dr Andrew Zonenberg of IOActive
  Subsequent Researcher: Michael Ossmann of Great Scott Gadgets
  Advisory Author: Adam Callis adam@simpleorsecure.net
Advisory Date: 21-March-2018

Affected Products

CONFIRMED: SimpliSafe Original home security system

Please note – No testing has been performed against the next generation system released in 2017.

Overview

The SimpliSafe Original system suffers from multiple vulnerabilities which, when exploited, could leave a consumer without the protection they expect from the SimpliSafe service. These vulnerabilities were previously reported by security researchers but were downplayed by SimpliSafe as “sophisticated” or “highly unlikely” attacks in its 2016 blog post “Our Commitment to Your Security”. Making matters worse, the devices compatible with the system are NOT upgradable over the air; until they are replaced, the home remains vulnerable to attack.

Vulnerabilities

Table 1: Vulnerability List

Vulnerability ID   Vulnerability Description                      Vulnerability Type
CVE-2018-11402     Unencrypted Keypad Transmissions               Information Disclosure
CVE-2018-11399     Unencrypted Sensor Transmissions               Information Disclosure
CVE-2018-11401     RF Interference Disables Alarm                 Denial of Service
CVE-2018-11400     Base station fails to detect tamper attempt    Denial of Service

CVE-2018-11402 – Unencrypted Keypad Transmissions

The SimpliSafe keypad (U9K-KP1000) transmits data, including the PIN and the Arm, Disarm and test-mode commands, to the SimpliSafe base station (U9K-BS1000) on 433.92 MHz. These transmissions are completely unencrypted. They use Amplitude Shift Keying (ASK) with Pulse Interval and Width Modulation (PIWM) at an approximate symbol rate of 2000 symbols per second to encode the data.

Using a Software Defined Radio (SDR) USB dongle and the popular RTL-SDR software “rtl_433” with a custom module, we were able to capture and decode in real time all messages sent to the base station, including the most sensitive data fields:

  • Keypad serial number
  • Command (Arm, Disarm, Test Mode)
  • PIN code

Update 5/19/18: The Stable Master Branch of rtl_433 now includes the SimpliSafe decoder module by default. To get rtl_433 visit their GitHub Repo located here – https://github.com/merbanan/rtl_433

Using the standard omni-directional antenna that comes with the SDR dongle, the keypad transmissions can be received from approximately 100 feet in free space (i.e. no walls, trees, or obstructions between keypad and antenna) and from approximately 50-60 feet when the transmissions must penetrate walls.

Using a more specialized high-gain Yagi directional antenna, reception distances increased to 200+ feet in free space and approximately 115 feet when the transmissions must penetrate walls. Because 433.92 MHz falls within the amateur radio frequency bands, antennas tuned to this frequency are relatively inexpensive and commercially available. In testing we used a Diamond brand Yagi available for $65.00 USD.

Exploiting this vulnerability, an attacker could remain on public property in a vehicle, capturing the messages transmitted by your keypad and learning the status of your alarm and, most importantly, your security PIN code.

CVE-2018-11399 – Unencrypted Sensor Transmissions

The SimpliSafe Entry Sensor (U9K-ES1000), KeyChain Remote (U9K-KR1), Motion Sensor (U9K-MS1000) and Water Detector (U9K-WT1000) have all been confirmed to use the same 433.92 MHz frequency and encoding methods as the SimpliSafe keypad (U9K-KP1000) described above under CVE-2018-11402.

Using a Software Defined Radio USB dongle and the popular RTL-SDR software “rtl_433” with a custom module, we were able to capture and decode in real time all messages sent to the base station, including the key data fields:

  • Sensor serial number
  • Command (Arm, Disarm, Panic) – KeyChain Remote
  • Status (Active/Open, Inactive/Closed) – Sensors

Update 5/19/18: The Stable Master Branch of rtl_433 now includes the SimpliSafe decoder module by default. To get rtl_433 visit their GitHub Repo located here – https://github.com/merbanan/rtl_433

Unlike the keypad, which appears to transmit quite a strong signal, the sensors appear to have a much weaker signal, which limits reception to approximately 50-75% of the distance at which a keypad could be received. It should be noted that sensors with new batteries showed the furthest signal propagation, while sensors with older batteries had the most limited range.

Exploiting this vulnerability, an attacker could (in most cases) remain on public property in a vehicle capturing the messages transmitted by your SimpliSafe sensors. This data can then be used to profile a home, alerting the would-be attacker to motion, doors opening and closing, and any other sensor alerts. Combined with the keypad vulnerability and a rudimentary amount of surveillance, this could allow the would-be attacker to identify optimal times to attempt to compromise your system.

CVE-2018-11401 – RF Interference Disables Alarm

The SimpliSafe system operates on the unlicensed ISM frequencies of 433.92 MHz (for transmissions to the base station) and 315 MHz (for base station to keypad status transmissions). The 433.92 MHz portion of the ISM band also falls within the amateur (ham) radio allocation of the 70 cm band. As a result, ham radio operators can and do legally transmit on these frequencies at much higher power (25-50 Watts), which, while they are transmitting, overwhelms the receiver of the base station and makes it impossible for it to hear the weaker signals of the sensors. It is akin to trying to whisper next to an extremely loud speaker.

While RF noise is not by itself a vulnerability, the fact that the base station does not report this noise to the monitoring center creates a scenario where an attacker could intentionally transmit noise on the receiver's frequency, making it impossible for it to hear the sensors, and thereby bypass the security system without the monitoring center becoming aware of a possible attack.
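As an added illustration (not SimpliSafe firmware, and not code from the original advisory), the following Python sketches the supervisory check the base station is described as lacking: measure the noise floor on the receive frequency and, when it stays elevated long enough to mask sensor traffic, raise a report the monitoring center can act on. The 1 Hz sampling, the -80 dBm threshold, the 20 s minimum duration and the sample readings are all constructed assumptions.

```python
"""Supervisory RF-noise check of the kind the advisory says the base station
lacks: sustained energy on the receive frequency is reported to the monitoring
center instead of silently swallowing the sensors' signals.

Added illustration, not SimpliSafe firmware. The 1 Hz sampling, the threshold
and the minimum duration are assumptions picked for the demonstration.
"""
from dataclasses import dataclass

NOISE_THRESHOLD_DBM = -80.0  # assumed: well above a quiet 433.92 MHz noise floor
SUSTAINED_SECONDS = 20.0     # assumed: shorter than the 30 s trip-to-report window cited in the advisory


@dataclass
class NoiseEvent:
    start: float     # seconds, first sample above threshold
    end: float       # seconds, last sample above threshold
    peak_dbm: float  # strongest reading during the run


def detect_jamming(samples, threshold=NOISE_THRESHOLD_DBM, min_duration=SUSTAINED_SECONDS):
    """samples: (t_seconds, noise_floor_dbm) pairs in time order.
    Returns one NoiseEvent per run of elevated noise lasting >= min_duration;
    short bursts (for example a nearby legitimate transmission) are ignored."""
    events = []
    run_start = None
    peak = float("-inf")
    prev_t = None

    def close_run(last_t):
        # Emit the run that just ended if it was long enough to matter.
        if run_start is not None and last_t - run_start >= min_duration:
            events.append(NoiseEvent(run_start, last_t, peak))

    for t, dbm in samples:
        if dbm >= threshold:
            if run_start is None:
                run_start, peak = t, dbm
            peak = max(peak, dbm)
        else:
            close_run(prev_t)
            run_start = None
        prev_t = t
    close_run(prev_t)  # a run still open at the end of the data
    return events


def constructed_samples():
    """Constructed 1 Hz noise-floor readings: quiet, a 2 s burst, then 40 s of sustained noise."""
    samples = []
    for t in range(120):
        level = -105.0
        if 30 <= t < 32:        # brief burst, e.g. a nearby legitimate transmission
            level = -60.0
        elif 60 <= t < 100:     # sustained high level that would deafen the receiver
            level = -55.0 + (t % 3)
        samples.append((float(t), level))
    return samples


def supervisory_messages(events):
    """Render events as the report the monitoring center should receive."""
    return [
        f"RF_NOISE start={e.start:.0f}s end={e.end:.0f}s "
        f"duration={e.end - e.start:.0f}s peak={e.peak_dbm:.1f}dBm"
        for e in events
    ]


if __name__ == "__main__":
    for msg in supervisory_messages(detect_jamming(constructed_samples())):
        print(msg)
```

The two-second burst is ignored while the forty-second run is reported. The check cannot tell a licensed operator from deliberate interference, and does not need to: the monitoring center needs to know the sensors were unhearable either way, and the reported duration gives it a basis for treating the event as a supervisory fault.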

CVE-2018-11400 – Base Station fails to detect tamper attempt

The SimpliSafe base station (U9K-BS1000) is the key gateway from the RF sensors to the monitoring center via a cellular connection. Breaking this unit's ability to relay messages from the sensors or keypad to the monitoring center effectively defeats the entire security system.

As has been demonstrated on YouTube by JaySecurity, the base station can easily be disabled within the typical 30-second timeout between a sensor trip and the transmission to the monitoring center by removing the battery and external power from the unit.

Furthermore, there is no tilt sensor to detect the unit being turned over to remove the batteries.

This attack vector could be used by itself or in combination with the RF noise to allow an attacker to disable SimpliSafe security monitoring.

Prior Works

As previously reported in February of 2016 by Dr. Zonenberg and Mr. Ossmann the SimpliSafe system relies heavily on the unlicensed ISM bands to allow the sensors to report status to the base unit and for the base unit to communicate back to the keypads. These communications are all UNENCRYPTED and sent in easily decoded plaintext transmissions.

Dr. Zonenberg found that, using modified SimpliSafe hardware and a PIC microcontroller, he could record and replay the transmissions from the legitimate SimpliSafe keypad, effectively allowing him to turn off the alarm without knowing the PIN code. While this attack is quite effective, it does require one to purchase a few hundred dollars of equipment and a level of engineering knowledge above that of a common intruder.

The write up by Dr. Zonenberg can be found here:

https://ioactive.com/remotely-disabling-a-wireless-burglar-alarm/
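The unencrypted keypad frame (CVE-2018-11402 above) and the record-and-replay attack Dr. Zonenberg demonstrated point at the same missing property: nothing in the transmission proves who sent it or that it was not sent before. The following added Python example, which is not SimpliSafe's or rtl_433's code, places a plaintext frame beside one protected by a per-device key and a message counter. The frame layout, DEVICE_KEY, TAG_LEN, the counter scheme and the serial and PIN values are constructed assumptions, not a description of the real protocol.

```python
"""Plaintext keypad frame beside an authenticated, replay-protected one.

Added illustration, not SimpliSafe's or rtl_433's code. The frame layout,
the shared device key, the tag length and the counter scheme are assumptions
for the demonstration and do not describe the real protocol.
"""
import hashlib
import hmac
import struct

# Constructed demo values: a secret shared by one keypad and its base station,
# and the PIN the base station has on file for that keypad.
DEVICE_KEY = bytes(range(32))
ENROLLED_PIN = "1234"
TAG_LEN = 8         # truncated HMAC-SHA256 tag (64 bits), plenty for a low-rate RF link
HEADER_LEN = 4 + 8  # 32-bit serial + 64-bit counter


def plaintext_frame(serial: int, command: str, pin: str) -> bytes:
    """The weak form: serial, command and PIN are readable by anyone who
    demodulates the burst, and nothing ties the frame to this sender."""
    return struct.pack(">I", serial) + f"{command},{pin}".encode()


def authenticated_frame(serial: int, counter: int, command: str, pin: str,
                        key: bytes = DEVICE_KEY) -> bytes:
    """Hardened form: the PIN never leaves the keypad. The tag proves the sender
    knows both the device key and the PIN; the counter defeats replay."""
    header = struct.pack(">IQ", serial, counter) + command.encode()
    tag = hmac.new(key, header + pin.encode(), hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class BaseStation:
    """Verifier: recompute the tag with the enrolled PIN and require a strictly
    increasing counter per keypad serial."""

    def __init__(self, key: bytes = DEVICE_KEY, pin: str = ENROLLED_PIN):
        self.key = key
        self.pin = pin
        self.last_counter = {}  # serial -> highest counter accepted so far

    def accept(self, frame: bytes):
        """Return (serial, command) for a valid frame, None otherwise."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None
        header, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + self.pin.encode(),
                            hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key, wrong PIN, or altered command
        serial, counter = struct.unpack(">IQ", header[:HEADER_LEN])
        if counter <= self.last_counter.get(serial, -1):
            return None  # replayed or reordered frame
        self.last_counter[serial] = counter
        return serial, header[HEADER_LEN:].decode()


def demo():
    """Exercise both forms; returns the observations the example is about."""
    serial = 0x0001A2B3  # constructed keypad serial
    weak = plaintext_frame(serial, "DISARM", ENROLLED_PIN)
    pin_in_the_clear = ENROLLED_PIN.encode() in weak

    base = BaseStation()
    good = authenticated_frame(serial, 1, "DISARM", ENROLLED_PIN)
    first = base.accept(good)      # accepted
    replayed = base.accept(good)   # same counter again: rejected
    wrong_pin = base.accept(authenticated_frame(serial, 2, "DISARM", "0000"))
    tampered = bytearray(authenticated_frame(serial, 3, "DISARM", ENROLLED_PIN))
    tampered[HEADER_LEN] ^= 0x01   # flip a bit in the command byte
    altered = base.accept(bytes(tampered))
    return pin_in_the_clear, first, replayed, wrong_pin, altered


if __name__ == "__main__":
    print(demo())
```

The keypad proves knowledge of the PIN without transmitting it, so someone who demodulates the frame learns the serial, counter and command but not the PIN, and a recorded frame is rejected once its counter has been seen. The command itself is still visible, so the status exposure described under CVE-2018-11399 would additionally need the body encrypted; that is left out here to keep the example to the standard library.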

As a follow-up to Dr. Zonenberg's research, Mr. Michael Ossmann of Great Scott Gadgets used a Software Defined Radio approach with the HackRF One and YARD Stick One devices to capture and analyze the signal, allowing him to isolate and decode the PIN code in real time. This approach could be carried out with only a $100 YARD Stick One (manufactured by Great Scott Gadgets) and a working knowledge of Python software development. Again, while this approach is significantly easier than Dr. Zonenberg's, it still requires a level of engineering knowledge above that of a common intruder.

The write up by Mr. Michael Ossmann can be found here:

https://greatscottgadgets.com/2016/02-19-low-cost-simplisafe-attacks/

SimpliSafe’s response to these researchers’ findings was published on its blog, located here:

https://simplisafe.com/blog/our-commitment-to-your-security

In their blog response they make several claims designed to engender consumer confidence by highlighting the unlikelihood of such an attack and the features of their system that help mitigate the risk. As a security researcher and a SimpliSafe customer myself, I was shocked that there were no changes to the SimpliSafe product from this disclosure in 2016 until January 2018, when SimpliSafe released new equipment that presumably closes this security hole. It should be noted, however, that at the time of writing the “SimpliSafe Original” is still widely sold and, according to SimpliSafe’s website, will continue to be available.

SimpliSafe Claim 1: The hack described is sophisticated and highly unlikely.

While Dr. Zonenberg’s path of modifying hardware and a custom PIC microcontroller would be both sophisticated and unlikely for a common intruder, his initial findings coupled with Mr Ossmann’s findings provided a sufficient starting point to develop a device handler for the popular Software Defined Radio (RTL-SDR) program “rtl_433”, which decodes common ISM band devices. This software can run on any common PC or Raspberry Pi using a relatively inexpensive SDR dongle (RTL2832U, ~$20 on Amazon). Once installed, the software allows even a fairly basic computer user to capture and decode the SimpliSafe sensor, keypad, key fob and base station transmissions. The data extracted includes the serial number, command or status, and the PIN code (in the case of keypad disarm requests).

Why does this matter?

For the low cost of $30 an attacker can set up a listening device which fits in his or her pocket and will receive the keypad transmissions from nearly 100 ft away without any issue. This gives them your PIN and also your arming and disarming habits.

This software effectively makes the attack vector quite simple to execute without prior electrical engineering or background in RF hacking.

SimpliSafe Recommendation 1: Change your pin regularly is a good security practice.

Changing your PIN is a good practice that everyone should follow; however, it needs to be done in a secure way. Changing your PIN from the keypad transmits the new PIN over the air in the clear, where it is just as easily recoverable with this software. Changing your PIN via the website or app is slightly more secure; however, the first time you use the new PIN it will become known to the attacker.

SimpliSafe Recommendation 2: Monitor notifications of your alarm being disarmed for any unexpected activity.

Unfortunately this requires customers to be on the higher-priced plan, which includes text message and application push notifications to alert the consumer. An attacker could simply keep arming and disarming the system remotely until the owner tires of the messages and starts ignoring them, as a matter of normal human behavior.
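One monitoring-side countermeasure to the notification fatigue described above is to recognise the cycling itself and send a single escalated alert for the whole burst rather than one message per toggle. The following added Python example (not SimpliSafe's monitoring logic) runs a sliding-window rate rule over a constructed arm/disarm log; the log format, the 10-minute window and the threshold of four state changes are assumptions for the demonstration.

```python
"""Collapse a burst of arm/disarm events into a single escalated alert.

The advisory points out that per-event notifications can be worn down by
repeatedly arming and disarming the system until the owner ignores them. A
monitoring rule that recognises the cycling itself is one countermeasure.
Added illustration, not SimpliSafe's monitoring logic; the log format, the
window and the threshold are constructed for the demonstration.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed event log in an assumed "ISO-8601 time, source, new state" format:
# a normal day, then six toggles in under four minutes overnight.
CONSTRUCTED_LOG = """\
2018-03-21T07:58:10 keypad ARM
2018-03-21T17:42:05 keypad DISARM
2018-03-21T23:10:00 keypad ARM
2018-03-22T02:14:00 keypad DISARM
2018-03-22T02:14:40 keypad ARM
2018-03-22T02:15:20 keypad DISARM
2018-03-22T02:16:05 keypad ARM
2018-03-22T02:16:50 keypad DISARM
2018-03-22T02:17:30 keypad ARM
2018-03-22T07:55:00 keypad DISARM
"""


def parse_log(text):
    """Return (timestamp, source, state) tuples in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, state = line.split()
        events.append((datetime.fromisoformat(ts), source, state))
    return events


def find_cycling(events, window=timedelta(minutes=10), threshold=4):
    """Sliding-window rate rule. A burst begins when `threshold` state changes
    fall within `window` and ends when the rate drops again; each burst yields
    exactly one (first_event, last_event, count) tuple."""
    recent = deque()          # timestamps inside the current window
    alerts = []
    burst_start = burst_last = None
    burst_count = 0
    for ts, _source, _state in events:
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if burst_start is None:
                burst_start, burst_count = recent[0], len(recent)
            else:
                burst_count += 1
            burst_last = ts
        elif burst_start is not None:
            alerts.append((burst_start, burst_last, burst_count))
            burst_start = None
    if burst_start is not None:   # burst still open at end of log
        alerts.append((burst_start, burst_last, burst_count))
    return alerts


def escalation_messages(alerts):
    """One message per burst, replacing the flood of per-toggle notifications."""
    return [
        f"ESCALATE: {count} arm/disarm changes between {start.isoformat()} and {end.isoformat()}"
        for start, end, count in alerts
    ]


if __name__ == "__main__":
    for msg in escalation_messages(find_cycling(parse_log(CONSTRUCTED_LOG))):
        print(msg)
```

The ordinary arm and disarm events earlier in the constructed log never reach the threshold, so they produce nothing; the overnight run produces one escalation covering all six changes. The owner receives a single message that reads differently from routine notifications, which is the point.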

SimpliSafe Recommendation 3: Take note of any suspicious person or unidentified equipment located very near to your home as you come and go, as the concern raised requires close proximity.

In our testing we found that a work truck with a simple ham radio mag-mount antenna, as shown below, was able to receive disarming sequences from between 60 and 100 feet away depending on the number of obstructions in the path.

Using a more specialized Yagi antenna concealed within the truck effectively doubled the range of the reception.

In either case an attacker could be off your property yet be receiving your very sensitive transmissions from your SimpliSafe system without your knowledge.