Hogg · 10 years ago
I did a similar project with Simplisafe, but I went the SDR route and figured out their protocol, so I can forge sensor/keypad messages or decode PIN entries from keypads. (I'm in contact with the IOActive researcher, Andrew, to share this information.) It was a fun learning experience. My original goal was to just get the damn system to reach my detached garage (which is about 25 feet from my house).

In his blog post, Andrew said he didn't bother to reverse-engineer the protocol because if you can replay a "disarm" command with the correct PIN, that's everything you need. That's probably true, but it could also profit an attacker to record someone's PIN in case they use it for other things. And depending on the limits of the Simplisafe base station, you could potentially brute-force a "disarm" from every possible device ID - most likely, you'll eventually use the ID of a keyfob associated with the system, so it will disarm. Then you'd have control without the user ever entering their PIN.

These things are largely academic, I think. It's been known for a while that you can just jam the system by transmitting at 433MHz while you kick down the doors or whatever. Very cool anyway.

On the other hand, now I can build my own sensors and add them to my system, if I want. Or build a repeater so I can finally have a keypad in my garage. :)

tptacek · 10 years ago
Can you write more about how you reversed the RF protocol? I'd really like to hear more about it. I've noticed that virtually all major published vuln research targeting RF systems like this starts by hijacking an endpoint and turning it into a modem.

I think there are a lot of people interested in learning more about the process of attacking RF systems from an SDR.

Hogg · 10 years ago
I'd like to, but I'm not sure how to proceed. I don't know if I should try notifying Simplisafe, and/or give people more time to get rid of the system. I also don't have a good way to publish - I don't have a personal website or anything. Any suggestions?
rubidium · 10 years ago
I'm glad places like IOActive exist. Reading up on their procedure (http://www.ioactive.com/pdfs/IOActive_Advisory_SimpliSafe-Re...), they gave the vendor 5 months to even respond before posting this. All in all a much better process than a "hacker" posting it to his blog because a company didn't respond to his email the day before.

There's no such thing as perfect security via alarm. However, if a company refuses to even respond to someone reporting a vulnerability, then the public should be informed.

As a simplisafe customer, I will be contacting them and demanding a fix to this vulnerability or full refund.

gruez · 10 years ago
>All in all a much better process than a "hacker" posting it to his blog because a company didn't respond to his email the day before.

I've actually never seen this happen.

joshstrange · 10 years ago
Same here, in fact I'm often blown away by the timelines at the bottoms of reports like this. Not in a "they should have released this sooner" type of way but more of a "wow, they were extremely patient with this vendor after numerous delays and all out of the goodness of their hearts". It would be just as easy for these researchers to say "hmm interesting" and never alert the vendor or publish the findings.
uremog · 10 years ago
That and it's a very nice report to read. Very understandable.
creeble · 10 years ago
I'm very interested in this space. Had a "break-in" at my storage/office warehouse recently, and my camera-based alarm system failed me. It really wouldn't have mattered because it was a smash-and-grab that was over before the cops could have responded anyway.

I think the basic problem most alarm systems have is that wireless systems are generally vulnerable, and wired systems are an order of magnitude more difficult/expensive to install. I don't think there is a straightforward solution to this problem.

The Simplisafe vulnerability is still considerably difficult for an average burglar to use. I would be fairly surprised that any burglar would use it, as there are so many more attack vectors that could be exploited.

ekimekim · 10 years ago
Forgive my naivety (and I'm fully aware of IT people's tendency to declare all other fields "easy" and "why don't you just"), but why wouldn't the following work?

* Wireless system

* Active heartbeats saying "no alarm", with proper crypto (eg. signed message which contains a monotonic sequence number)

* If the sensor detects a problem, it sends an alarm message

* If the sensor is jammed and "no alarm" heartbeats can't get through, it's treated as an alarm.

The only unavoidable problem I can see would be that someone with a jammer could always jam your signal to generate alarms on demand.

superuser2 · 10 years ago
1) An attacker (/ RF noise) can induce false alarms frequently enough that you no longer take the alarm seriously.

2) Can I get the crypto keys you're relying on by buying the hardware myself and dumping the firmware? What about by ripping an exterior sensor off the wall? What about by social engineering you into giving me an invoice with the serial number on it?

3) What happens if I power-cycle your building? Do the sequence numbers start over?

4) How are you going to communicate the alarm condition to anyone who can help? If I cut your phone/internet lines? If I bring a cell phone jammer?

Not an expert either, but I remember a fascinating chapter of a security engineering textbook from HN years ago talking about what goes into the design of robust alarm systems. The process is largely driven by the high-end valuables insurance industry, which has standards/certifications for the alarms you must buy to enjoy their protection. I'll see if I can dig it up.

Wireless isn't inherently impossible to secure, but it must be done very carefully.
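As an added illustration of the design ekimekim sketches above (signed "no alarm" heartbeats carrying a monotonic counter, silence treated as an alarm) and of superuser2's third question (what happens to the sequence numbers after a power cycle), here is a small Python model. It is example code written for this thread, not code from SimpliSafe, IOActive, or any commenter. Everything in it is constructed: the sensor ID, the pre-shared key, the message layout, the timeout values, and the `nvram` dictionary that stands in for a sensor's non-volatile storage. The power-cycle problem is handled by keeping a persisted epoch counter that the sensor bumps on every boot, so the base station compares `(epoch, seq)` pairs rather than bare sequence numbers; dropped heartbeats are tolerated because only a strictly increasing pair is required, not a contiguous one.

```python
import hashlib
import hmac
import struct

# Constructed values for the example: one sensor and one pre-shared 32-byte key.
# A real deployment provisions a distinct key per sensor at pairing time.
SENSOR_ID = b"front-door-01".ljust(16, b"\x00")
KEY = bytes(range(32))
HEARTBEAT_PERIOD = 10.0          # seconds between "no alarm" heartbeats
TIMEOUT = 3 * HEARTBEAT_PERIOD   # silence longer than this is treated as an alarm
STATUS_OK, STATUS_ALARM = 0, 1
HEADER = struct.Struct(">16sIIB")  # sensor_id, epoch, seq, status (assumed layout)
TAG_LEN = 32                       # HMAC-SHA256 output


def _tag(key, header):
    """Authentication tag over the whole header (id, epoch, seq, status)."""
    return hmac.new(key, header, hashlib.sha256).digest()


class Sensor:
    """Emits signed heartbeats. `epoch` lives in simulated non-volatile storage
    and is bumped on every power cycle, so `seq` may restart at 0 without the
    base station mistaking the new messages for replays."""

    def __init__(self, sensor_id, key, nvram):
        self.sensor_id, self.key, self.nvram = sensor_id, key, nvram
        self.seq = 0
        self.power_cycle()

    def power_cycle(self):
        self.nvram["epoch"] = self.nvram.get("epoch", 0) + 1  # persisted across reboots
        self.seq = 0

    def emit(self, status=STATUS_OK):
        self.seq += 1
        header = HEADER.pack(self.sensor_id, self.nvram["epoch"], self.seq, status)
        return header + _tag(self.key, header)


class BaseStation:
    """Verifies tags, rejects replays and stale epochs, and alarms on silence."""

    def __init__(self, keys):
        self.keys = keys    # sensor_id -> key, filled in at provisioning
        self.state = {}     # sensor_id -> (epoch, seq, last_seen)

    def receive(self, msg, now):
        if len(msg) != HEADER.size + TAG_LEN:
            return "rejected"
        header, tag = msg[:HEADER.size], msg[HEADER.size:]
        sensor_id, epoch, seq, status = HEADER.unpack(header)
        key = self.keys.get(sensor_id)
        if key is None or not hmac.compare_digest(_tag(key, header), tag):
            return "rejected"   # unknown sensor, or a forged/modified message
        last_epoch, last_seq, _ = self.state.get(sensor_id, (0, 0, now))
        if (epoch, seq) <= (last_epoch, last_seq):
            return "rejected"   # replayed message, or one from before a power cycle
        self.state[sensor_id] = (epoch, seq, now)
        return "alarm" if status == STATUS_ALARM else "ok"

    def silent_sensors(self, now):
        """Sensors whose heartbeats stopped arriving (jammed, dead, or removed)."""
        return [sid for sid, (_, _, seen) in self.state.items() if now - seen > TIMEOUT]


def demo():
    """Walk through the cases the thread raises; returns a dict of outcomes."""
    nvram = {}
    sensor = Sensor(SENSOR_ID, KEY, nvram)
    base = BaseStation({SENSOR_ID: KEY})
    results = {}
    hb = sensor.emit()
    results["first"] = base.receive(hb, now=0.0)                      # "ok"
    results["replay"] = base.receive(hb, now=5.0)                     # "rejected"
    tampered = hb[:-1] + bytes([hb[-1] ^ 1])                          # flip a tag bit
    results["tampered"] = base.receive(tampered, now=5.0)             # "rejected"
    results["alarm"] = base.receive(sensor.emit(STATUS_ALARM), now=10.0)  # "alarm"
    results["silence"] = base.silent_sensors(now=50.0)                # [SENSOR_ID]
    sensor.power_cycle()                                              # seq restarts, epoch -> 2
    results["after_reboot"] = base.receive(sensor.emit(), now=60.0)   # "ok"
    results["stale_epoch"] = base.receive(hb, now=61.0)               # "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>13}: {outcome}")
```

What the model does not solve is the point both commenters make about jamming: a jammer still produces an alarm on demand, because silence and sabotage are indistinguishable to the base station. The epoch also has to survive in storage the attacker cannot roll back, and key extraction from a sensor pulled off the wall (superuser2's second question) is out of scope for a pre-shared-key scheme like this one.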

jessaustin · 10 years ago
I think we need more detail here concerning how sensors would get provisioned and (especially) de-provisioned. Also aren't many sensors on battery power? If so, battery failure mustn't trip the system-wide alarm.

The DOS with a jammer seems like less of an issue. Sure it's a fun prank, but police seem to respond aggressively to that sort of prank.

vvanders · 10 years ago
Part of the problem is that Renter's/Homeowner's insurance won't pay out if there's no signs of a "forced entry". Cases like above would mean that insurance wouldn't cover anything lost.
lerxst · 10 years ago
This is exactly why I put a different security alarm system sign in my yard than the one that's actually installed. Unfortunately, there are probably many homeowners who put SimpliSafe stickers in their windows letting anyone passing by know their home is vulnerable to this attack.
rcurry · 10 years ago
When I was a kid, my dad didn't want to spend money on an alarm system so he just added that magnetic glass breakage tape around all the first floor windows and installed a metal panel with a locking cover plate and a series of blinking LEDs on the front and back doors. It looked really authentic, and it seemed to work - other houses in our neighborhood got burgled once in a while, but ours was the only one with those scary red lights blinking back and forth on all the doors.
mentat · 10 years ago
It's not like you couldn't just wardrive for this.
verytrivial · 10 years ago
I see SimpliSafe Inc raised $57M in 2014[1]. I imagine there is now a rather intense conference call on today's calendar.

[1] http://www.betaboston.com/news/2014/05/21/simplisafe-raises-...

hacym · 10 years ago
I am a SimpliSafe customer, and I emailed them about this. Here is the response:

"Thanks for writing in. As our systems use wireless technology, there is an understandable concern over the potential to hack or jam our signal.

Much of it comes from a certain video online that fails to depict the equipment used or the number of attempts made to compromise that signal. While any wireless system is susceptible to this type of attack from a sufficiently savvy and motivated intruder, our systems can be backed up with a land line or an internet connection for no additional cost.

Also, this type of attack represents such a small percentage of total break-ins that the FBI does not even keep a count. This is because the majority of break-ins are a quick forced entry and not the sophisticated type of attack that requires diligent planning as well as highly illegal and cost-prohibitive equipment.

Assuming an intruder has the requisite technology, he would need to know the frequency ranges he needs to jam, and also know the layout of your home beforehand, as he would have to avoid motion detectors even in the unlikely event that he bypassed a door sensor.

Furthermore, our systems use a proprietary algorithm that helps the system distinguish between everyday interference from nearby household electronics, and unusual, possibly targeted interference. Our interactive monitoring plan for $24.99/month can be set up to notify you if your system detects abnormal RF interference.

Ultimately, no system is impenetrable, and it would be unfair for us or any company to tell you otherwise, but SimpliSafe has measures in place to protect you against this type of intrusion, and with the likelihood of cellular jamming being as slim as it is, the odds are more than in your favor."

Note they are trying to sell me on their most expensive plan and that they never mentioned the attack that is referenced in the article (which I linked to).

Time to look into a new company.

dsiegel2275 · 10 years ago
I am selling my house and literally five minutes ago just got off the phone with my realtor telling her to make a counter offer to a buyer and to include in the counter offer that our security system isn't included. We had intended to take our SimpliSafe security system to our new house.

Now I read this.

0xdeadbeefbabe · 10 years ago
Bah. It's still better than nothing.
xenadu02 · 10 years ago
Are there any non-garbage home security systems?
kefka · 10 years ago
Yes, there's a full machine-learning stack you can buy. Has auto-mapping, heuristics, active listening, voice commands, and can easily move from room to room. Also equipped with weapons platform to deter people who shouldn't be there.

A dog.

Xylakant · 10 years ago
I own a dog, and I can tell you that the machine-learning features are generally overrated. It tends to learn what you don't want it to learn and tends to forget about the things you want it to learn. It's also high-maintenance and can't be left alone for extended periods of time. It's also vulnerable to a "replay offer steak" attack. (12/10 for enriching my life, would do again)
brandon272 · 10 years ago
Produces a lot of organic waste though.
drone · 10 years ago
It depends on what one means by "garbage", but I've found that hard-wired systems (i.e. wires for all sensors) backed by something like the standard Honeywell Ademco Vista series attached to a real cellular uplink work most reliably. We use them at home and at our business, and for what a home security system is supposed to do (make noise when an intrusion occurs and send a signal out so that you know about it) it's the most reliable setup I've ever used. (Not to mention, it provides a ton of options for "hacking" your system to your needs.)

Just, whatever you do, do NOT let some crazy internet-connected service, like XFinity Home hook up to it. All of your reliability goes out the window the second they hook up their stupid takeover devices.

bcook · 10 years ago
Honeywell was the brand back when I installed security systems. Ancient (analog modem, iirc) interfaces, but quite dependable.
Someone1234 · 10 years ago
I do not believe so. Perhaps commercial grade stuff? But in the consumer space, it is all overpriced and "bad."

But consumer electronics are generally insecure: garage doors, baby monitors, electronic door locks, even cars historically.

They all ultimately rely on security through obscurity because convenience sells. Nobody wants their garage to lock them out because the clocks got misaligned, or to have to firmware-update the clicker because the encryption protocol from the 1990s is trivially broken.

Frequency hopping would be more common, but many consumer electronics only utilise two frequencies because that is all that is allocated. So that is out. And while they could use fixed key encryption (e.g. serial number), it doesn't defend against a replay attack (and if defence is added, like a counter, it can break the system in a number of fun ways (e.g. batteries running out, signals being lost, cross-device interference, etc)).

brandon272 · 10 years ago
I did a lot of research on this a while back and concluded that, no, there don't appear to be. I was hoping that Nest, despite some of their shortcomings, would try to tackle this market. Seemed like a more obvious market for them to move into, as opposed to smoke alarms.
dpeck · 10 years ago
Dropcam had plans to go towards that, but seems they were squashed with the acquisition.
throwaway21816 · 10 years ago
You could make one. A bunch of ESP8266 modules connecting back to a Raspberry Pi via SSL with a strict sensor timeout would mitigate the Comcast alarm style bypasses. As for a remote, key fobs are so 1990s! Connect your smart phone using an app.

Ta-da! A custom alarm system that doesn't suck.

throwaway21816 · 10 years ago
To add to this: https://www.sparkfun.com/products/13285 + https://www.sparkfun.com/products/13247 + https://www.sparkfun.com/products/8653 + https://www.sparkfun.com/products/13120

You now have 99% of the security offered by an alarm system, go buy an ADT yard sign from Amazon and you have 99.9%

rubidium · 10 years ago
You're missing the security of calling the cops. Your system won't have that. Noise-makers are the "easy" part of security (they sell off the shelf ones for pretty cheap, no need for homemade).