Reverse Engineering the SimpliSafe Wireless Burglar Alarm
SimpliSafe is a home security system that relies on wireless radio communications between its various sensors and control panels. They claim that their system is installed in over 300,000 homes in North America. Unfortunately for SimpliSafe, earlier this week Dr. Andrew Zonenberg of IOActive Labs published an article showing how easy it is for an attacker to remotely disable their system. By using a logic analyser he was able to fairly easily reverse engineer enough of the protocol to discover which packets were the “PIN entered” packets. He then created a small electronic device out of a microcontroller that would passively listen for the PIN entered packet, save the packet into RAM, and then replay it on demand, disarming the alarm.
A few days later Micheal Ossmann (wireless security researcher and creator of the HackRF SDR and YardStick One) decided to have a go at this himself, using a YARD Stick One and a HackRF SDR. First he used the HackRF to record some packets to analyze the transmission. From the analysis he determined that the protocol was an Amplitude Shift Keying (ASK) encoded signal. With this and some other information he got from the recorded signal, he could then use his Yardstick One to instantly decode the raw symbols transmitted by the keypad and perform a replay attack if he wanted to.
Next, instead of doing a capture and replay attack like Andrew did, Micheal decided to take it further and actually decode the packets. This took him a few hours but it turned out to not be too difficult. Now he is able to recover the actual PIN number entered by a home owner from a distance without having to do any transmitting. With the right antenna someone could be gathering 100’s of PINs over a distance of many miles. Also, an expensive radio is not required, Micheal notes that the gathering of PIN numbers could just as easily be done on a cheap $10-$20 RTL-SDR dongle.
Micheal notes that the SimpliSafe alarm seems to lack even the most basic cryptographic protection, and that this is a problem that is seen all too often in wireless alarm systems. Rightly so, Micheal and Andrew are not publishing their code, although it seems that anyone with some basic knowledge could repeat their results.