Hopelessly broken wireless burglar alarm lets intruders go undetected

Enlarge (credit: SimpliSafe.com)

A security system used in more than 200,000 homes has an unfixable flaw that allows tech-savvy burglars to disarm the alarm from as far away as a few hundred feet.

The wireless home security system from SimpliSafe is marketed as costing less than competing ones and being easier to install, since it doesn’t use wires for one component to communicate with another. But according to Andrew Zonenberg, a researcher with security firm IOActive, the system’s keypad uses the same personal identification number with no encryption each time it sends a message to the main base station. That opens the system to what’s known as a replay attack, in which an attacker records the authentication code sent by the valid keypad and then recycles it when sending rogue commands transmitted over the same radio frequency.

“Unfortunately, there is no easy workaround for the issue since the keypad happily sends unencrypted PINs out to anyone listening,” Zonenberg wrote in a blog post published Wednesday. “Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol. However, this is not an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable. This means that field upgrades of existing systems are not possible; all existing keypads and base stations will need to be replaced.”