I did a lot of research on this a while back and concluded that, no, there don't appear to be. I was hoping that Nest, despite some of their shortcomings, would try to tackle this market. Seemed like a more obvious market for them to move into, as opposed to smoke alarms.
You could make one. A bunch of ESP8266 modules connecting back to a rasberrypi via SSL with a strict sensor timeout would mitigate the comcast alarm style bypasses. As for a remote, key fobs are so 1990s! Connect your smart phone using an app.
You're missing the security of calling the cops. Your system won't have that. Noise-makers are the "easy" part of security (they sell off the shelf ones for pretty cheap, no need for homemade).
Yep, that is the difficult piece. It would be nice if there was company that does that for consumers. Essentially DIY security system + A company that a consumer can sign up for monitoring the alerts and calling cops etc. A cheap cell phone plan would also be needed as well.
Calling the cops really does no good depending on where you live. I had a false alarm a few years back while I was away from home. Three hours later and about an hour after I had returned home, an officer came by to check on the alarm.
No, I had never had any false alarms prior to this one. I live in a moderately sized suburb, not Detroit.
I do not believe so. Perhaps commerical grade stuff? But in the consumer space, it is all overpriced and "bad."
But consumer electronics are generally insecure: garage doors, baby monitors, electronic door locks, even cars historically.
They all ultimately rely on security through obscurity because convenience sells. Nobody wants their garage to lock them out because the clocks got misaligned, or firmware update the clicker because the encryption protocol from the 1990s is trivially broken.
Frequency hopping would be more common, but many consumer electronics only utilise two frequencies because that is all that is allocated. So that is out. And while they could use fixed key encryption (e.g. serial number), it doesn't defend against a replay attack (and if defence is added, like a counter, it can break the system in a number of fun ways (e.g. batteries running out, signals being lost, cross-device interference, etc)).
It depends on what one means by "garbage", but I've found that hard-wired systems (i.e. wires for all sensors) backed by something like the standard Honeywell Ademco Vista series attached to a real cellular uplink works most reliably. We use them at home and at business, and for what a home security system is supposed to do (make noise when an intrusion occurs and send a signal out so that you know about it) its the most reliable setup I've ever used. (Not to mention, provides a ton of options for "hacking" your system to your needs.)
Just, whatever you do, do NOT let some crazy internet-connected service, like XFinity Home hook up to it. All of your reliability goes out the window the second they hook up their stupid takeover devices.
Yes, there's a full machine-learning stack you can buy. Has auto-mapping, heuristics, active listening, voice commands, and can easily move from room to room. Also equipped with weapons platform to deter people who shouldn't be there.
I own a dog, and I can tell you that the machine-learning features are generally overrated. It tends to learn what you don't want it to learn and tends to forget about the things you want it to learn. It's also high-maintenance and can't be left alone for extended periods of time. It's also vulnerable to a "replay offer steak" attack. (12/10 for enriching my life, would do again)
I am selling my house and literally five minutes ago just got off the phone with my realtor telling her to make a counter offer to a buyer and to include in the counter offer that our security system isn't included. We have intended on taking our SimpliSafe security system to our new house.
I'm glad places like IOActive exist. Reading up on their procedure (http://www.ioactive.com/pdfs/IOActive_Advisory_SimpliSafe-Re...), they gave the vendor 5 months to even respond before posting this. All and all a much better process than a "hacker" posting it to his blog because a company didn't respond to his email the day before.
There's no such thing as perfect security via alarm. However, if a company refuses to even respond to someone reporting a vulnerability, then the public should be informed.
As a simplisafe customer, I will be contacting them and demanding a fix to this vulnerability or full refund.
Same here, in fact I'm often blown away but the timelines at the bottoms of reports like this. Not in a "they should have released this sooner" type of way but more of a "wow, they were extremely patient with this vendor after numerous delays and all out of the goodness of their hearts". It would be just as easy for these researchers to say say "hmm interesting" and never alert the vendor or publish the findings.
This is exactly why I put a different security alarm system sign in my yard than the one that's actually installed. Unfortunately, there are probably many homeowners who put SimpliSafe stickers in their windows letting anyone passing by know their home is vulnerable to this attack.
When I was a kid, my dad didn't want to spend money on an alarm system so he just added that magnetic glass breakage tape around all the first floor windows and installed a metal panel with a locking cover plate and a series of blinking LEDS on the front and back doors. It looked really authentic, and it seemed to work - other houses in our neighborhood got burgled once in a while, but ours was the only one with those scary red lights blinking back and forth on all the doors.
I'm very interested in this space. Had a "break-in" at my storage/office warehouse recently, and my camera-based alarm system failed me. It really wouldn't have mattered because it was a smash-and-grab that was over before the cops could have responded anyway.
I think the basic problem most alarm systems have is that wireless systems are generally vulnerable, and wired systems are an order of magnitude more difficult/expensive to install. I don't think there is a straightforward solution to this problem.
The Simplisafe vulnerability is still considerably difficult for an average burglar to use. I would be fairly surprised that any burglar would use it, as there are so many more attack vectors that could be exploited.
Forgive my naivety (and I'm fully aware of IT people's tendency to declare all other fields "easy" and "why don't you just"), but why wouldn't the following work?
* Wireless system
* Active heartbeats saying "no alarm", with proper crypto (eg. signed message which contains a monotonic sequence number)
* If the sensor detects a problem, it sends an alarm message
* If the sensor is jammed and "no alarm" heartbeats can't get through, it's treated as an alarm.
The only unavoidable problem I can see would be that someone with a jammer could always jam your signal to generate alarms on demand.
I think we need more detail here concerning how sensors would get provisioned and (especially) de-provisioned. Also aren't many sensors on battery power? If so, battery failure mustn't trip the system-wide alarm.
The DOS with a jammer seems like less of an issue. Sure it's a fun prank, but police seem to respond aggressively to that sort of prank.
1) An attacker (/ RF noise) can induce false alarms frequently enough that you no longer take the alarm seriously.
2) Can I get the crypto keys you're relying on by buying the hardware myself and dumping the firmware? What about by ripping an exterior sensor off the wall? What about by social engineering you into giving me an invoice with the serial number on it?
3) What happens if I power-cycle your building? Do the sequence numbers start over?
4) How are you going to communicate the alarm condition to anyone who can help? If I cut your phone/internet lines? If I bring a cell phone jammer?
Not an expert either, but I remember a fascinating chapter of a security engineering textbook from HN years ago talking about what goes into the design of robust alarm systems. The process is largely driven by the high-end valuables insurance industry, which has standards/certifications for the alarms you must buy to enjoy their protection. I'll see if I can dig it up.
Wireless isn't inherently impossible to secure, but it must be done very carefully.
Part of the problem is that Renter's/Homeowner's insurance won't pay out if there's no signs of a "forced entry". Cases like above would mean that insurance wouldn't cover anything lost.
I did a similar project with Simplisafe, but I went the SDR route and figured out their protocol, so I can forge sensor/keypad messages or decode PIN entries from keypads. (I'm in contact with the IOActive researcher, Andrew, to share this information.) It was a fun learning experience. My original goal was to just get the damn system to reach my detached garage (which is about 25 feet from my house).
In his blog post, Andrew said he didn't bother to reverse-engineer the protocol because if you can replay a "disarm" command with the correct PIN, that's everything you need. That's probably true, but it could also profit an attacker to record someone's PIN in case they use it for other things. And depending on the limits of the Simplisafe base station, you could potentially brute-force a "disarm" from every possible device ID - most likely, you'll eventually use the ID of a keyfob associated with the system, so it will disarm. Then you'd have control without the user ever entering their PIN.
These things are largely academic, I think. It's been known for a while that you can just jam the system by transmitting at 433MHz while you kick down the doors or whatever. Very cool anyway.
On the other hand, now I can build my own sensors and add them to my system, if I want. Or build a repeater so I can finally have a keypad in my garage. :)
Can you write more about how you reversed the RF protocol? I'd really like to hear more about it. I've noticed that virtually all major published vuln research targeting RF systems like this starts by hijacking and endpoint and turning it into a modem.
I think there are a lot of people interested in learning more about the process of attacking RF systems from an SDR.
I'd like to, but I'm not sure how to proceed. I don't know if I should try notifying Simplisafe, and/or give people more time to get rid of the system. I also don't have a good way to publish - I don't have a personal website or anything. Any suggestions?
Well, not that I want to steal your thunder or anything (I don't think I can: no matter how many times you write this, it will be interesting) but how about just start here?
What SDR did you use?
Did you reverse the hardware or the software on the endpoints to figure out how to configure the SDR?
Oh! I was thinking of a much more detailed writeup. I actually didn't reverse any hardware or software; I guess this was a SIGINT-only effort. Parts of my approach were inefficient or redundant, but that's because I knew next to nothing about radio, SDR, etc. when I started. I basically found out that SDRs exist and thought they sounded cool, and decided to try to use one to see what I could see around my house. In brief:
Like Andrew, I looked up the FCC ID to find the right frequency for Simplisafe. I used a RTL2832 USB device ($25, from Amazon) and SDRSharp on Windows to record the signals. I used Audacity to look at the raw recordings and figure out that it was on-off keying, with a pulse length of about 5 microseconds.
I fed those raw recordings into a Gnuradio program I built (on Kali - I had trouble setting it up on Ubuntu so I gave up and just used a Kali image). I realize now that Gnuradio can interface directly with an SDR, but at the time, I already had all the recordings saved, so I just worked with those. I wanted to use Gnuradio's fancy clock sync module to convert the pulses directly to symbols, but I couldn't get it to work. So I used a threshold detector instead, with a rate limiter, so the output consisted of strings about 120 1s or 0s per pulse. I wrote a Python script to convert those into a text representation with just a single 1 or 0 for each pulse.
It was easy enough to identify a preamble that comes with each transmission, and then most of my effort went into comparing like transmissions from different devices (e.g. "door open" from my three door sensors), or different messages from the same device (e.g. "door open" vs. "door closed" from the same sensor). If their encoding scheme is a standard or well-known one, I certainly wasn't able to find it. It took a lot of frustrating dead-ends to finally figure it out.
With that done, I wrote more Python code to decode a recorded transmission, or put together a transmission representing any device ID I want, any message I want, etc. I used an Arduino and a cheap 433MHz transmitter/receiver device ($5 from Amazon) to send my transmission, and my base station heard and acknowledged it. I haven't done much more with it since then.
It does illustrate (duh) that by not encrypting their wireless coms, their system is vulnerable to straightforward reverse-engineering of the RF protocol.
It also illustrates that this vector isn't much of a threat for your average burglar.
However, between the two threats, it wouldn't take a genius entrepre-thief to make a simple device and sell it to thieves (like the ones that exist for some cars).
In general, people are not going to get rid of systems. SimpliSafe is $15 a month after equipment. For some, it's the only security system they can afford, or it's as much as they want to spend on it (disclaimer: me).
So one way you can help their security is
1) Don't publicize easy to follow step-by-step ways of how to do this. There's a big difference between disclosing a security issue and giving non-technical people an easy way to bypass a security system. The fact that a security weakness is known and publicized doesn't help xx% of thieves who don't have the resources to implement it. It does help the aware customer to make changes to their security and demand a fix from the vendor.
2) Responsibly disclose to Simplisafe like the linked post did is best. If they don't respond, then post what you were able to do in a similar manner. Going through ioactive would be a great idea as they're familiar with this process.
1 sounds like security by obscurity and it sounds like prevent information being made public knowledge that should impact customers' choices and might lead to better locking down the system. While the ideal rational consumer would be just as impacted by a standard disclosure, I've never met an ideal rational consumer. People will be much more aware if you can show them a web page that gives a step by step guide how to destroy their security system.
To give a comparison, consider all the NSA spying leaks and then consider that show host (John Oliver I believe) who went around asking people questions in a way that made them much more informed of what the implications of spying was, and in doing so changed their reaction.
Home security seems like one of those spaces where it's hard to be disruptive. By that, I mean Christensen's definition of offering a solution that would be judged "not good enough" by the existing market, in order to attract new customers at a lower price point.
Given the SDR hack described above, it seems they barely even tried to make the thing secure.
I guess anybody wanting to sell wireless IOT stuff better be advertising how their device pairing is robust or be getting heaps of criticism.
(I think it must be possible to robustly pair devices, I would be interested in discussion of why it wouldn't be possible, and in discussion of user friendly ways to do it)
I am a SimpliSafe customer, and I emailed them about this. Here is the response:
"Thanks for writing in. As our systems use wireless technology, there is an understandable concern over the potential to hack or jam our signal.
Much of it comes from a certain video online that fails to depict the equipment used or the number of attempts made to compromise that signal. While any wireless system is susceptible to this type of attack from a sufficiently savvy and motivated intruder, our systems can be backed up with with a land line or an internet connection for no additional cost.
Also, this type of attack represents such a small percentage of total break-ins that the FBI does not even keep a count. This is because the majority of break-ins are a quick forced entry and not the sophisticated type of attack that requires diligent planning as well as highly illegal and cost-prohibitive equipment.
Assuming an intruder has the requisite technology, he would need to know the frequency ranges he needs to jam, and also know the layout of your home beforehand, as he would have to avoid motion detectors even in the unlikely event that he bypassed a door sensor.
Furthermore, our systems use a proprietary algorithm that helps the system distinguish between everyday interference from nearby household electronics, and unusual, possibly targeted interference. Our interactive monitoring plan for $24.99/month can be set up to notify you if your system detects abnormal RF interference.
Ultimately, no system is impenetrable, and it would be unfair for us or any company to tell you otherwise, but SimpliSafe has measures in place to protect you against this type of intrusion, and with the likelihood of cellular jamming being as slim as it is, the odds are more than in your favor."
Note they are trying to sell me on their most expensive plan and that they never mentioned the attack that is referenced in the article (which I linked to)."
46 comments
[ 4.3 ms ] story [ 101 ms ] threadTa-da! A custom alarm system that doesnt suck.
You now have 99% of the security offered by an alarm system, go buy an ADT yard sign from Amazon and you have 99.9%
The utility of calling cops is vastly over-rated in most parts of the United States due to police response times being slow.
No, I had never had any false alarms prior to this one. I live in a moderately sized suburb, not Detroit.
But consumer electronics are generally insecure: garage doors, baby monitors, electronic door locks, even cars historically.
They all ultimately rely on security through obscurity because convenience sells. Nobody wants their garage to lock them out because the clocks got misaligned, or firmware update the clicker because the encryption protocol from the 1990s is trivially broken.
Frequency hopping would be more common, but many consumer electronics only utilise two frequencies because that is all that is allocated. So that is out. And while they could use fixed key encryption (e.g. serial number), it doesn't defend against a replay attack (and if defence is added, like a counter, it can break the system in a number of fun ways (e.g. batteries running out, signals being lost, cross-device interference, etc)).
Just, whatever you do, do NOT let some crazy internet-connected service, like XFinity Home hook up to it. All of your reliability goes out the window the second they hook up their stupid takeover devices.
A dog.
Now I read this.
There's no such thing as perfect security via alarm. However, if a company refuses to even respond to someone reporting a vulnerability, then the public should be informed.
As a simplisafe customer, I will be contacting them and demanding a fix to this vulnerability or full refund.
I actually never seen this happen.
I think the basic problem most alarm systems have is that wireless systems are generally vulnerable, and wired systems are an order of magnitude more difficult/expensive to install. I don't think there is a straightforward solution to this problem.
The Simplisafe vulnerability is still considerably difficult for an average burglar to use. I would be fairly surprised that any burglar would use it, as there are so many more attack vectors that could be exploited.
* Wireless system
* Active heartbeats saying "no alarm", with proper crypto (eg. signed message which contains a monotonic sequence number)
* If the sensor detects a problem, it sends an alarm message
* If the sensor is jammed and "no alarm" heartbeats can't get through, it's treated as an alarm.
The only unavoidable problem I can see would be that someone with a jammer could always jam your signal to generate alarms on demand.
The DOS with a jammer seems like less of an issue. Sure it's a fun prank, but police seem to respond aggressively to that sort of prank.
2) Can I get the crypto keys you're relying on by buying the hardware myself and dumping the firmware? What about by ripping an exterior sensor off the wall? What about by social engineering you into giving me an invoice with the serial number on it?
3) What happens if I power-cycle your building? Do the sequence numbers start over?
4) How are you going to communicate the alarm condition to anyone who can help? If I cut your phone/internet lines? If I bring a cell phone jammer?
Not an expert either, but I remember a fascinating chapter of a security engineering textbook from HN years ago talking about what goes into the design of robust alarm systems. The process is largely driven by the high-end valuables insurance industry, which has standards/certifications for the alarms you must buy to enjoy their protection. I'll see if I can dig it up.
Wireless isn't inherently impossible to secure, but it must be done very carefully.
In his blog post, Andrew said he didn't bother to reverse-engineer the protocol because if you can replay a "disarm" command with the correct PIN, that's everything you need. That's probably true, but it could also profit an attacker to record someone's PIN in case they use it for other things. And depending on the limits of the Simplisafe base station, you could potentially brute-force a "disarm" from every possible device ID - most likely, you'll eventually use the ID of a keyfob associated with the system, so it will disarm. Then you'd have control without the user ever entering their PIN.
These things are largely academic, I think. It's been known for a while that you can just jam the system by transmitting at 433MHz while you kick down the doors or whatever. Very cool anyway.
On the other hand, now I can build my own sensors and add them to my system, if I want. Or build a repeater so I can finally have a keypad in my garage. :)
I think there are a lot of people interested in learning more about the process of attacking RF systems from an SDR.
What SDR did you use?
Did you reverse the hardware or the software on the endpoints to figure out how to configure the SDR?
How did you get started with this?
What other tooling did you have?
Like Andrew, I looked up the FCC ID to find the right frequency for Simplisafe. I used a RTL2832 USB device ($25, from Amazon) and SDRSharp on Windows to record the signals. I used Audacity to look at the raw recordings and figure out that it was on-off keying, with a pulse length of about 5 microseconds.
I fed those raw recordings into a Gnuradio program I built (on Kali - I had trouble setting it up on Ubuntu so I gave up and just used a Kali image). I realize now that Gnuradio can interface directly with an SDR, but at the time, I already had all the recordings saved, so I just worked with those. I wanted to use Gnuradio's fancy clock sync module to convert the pulses directly to symbols, but I couldn't get it to work. So I used a threshold detector instead, with a rate limiter, so the output consisted of strings about 120 1s or 0s per pulse. I wrote a Python script to convert those into a text representation with just a single 1 or 0 for each pulse.
It was easy enough to identify a preamble that comes with each transmission, and then most of my effort went into comparing like transmissions from different devices (e.g. "door open" from my three door sensors), or different messages from the same device (e.g. "door open" vs. "door closed" from the same sensor). If their encoding scheme is a standard or well-known one, I certainly wasn't able to find it. It took a lot of frustrating dead-ends to finally figure it out.
With that done, I wrote more Python code to decode a recorded transmission, or put together a transmission representing any device ID I want, any message I want, etc. I used an Arduino and a cheap 433MHz transmitter/receiver device ($5 from Amazon) to send my transmission, and my base station heard and acknowledged it. I haven't done much more with it since then.
It does illustrate (duh) that by not encrypting their wireless coms, their system is vulnerable to straightforward reverse-engineering of the RF protocol.
It also illustrates that this vector isn't much of a threat for your average burglar.
However, between the two threats, it wouldn't take a genius entrepre-thief to make a simple device and sell it to thieves (like the ones that exist for some cars).
A million customers someone said?
So one way you can help their security is
1) Don't publicize easy to follow step-by-step ways of how to do this. There's a big difference between disclosing a security issue and giving non-technical people an easy way to bypass a security system. The fact that a security weakness is known and publicized doesn't help xx% of thieves who don't have the resources to implement it. It does help the aware customer to make changes to their security and demand a fix from the vendor.
2) Responsibly disclose to Simplisafe like the linked post did is best. If they don't respond, then post what you were able to do in a similar manner. Going through ioactive would be a great idea as they're familiar with this process.
To give a comparison, consider all the NSA spying leaks and then consider that show host (John Oliver I believe) who went around asking people questions in a way that made them much more informed of what the implications of spying was, and in doing so changed their reaction.
Alternative is using github pages with something like jekyll.
I guess anybody wanting to sell wireless IOT stuff better be advertising how their device pairing is robust or be getting heaps of criticism.
(I think it must be possible to robustly pair devices, I would be interested in discussion of why it wouldn't be possible, and in discussion of user friendly ways to do it)
[1] http://www.betaboston.com/news/2014/05/21/simplisafe-raises-...
"Thanks for writing in. As our systems use wireless technology, there is an understandable concern over the potential to hack or jam our signal.
Much of it comes from a certain video online that fails to depict the equipment used or the number of attempts made to compromise that signal. While any wireless system is susceptible to this type of attack from a sufficiently savvy and motivated intruder, our systems can be backed up with with a land line or an internet connection for no additional cost.
Also, this type of attack represents such a small percentage of total break-ins that the FBI does not even keep a count. This is because the majority of break-ins are a quick forced entry and not the sophisticated type of attack that requires diligent planning as well as highly illegal and cost-prohibitive equipment.
Assuming an intruder has the requisite technology, he would need to know the frequency ranges he needs to jam, and also know the layout of your home beforehand, as he would have to avoid motion detectors even in the unlikely event that he bypassed a door sensor.
Furthermore, our systems use a proprietary algorithm that helps the system distinguish between everyday interference from nearby household electronics, and unusual, possibly targeted interference. Our interactive monitoring plan for $24.99/month can be set up to notify you if your system detects abnormal RF interference.
Ultimately, no system is impenetrable, and it would be unfair for us or any company to tell you otherwise, but SimpliSafe has measures in place to protect you against this type of intrusion, and with the likelihood of cellular jamming being as slim as it is, the odds are more than in your favor."
Note they are trying to sell me on their most expensive plan and that they never mentioned the attack that is referenced in the article (which I linked to)."
Time to look into a new company.