THE SIDEBAR: MARC WEBER TOBIAS

SimpliSafe WIRELESS ALARM SYSTEM: An Analysis of Security Vulnerabilities

INTRODUCTION

The SimpliSafe alarm package is a totally wireless system that can detect and transmit an intrusion, fire, or environmental alarm to a 24-hour monitoring center via a cellular connection. For many homeowners and renters, the system is all that is necessary to provide cost-effective detection, and it competes with the more expensive and traditional alarm reporting companies, such as ADT.

SimpliSafe is similar to, but more sophisticated than, the LaserShield system, which we also demonstrated could be easily defeated, initially in 2008, in an article on Engadget, and then again in 2015.

These are DIY systems and can be easily installed by consumers. However, in our view, they are not secure, and their adequacy depends upon the perceived threats that a homeowner may face. That means that if burglars are at all knowledgeable as to methods of system attacks, the hardware can be defeated and entry into a residence accomplished without tripping the alarm. Before buying such systems, homeowners should assess the potential for knowledgeable thieves to bypass their systems.

This report is written in conjunction with an article by the author in Forbes.com, and also an article on this site about LaserShield, with video showing how to defeat their system.

VIDEO SEGMENTS

NORMAL OPERATION OF THE SYSTEM

DEFEAT OF THE SYSTEM

DEFEAT OF THE MAGNETIC TRIPS IN THE SIMPLISAFE SYSTEM

SIMPLISAFE GATEWAY

A communications gateway receives signals from all of the wireless trips within the system and then processes that information through the wireless keypad. If an alarm is detected, that will be instantly transmitted to the 24/7 monitoring center via a cellular broadband connection, using Verizon as a carrier. Phone lines can be used as a backup but are not necessary for the system to function.

The gateway also announces alarm status when placed in test mode, so the homeowner can verify that all trips are working properly. The system can be programmed, via the web interface, to send email or text messages for alarms and unusual occurrences, such as radio interference which could be affecting the proper operation of the system.

The gateway is battery backed up and will run for at least 24 hours in the event of a power failure.

The SimpliSafe system can be armed and disarmed with the provided key fob, which can also transmit a panic alarm.

SIMPLISAFE SYSTEM

The SimpliSafe system is supplied with a variety of different alarm sensors. Shown is the entry level kit that was used for testing of the system for this report. It includes a wireless keypad, a motion sensor, a magnetic door trip, and a key fob combination on/off control and panic button. More expensive SimpliSafe systems contain smoke detectors, carbon monoxide detectors and other alarm sensors.

MOTION SENSOR THAT HAS BEEN BYPASSED WITH A PIECE OF PAPER

One or more motion sensors are supplied with all systems from SimpliSafe. Shown in the photographs is a standard sensor, and one that has been covered with a white mailing label. The effect of this action is to block any recognition of motion, thereby defeating the sensor completely. This means, for example, that a visitor to the home or business could unobtrusively place a piece of paper over the detector to defeat it later when the alarm is set.

The sensor can be blocked because of the failure to incorporate anti-masking software or hardware so that the system can determine whether the infrared element within the motion sensor is obstructed. In the more sophisticated alarm systems, blocking of the sensor should not be possible. In our tests, we defeated the sensor with paper, and also by pointing it at a solid object such as a wall, in the case where, for example, the detector was simply placed on a shelf, rather than hard-mounted.

This fact was never detected by the system.

INTERNAL CONSTRUCTION OF THE MAGNETIC TRIP

Magnetic trips are based upon simple reed switch technology, are not secure, and can be easily defeated by magnets, as shown in the video.

Kids and burglars have figured out how to circumvent the system by placing a small magnet next to the trip, which blocks the detection of the absence or the removal of the normal magnetic field that occurs when the door is opened.

Parents in Florida have found that after setting the alarm at night, their kids figured out the way to defeat the system and sneak out at night without setting off the alarm. Likewise, burglars can place very small magnets next to the door trip during business hours within a commercial facility, and then enter after hours. If no other detectors are in place for the protected area, then the door trips will not trigger an alarm.

The magnet that we used in the demonstration cost about $.25 at Home Depot. We placed it against the SimpliSafe trip with a piece of Scotch tape.

REED SWITCH WITHIN THE MAGNETIC TRIP

These photographs show the critical element in all non-high security magnetic trips: a reed switch. This is a sealed glass envelope that contains two closely spaced metal leaves. They are normally biased by a magnetic field which causes them to touch each other and complete an electrical circuit. If the field is interrupted, the two leaves will separate and break the circuit, thereby triggering an alarm. We do not recommend the conventional reed switch magnetic trip for any significant security application because of the ease with which it can be defeated.

SECURITY VULNERABILITIES WITH WIRELESS SYSTEMS

Wireless systems like SimpliSafe and LaserShield can be easily defeated with an inexpensive transmitter, programmed to the operating frequency of the alarm system. If the transmitter is keyed, the receiver in the gateway unit will be blinded and will not detect any signal that is transmitted by the trips within the system.

In our tests of LaserShield and SimpliSafe, we were able to completely defeat these systems by keying a transmitter during our entry into the protected premises. In the case of SimpliSafe, the system detected the transmission after a predetermined period of time, which was easy for us to determine and defeat.

If the transmitter was keyed continually past this timing window that was set by SimpliSafe, a text message would be sent to the homeowner, advising of the detection of RF interference, and when such interference stopped. However, we could totally defeat this timing window and move through the protected premises without tripping any alarm, and without the system ever knowing we were there. This is a fatal flaw within these types of systems, as shown in the accompanying video.

The security problem results from several factors, including a lack of “supervision” of the wireless trips. Normally, the trips communicate an alarm condition by a one-way transmission to the gateway. Presently, there is no method for the gateway to constantly interrogate all of the trips in the system to determine their operational status. When the gateway is receiving a radio signal from such a transmitter, it will not see the transmissions from the individual trips, and thus, no alarm will be detected.
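What supervision means on the gateway side, as an added sketch that is not SimpliSafe's firmware and not code from this report: every trip is expected to check in periodically, and a trip that goes silent raises an event instead of being read as "no alarm". The check-in interval, miss limit, sensor names, event names and the timeline are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

SUPERVISION_INTERVAL_S = 60   # assumed: each trip checks in once a minute
MISSED_LIMIT = 3              # assumed: consecutive missed check-ins tolerated

@dataclass
class Gateway:
    sensors: dict = field(default_factory=dict)   # sensor id -> time of last check-in
    armed: bool = False

    def enroll(self, sensor_id, now):
        self.sensors[sensor_id] = now

    def on_checkin(self, sensor_id, now):
        """Record a supervision (heartbeat) message from an enrolled trip."""
        if sensor_id in self.sensors:
            self.sensors[sensor_id] = now

    def poll(self, now):
        """Return (sensor_id, event) pairs for every trip that has gone silent."""
        deadline = SUPERVISION_INTERVAL_S * MISSED_LIMIT
        events = []
        for sid, last in sorted(self.sensors.items()):
            if now - last > deadline:
                # Silence is never "all quiet": armed -> alarm, disarmed -> trouble.
                kind = "ALARM_SUPERVISION_LOSS" if self.armed else "TROUBLE_SENSOR_SILENT"
                events.append((sid, kind))
        return events

def first_fault_time(silent_from, armed=True, horizon=600, step=10):
    """Constructed timeline: two trips check in until the gateway stops hearing them."""
    gw = Gateway(armed=armed)
    for sid in ("door-1", "motion-1"):
        gw.enroll(sid, 0)
    for now in range(0, horizon + 1, step):
        if now < silent_from and now % SUPERVISION_INTERVAL_S == 0:
            for sid in gw.sensors:
                gw.on_checkin(sid, now)
        events = gw.poll(now)
        if events:
            return now, events
    return None, []

if __name__ == "__main__":
    print(first_fault_time(silent_from=120))
```

A one-way, unsupervised gateway has no equivalent of poll(): when it hears nothing, it reports nothing.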

Compounding the problem: the operating frequencies of all of these wireless systems can be easily found on the FCC database on the Internet. It should be noted that even the latest home automation devices, also linked by wireless, can be defeated in similar fashion, or with radio jammers, which are illegal but are sold commercially.

CONCLUSION

In our view, all security systems should have hard-wired perimeter door trips which cannot be defeated by the transmission of radio frequency (RF) energy. Otherwise, these systems are vulnerable to attack. Unfortunately, even the largest alarm providers are using wireless because of the ease of installation. SimpliSafe has no way to integrate any hardwired trips, nor to connect to already installed alarm systems.

Unless the trips are two way and supervised, this is a prescription for insecurity. We tried contacting ADT repeatedly to discuss this matter, but they refused to return any calls.

When selecting an alarm system, it all comes down to what the consumer needs and expects with regard to an acceptable level of security. The SimpliSafe system is a good value to provide minimal protection for premises where wiring is impossible, and the homeowner wants some protection with minimal cost, without the necessity of contracts with an alarm company, and without the need for connection to a telephone line. SimpliSafe offers a viable solution, with several very clever enhancements, especially using their web interface. But all users must be aware of the potential security vulnerabilities that are inherent with such systems.

“Simply Safe” does not necessarily mean a high level of security. Clearly, the system is very simple and straightforward to install and operate. Each consumer must make a determination as to whether the methods of attack that we have demonstrated would be of concern. If they are not, then for many consumers, the system should provide adequate protection. The problem is that thieves may target premises protected with these kinds of wireless systems, especially when a homeowner advertises the use of an alarm by placing stickers on windows or doors or even in front of the residence, as shown in the photograph.

VIDEO SEGMENTS

SimpliSafe alarm system normal setup

Bypass of the SimpliSafe system with electronic countermeasures

Bypass of the wireless magnetic trip used by SimpliSafe
