The home security system market is a large one, with dozens of companies vying for your attention. Some have higher monthly fees than others, which is one way that SimpliSafe stands out from the crowd. After purchasing equipment, you can pay as little as $14.99 a month.
Unfortunately, saving in monthly fees may end up costing you more in the long run. An encryption flaw in the system makes it possible for a tech-savvy burglar to gain access to your home without sounding the alarm. With over 200,000 homes in the United States using a SimpliSafe system, this one little flaw has the potential to cause real problems for people all across the country.
Exactly how does this flaw leave consumers vulnerable? It works like this:
The system’s keypad transmits a personal identification code every time it sends a message to the main base station. The trouble is, this code never changes, and the SimpliSafe system doesn’t use encryption technology to keep the code secure.
Because the code isn’t encrypted, a hacker can simply record the code, then use it over and over again to command the system to do whatever he wants. This is easier than it sounds, since the recording device can be hidden up to a few hundred feet away from the home and retrieved later. This is known as a replay attack. In some ways, it’s very similar to the problems that have been experienced by credit card users, which is why the credit industry is in the process of updating its technology to EMV cards.
In most cases, an update would be all that’s needed to fix the problem. The trouble is, updating the SimpliSafe system isn’t a possibility. Andrew Zonenberg, a contributor to IOActive, says, “Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol. However, this is not an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable. This means that field upgrades of existing systems are not possible; all existing keypads and base stations will need to be replaced.”
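The difference between a base station that trusts an unchanging code and one that uses the kind of fix Zonenberg names (adding cryptography to the protocol) can be modeled in a few lines. This is an added example, not SimpliSafe's protocol or code from the original article; the frame layout, PIN, shared key and class names are constructed assumptions.

```python
import hmac, hashlib, struct

# Constructed values for illustration; not SimpliSafe's real frame format.
PIN = b"4821"
SHARED_KEY = b"constructed-demo-key-0123456789"  # set at pairing (assumption)


class StaticCodeBase:
    """Models the flaw: accepts any frame carrying the unchanging PIN."""

    def handle(self, frame: bytes) -> bool:
        return frame == b"DISARM:" + PIN


class AuthenticatedBase:
    """Hardened model: frames carry a counter and an HMAC; no PIN on the air."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def handle(self, frame: bytes) -> bool:
        if len(frame) != 7 + 8 + 32:  # command + counter + SHA-256 tag
            return False
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        command, counter = body[:7], struct.unpack(">Q", body[7:])[0]
        if counter <= self.last_counter:
            return False  # stale counter: a replayed recording
        self.last_counter = counter
        return command == b"DISARM:"


def keypad_frame(key: bytes, counter: int) -> bytes:
    """Keypad side of the hardened model: command + counter + HMAC tag."""
    body = b"DISARM:" + struct.pack(">Q", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def replay_results():
    """Deliver one recorded frame twice to each base; return the outcomes."""
    weak, strong = StaticCodeBase(), AuthenticatedBase(SHARED_KEY)
    recorded_weak = b"DISARM:" + PIN
    recorded_strong = keypad_frame(SHARED_KEY, 1)
    return ([weak.handle(recorded_weak), weak.handle(recorded_weak)],
            [strong.handle(recorded_strong), strong.handle(recorded_strong)])
```

The static-code base accepts the same recording every time, while the authenticated base accepts a frame once and rejects the identical bytes afterwards because the counter has not advanced.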
A representative from SimpliSafe responds, “While any wireless system is susceptible to this type of attack from a sufficiently savvy and motivated intruder, our systems can be backed up with a land line or an internet connection for no additional cost. Also, this type of attack represents such a small percentage of total break-ins that the FBI does not even keep a count. This is because the majority of break-ins are a quick forced entry and not the sophisticated type of attack that requires diligent planning as well as highly illegal and cost-prohibitive equipment. Assuming an intruder has the requisite technology, he would need to know the frequency ranges he needs to jam, and also know the layout of your home beforehand, as he would have to avoid motion detectors even in the unlikely event that he bypassed a door sensor.”
They do have a point. Hacking the system requires an investment of about $250 in commodity hardware in order to get started. It’s also going to take quite a bit of knowledge on the hacker’s part, and most burglars are just looking for some easy cash. The question is, do you want to take the risk?