As security researchers turn their attention to the vulnerabilities in connected devices, they may have overlooked a simple ’90s-era attack that could make over 200,000 homeowners in the US vulnerable to thieves with a $250 gadget.
SimpliSafe was touted as a wireless alarm system that’s cheaper than a traditional system and easily installed, even by most consumers. It’s also claimed to be used in over 200,000 homes.
While looking for modern attacks, however, security experts overlooked a simple replay exploit that was common in the 1990s and was used to wreak havoc on garage doors.
The attack is a simple one that intercepts and records the unlock codes as they’re transmitted over the air. To thwart this, garage door openers started using a rolling code, which sends a different code each time it’s used.
The exploit, which was originally reported by Andrew Zonenberg, a security researcher with IOActive, takes advantage of the same weakness with a readily available device that “sniffs” for incoming 433 MHz radio traffic and captures the PIN packets sent by SimpliSafe keypads as they are used.
Recovering the actual PIN used to communicate between the keypad and base station isn’t necessary, as the intercepted packet can be replayed in whole because there’s no cryptographic authentication between the two SimpliSafe devices.
The attacker would then wait until the homeowner was away and replay the recorded packet to the base station, which disarms the alarm.
Unfortunately for SimpliSafe, and its customers, there isn’t a fix for this.
The system would have to be removed and replaced with one that authenticates traffic between the base station and keypad, so that the base accepts only trusted, fresh signals.
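To make the rolling-code and authentication points concrete, here is an added example (not SimpliSafe’s protocol and not IOActive’s code) that simulates both designs in Python. The packet layout, the shared key, the PIN and the class names are all constructed for illustration: an unauthenticated keypad whose captured packet disarms the base again when resent, beside a keypad that tags every packet with a strictly increasing counter and an HMAC, which the base verifies and refuses to accept twice.

```python
import hashlib
import hmac
import struct

DISARM = 0x01
TAG_LEN = 8           # truncated HMAC-SHA256 tag; 64 bits is ample for a link-layer check
HEADER_FMT = ">IB4s"  # counter (uint32), command (uint8), PIN (4 ASCII bytes); constructed format
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 9 bytes

# Constructed values for this example only; a real product provisions a key per base/keypad pair.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PIN = b"1234"


class PlainKeypad:
    """Keypad that sends the command and PIN as-is: whatever is captured can simply be resent."""
    def disarm_packet(self, pin: bytes) -> bytes:
        return bytes([DISARM]) + pin


class PlainBase:
    """Base that trusts any packet carrying the right PIN, with no freshness or origin check."""
    def __init__(self, pin: bytes):
        self.pin = pin
        self.armed = True

    def receive(self, packet: bytes) -> bool:
        if packet[:1] == bytes([DISARM]) and hmac.compare_digest(packet[1:], self.pin):
            self.armed = False
            return True
        return False


class AuthKeypad:
    """Keypad that tags each packet with a strictly increasing counter and an HMAC over the header."""
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0  # must be persisted across power cycles in a real device

    def disarm_packet(self, pin: bytes) -> bytes:
        self.counter += 1
        header = struct.pack(HEADER_FMT, self.counter, DISARM, pin)
        tag = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        return header + tag


class AuthBase:
    """Base that verifies the tag first, then rejects any counter it has already accepted."""
    def __init__(self, key: bytes, pin: bytes):
        self.key = key
        self.pin = pin
        self.last_counter = 0
        self.armed = True

    def receive(self, packet: bytes) -> bool:
        if len(packet) != HEADER_LEN + TAG_LEN:
            return False
        header, tag = packet[:HEADER_LEN], packet[HEADER_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted packet
        counter, command, pin = struct.unpack(HEADER_FMT, header)
        if counter <= self.last_counter:
            return False                      # replay of a packet already accepted
        self.last_counter = counter           # advance only after the tag has checked out
        if command == DISARM and hmac.compare_digest(pin, self.pin):
            self.armed = False
            return True
        return False


def run_scenario(keypad, base):
    """Send one legitimate disarm, re-arm, then resend the captured packet; return the outcome."""
    captured = keypad.disarm_packet(PIN)      # the bytes a 433 MHz sniffer would have recorded
    legit_ok = base.receive(captured)
    base.armed = True                         # homeowner arms the system again later
    replay_ok = base.receive(captured)        # the recorded packet is sent a second time
    return legit_ok, replay_ok, base.armed


def plain_result():
    """Unauthenticated design: (legitimate accepted, replay accepted, still armed)."""
    return run_scenario(PlainKeypad(), PlainBase(PIN))


def authenticated_result():
    """Counter + HMAC design: the replay is refused and the system stays armed."""
    return run_scenario(AuthKeypad(SHARED_KEY), AuthBase(SHARED_KEY, PIN))


if __name__ == "__main__":
    print("unauthenticated:", plain_result())         # (True, True, False)
    print("authenticated:  ", authenticated_result())  # (True, False, True)
```

The two checks in `AuthBase.receive` are deliberately ordered: the tag is verified before the counter is read, so an attacker cannot advance the base’s counter with a forged header, and `last_counter` only moves after a valid packet. The counter is strictly increasing rather than exact so that a packet lost over the air does not desynchronise the pair; this example authenticates the packet but does not encrypt it, so a complete design would also hide the PIN on the wire.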