SimpliSafe Hack Exposes 300,000 Home Security Systems


The flaw could give a hacker complete control of the system, and a patch won’t fix it.

Researchers at IOActive, a security firm, announced the discovery of a major security flaw in yet another IoT device. This time it’s the SimpliSafe Home Security System.

According to a report in InfoSecurity Magazine, the SimpliSafe system uses a variety of sensors that communicate with each other via radio. While it’s marketed as a simpler and more secure alternative to traditional systems, the radio interface is not encrypted nor does it use any sort of authentication. A hacker could easily intercept the transmissions and record them, then use the signals to turn off the system whenever he or she likes.
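To show why a recorded transmission works against a link with no authentication, and what a replay-resistant design checks instead, here is an added example (not SimpliSafe's protocol or IOActive's code). The frame layout, command code, key and tag length are constructed assumptions, and the sketch covers authentication and replay protection only, not encryption.

```python
import hashlib
import hmac
import struct

# Constructed frame layout for illustration: device id (4 bytes), command (1), counter (4).
BODY = struct.Struct(">IBI")
TAG_LEN = 8          # truncated HMAC-SHA256 tag, an assumption sized for small radio frames
DISARM = 0x02        # hypothetical command code
KEY = b"constructed-per-device-demo-key"  # in practice provisioned at pairing, never sent

def static_frame(device_id: int, command: int) -> bytes:
    """Unauthenticated frame: the same bytes every time the command is sent."""
    return struct.pack(">IB", device_id, command)

def static_accept(frame: bytes, device_id: int) -> bool:
    """Receiver with no authentication: any well-formed frame is obeyed."""
    return len(frame) == 5 and struct.unpack(">IB", frame)[0] == device_id

def auth_frame(key: bytes, device_id: int, command: int, counter: int) -> bytes:
    """Frame carrying a monotonically increasing counter and a MAC over the body."""
    body = BODY.pack(device_id, command, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class AuthReceiver:
    def __init__(self, key: bytes, device_id: int):
        self.key, self.device_id = key, device_id
        self.last_counter = 0  # must be kept in non-volatile storage across resets

    def accept(self, frame: bytes) -> bool:
        if len(frame) != BODY.size + TAG_LEN:
            return False
        body, tag = frame[:BODY.size], frame[BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted frame
        device_id, _command, counter = BODY.unpack(body)
        if device_id != self.device_id or counter <= self.last_counter:
            return False                      # wrong device, or a replayed frame
        self.last_counter = counter
        return True

if __name__ == "__main__":
    old = static_frame(0x1234, DISARM)
    print("static, replayed:", static_accept(old, 0x1234), static_accept(old, 0x1234))
    rx = AuthReceiver(KEY, 0x1234)
    new = auth_frame(KEY, 0x1234, DISARM, 1)
    print("authenticated, replayed:", rx.accept(new), rx.accept(new))
```

The static receiver accepts the same bytes every time, while the authenticated receiver accepts a frame once and rejects its replay because the counter has not advanced.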

“We are seeing a growing trend where companies launching ‘internet of things’–enabled products to market either forget or choose to exclude security as part of the product’s design and development,” said IOActive researcher Andrew Zonenberg, in a blog post on the company’s site. “The end result is that these products can be easily compromised by hackers with malicious intentions in mind. This is particularly alarming when the products are intended and marketed for security purposes.”

In a report on its website, IOActive says all that is needed to hack the device is a SimpliSafe base station and keypad, along with a cheap microcontroller board, for a total investment of around $250. Then all a hacker has to do is place the device within 100 feet of the system to record the radio signals. IOActive says it has been trying to contact SimpliSafe about the issue since September but has been ignored.

No Software Updates

SimpliSafe shipped the system with microcontrollers that cannot be reprogrammed, so a patch isn’t going to work. That could leave more than 300,000 customers with SimpliSafe systems exposed. The company, however, has told Forbes that it is releasing hardware with a firmware update; that customers would be given a discount on the new hardware; and that owners of existing systems would be notified if the alarm were deactivated and could change PINs.

RTInsights Take: SimpliSafe isn’t the first home security system to be found less than secure. Last month researchers at Rapid7 announced that Comcast’s Xfinity Home Security system had a flaw that would allow an attacker to fool the system into thinking everything was normal and secured when it wasn’t. Rapid7 said Comcast is working with it to resolve the issue.

The flaw in SimpliSafe systems could have been avoided with smart IoT testing. When Tesla, for instance, discovered that its vehicles were riding too close to the ground, it sent out a software update rather than recalling vehicles. That’s an approach IoT companies will need to take or risk losing their investments and alienating customers.


Sue Walsh

About Sue Walsh

Sue Walsh is a freelance writer and social media manager living in New York City. Her specialties include tech, security and e-commerce. You can follow her on Twitter at @girlfridaygeek.
