Houses of over 300,000 individuals in danger due to a flaw in SimpliSafe home alarm system
● Hackers can gain full access to the system and disable the alarm.
● The system could be exploited to harvest customer PINs and conduct burglaries.
A wireless home alarm system is meant to protect your home smartly, but this so-called ‘Smart Technology’ can be useless if hackers can actually get into your house without your knowledge. One such case related to home security hacks has come into the limelight due to a flaw in SimpliSafe Alarm.
The SimpliSafe security home alarm system which is used by more than 300,000 customers in the United States can easily be hacked by attackers. They can not only gain full access to the alarm but can also disable the security system, thus jeopardizing the safety of the house and resulting in unauthorized intrusion and thefts.
Well, the flip side of this security issue is that there is no workaround for this SimpliSafe hack fix!
Andrew Zonenberg, a senior security consultant at IOActive, who discovered the issue, said that this SimpliSafe security system can be exploited to harvest customer PINs and turn alarms off even at a distance of up to 200 yards away. He stated that the SimpliSafe hack can be executed by anyone using basic hardware and software of worth $50 to $250.
To quote Zonenberg on the alarming aspects of home security hacks: “1) It exists within a ‘security product’ that is trusted to secure over a million homes; 2) It enables an attacker to completely own the system (i.e., disable it, change PIN codes, etc.), and; 3) many unsuspecting consumers prominently display window and yards signs promoting their use of this system...essentially self-identifying their home as a viable target for an attacker.”
Since the SimpliSafe hack home alarm system uses unencrypted communication over the air, attackers loitering around the home could sniff the unencrypted PIN messages using some radio equipment. These unencrypted messages are the ones that are transferred from a keypad to the alarm control box.
The attackers can then record this PIN code on the microcontroller and later use the same to manipulate with the SimpliSafe security system. They can use the code to disable the alarm and carry out burglaries when the owner is not at home.
Moreover, the attacker could use this SimpliSafe hack fix to send spoofed alarms in an attempt to fool the owner, making them think that someone has broken into the house, which is actually not the case.
"Unfortunately, there's no easy workaround for the issue since the keypad happily sends unencrypted PINs out to anyone listening," Zonenberg said referring to the SimpliSafe hack fix.
"Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol, but this isn't an option for the affected SimpliSafe security system because the microcontrollers in currently shipped hardware are one-time programmable."
Soon after the discovery of the issue, Zonenberg tried contacting the manufacturers for several times so that they could release some SimpliSafe hack fix. But, the providers failed to respond to the issue, following which the report has been forwarded to US-CERT.