It’s not unusual to hear of vulnerabilities in smart-home security systems these days, as security researchers turn their attention to the Internet of Things. It’s worrying, though, when a modern security system turns out to be vulnerable to a so-called replay attack, the kind of thing that worked against garage door openers back in the 1990s.
The latest example is SimpliSafe, a wireless alarm system that’s marketed as cheaper and easier to install than traditional wired home security systems. Its manufacturer claims that the system is used in over 200,000 homes in the U.S.
According to Andrew Zonenberg, a researcher with security consultancy firm IOActive, attackers can easily disable SimpliSafe alarms from up to 30 meters away, using a device that costs around $250 to create a replay attack.
SimpliSafe has two main components, a keypad and a base station, that communicate with each using radio signals. The base station also listens for incoming signals from a variety of sensors.
Zonenberg found that the confirmation signal sent by the keypad to the base station when the correct PIN is entered can be sniffed and then later played back to disarm the system. Recovering the actual PIN is not necessary, since the “PIN entered” packet can be replayed as a whole.
This is possible because there is no cryptographic authentication between the keypad and the base station.
To pull off the attack, Zonenberg bought a SimpliSafe key pad and base station and then soldered a generic microcontroller board to them. With a few hundred lines of C code the gadget can listen for incoming 433 MHz radio traffic and capture “PIN entered” packets from other SimpliSafe key pads located within 100 feet.
When the owner of a real SimpliSafe system enters the correct PIN, a device like Zonenberg’s that’s hidden in its vicinity will capture the confirmation packet and will store it in memory. The attacker can use the device to resend the packet to the base station at a later time, for example when the home owner is away. This will disarm the alarm.
[“source -cncb”]