301.519.9237 exdirector@nesaus.org

7.19 – The Veerge – By 

This flaw means you won’t be notified of a break-in,

SimpliSafe’s latest home security system can apparently be fooled by an affordable wireless emitter that mimics the frequency of its door and window contact sensors. The YouTube channel LockPickingLawyer posted a video demonstrating how it can be done, and, unfortunately, it looks very easy to do — as easy as pressing a button to make sure an alarm won’t go off when someone breaks into a house.

The host explains that SimpliSafe’s sensors communicate with the base on the 433.92MHz frequency, which is very popular among other consumer electronics, like garage door openers, baby monitors, and more. Most of those products aren’t powerful enough to interfere with SimpliSafe’s system, but a $2 emitter apparently is.

When one of these sensors is normally tripped, the system will initiate the alarm process. But as the video demonstrates, a powerful-enough emitter can block out that process, meaning that the base won’t receive a signal when, say, pushing open a door. It seems like this cheap, easy-to-acquire device is powerful enough to override what the sensor is communicating to the base.

SimpliSafe disputes that the device is vulnerable, telling The Verge that its base station isn’t actually fooled when the sensors are overwhelmed with wireless interference in this way — the company says that they should proactively send an alert to your phone when it detects interference. In fact, SimpliSafe claims the LockPickingLawyer is deliberately showing us an unusual and unlikely scenario where it’s possible to get through with a $2 device.

Here’s the company’s full statement:

The video is misleading, and it doesn’t apply to how security systems work in real life.

As the video demonstrates, SimpliSafe systems are engineered to detect this kind of interference.

In this video, the videomaker finds a precise frequency, signal strength, and orientation of system components in which they can thread the needle of blocking system communication without triggering an alert.

In real life, this is unlikely. Because signal strength degrades unpredictably depending on distance and landscape, it would be very difficult for anyone to hit on the “right” strength without triggering an alert.

In addition, the setup the videomaker demonstrates (in which the sensors, base, keypad and “jammer” are all close together) does not resemble the setup of an actual home. In other words, prior knowledge of the layout of the motion sensors, door sensors and base station in the customers home and a rehearsal of how to move about the home would be necessary to confidently select a strength that will both jam and not be detected. In order for a real bad actor to effectively interfere with the system in this way, they would likely have to already be inside the home and have had ample practice.

We take very seriously anything that might interfere with our mission of keeping every home secure. We have the ability to tune the detection parameters and regularly release security and usability updates, making it increasingly difficult for anyone to use this type of attack.

But speaking to The Verge, the LockPickingLawyer says he didn’t have to tune the $2 device in any way to get it to reliably bypass the alarm system — it did that right out of the box, and though it sometimes triggered an interference notification, it never triggered an alarm.

“The farthest from the base station I tested was about 60 feet (through two walls), and it worked the same as shown in my video,” he writes, when asked about SimpliSafe’s accusation that it wouldn’t work in a real life scenario where the sensors are spread out further apart.

He continues:

SimpliSafe takes issue with the system components being arranged close together during the video. That was a necessity of filmmaking, not a physical limit of the exploit. In my testing, I carried sensors away from the base station to the far reaches of my home, then conducted the same tests with the same device and obtained the same results. If anything, testing at realistic distances showed a more significant problem insofar as the SimpliSafe system was less likely to detect the interference.

SimpliSafe’s other criticism is that someone would need prior knowledge of the system’s arrangement to avoid the detection of interference. The company is attacking a straw man. What is necessary to avoid detection of this exploit was outside the scope of my testing. In fact, my video explicitly notes that SimpliSafe may detect the interference. Detection of interference, however, never triggered an alarm in my testing. It only sent an “alert” that the resident may or may not investigate. As such, my video specifically advised owners of this system to take these alerts seriously regardless of how many prior alerts they’ve received as a result of non-malicious interference. It’s also important to note that if the system owner doesn’t have security cameras with which to investigate, the alert is of very limited usefulness. This is why I recommend the system be used in conjunction with security cameras.

We’re still waiting for comment from other alarm companies, and we will continue to update this post once we hear back.

Update, August 7th at 11:50PM ET: Added comment from the LockPickingLawyer, in response to SimpliSafe.