clock menu more-arrow no yes

Filed under:

SimpliSafe’s home security system can be compromised by a $2 wireless emitter

New, 26 comments

This flaw means you won’t be notified of a break-in

Photo by Dan Seifert / The Verge

SimpliSafe’s latest home security system can apparently be fooled by an affordable wireless emitter that mimics the frequency of its door and window contact sensors. The YouTube channel LockPickingLawyer posted a video demonstrating how it can be done, and, unfortunately, it looks very easy to do — as easy as pressing a button to make sure an alarm won’t go off when someone breaks into a house.

The host explains that SimpliSafe’s sensors communicate with the base on the 433.92MHz frequency, which is very popular among other consumer electronics, like garage door openers, baby monitors, and more. Most of those products aren’t powerful enough to interfere with SimpliSafe’s system, but a $2 emitter apparently is.

When one of these sensors is normally tripped, the system will initiate the alarm process. But as the video demonstrates, a powerful-enough emitter can block out that process, meaning that the base won’t receive a signal when, say, pushing open a door. It seems like this cheap, easy-to-acquire device is powerful enough to override what the sensor is communicating to the base.

SimpliSafe disputes that the device is vulnerable, telling The Verge that its base station isn’t actually fooled when the sensors are overwhelmed with wireless interference in this way — the company says that they should proactively send an alert to your phone when they detect interference. In fact, SimpliSafe claims the LockPickingLawyer is deliberately showing us an unusual and unlikely scenario where it’s possible to get through with a $2 device.

Here’s the company’s full statement:

The video is misleading, and it doesn’t apply to how security systems work in real life.

As the video demonstrates, SimpliSafe systems are engineered to detect this kind of interference.

In this video, the videomaker finds a precise frequency, signal strength, and orientation of system components in which they can thread the needle of blocking system communication without triggering an alert.

In real life, this is unlikely. Because signal strength degrades unpredictably depending on distance and landscape, it would be very difficult for anyone to hit on the “right” strength without triggering an alert.

In addition, the setup the videomaker demonstrates (in which the sensors, base, keypad and “jammer” are all close together) does not resemble the setup of an actual home. In other words, prior knowledge of the layout of the motion sensors, door sensors and base station in the customers home and a rehearsal of how to move about the home would be necessary to confidently select a strength that will both jam and not be detected. In order for a real bad actor to effectively interfere with the system in this way, they would likely have to already be inside the home and have had ample practice.

We take very seriously anything that might interfere with our mission of keeping every home secure. We have the ability to tune the detection parameters and regularly release security and usability updates, making it increasingly difficult for anyone to use this type of attack.

But speaking to The Verge, the LockPickingLawyer says he didn’t have to tune the $2 device in any way to get it to reliably bypass the alarm system — it did that right out of the box, and though it sometimes triggered an interference notification, it never triggered an alarm.

“The farthest from the base station I tested was about 60 feet (through two walls), and it worked the same as shown in my video,” he writes, when asked about SimpliSafe’s accusation that it wouldn’t work in a real life scenario where the sensors are spread out further apart.

He continues:

SimpliSafe takes issue with the system components being arranged close together during the video. That was a necessity of filmmaking, not a physical limit of the exploit. In my testing, I carried sensors away from the base station to the far reaches of my home, then conducted the same tests with the same device and obtained the same results. If anything, testing at realistic distances showed a more significant problem insofar as the SimpliSafe system was less likely to detect the interference.

SimpliSafe’s other criticism is that someone would need prior knowledge of the system’s arrangement to avoid the detection of interference. The company is attacking a straw man. What is necessary to avoid detection of this exploit was outside the scope of my testing. In fact, my video explicitly notes that SimpliSafe may detect the interference. Detection of interference, however, never triggered an alarm in my testing. It only sent an “alert” that the resident may or may not investigate. As such, my video specifically advised owners of this system to take these alerts seriously regardless of how many prior alerts they’ve received as a result of non-malicious interference. It’s also important to note that if the system owner doesn’t have security cameras with which to investigate, the alert is of very limited usefulness. This is why I recommend the system be used in conjunction with security cameras.

In a response, SimpliSafe told The Verge that “We’re all on the same page that jamming is a technical reality in the wireless space,” suggesting that similar alarm systems from other manufacturers might also be affected.

Google, for one, claims its Nest Secure will actually sound the alarm when it detects jamming. The company gave us this statement:

We have designed Nest Secure with issues such as jamming in mind. For example, if we detect jamming while the system isn’t armed, the Info button will light up to alert the user and they will not be able to arm the system until it is resolved. If Nest Secure is armed and jamming occurs, the siren will sound instantly and the user will also be notified on their phone.

SimpliSafe says it plans to address concerns by 1) fine-tuning its detection algorithms to try to distinguish potential burglars from random interference, and 2) allowing SimpliSafe’s $25-a-month video monitoring service to investigate suspicious interference by checking your home’s cameras — assuming you pay for that service and have cameras installed.

When asked for a statement on whether the contact sensors included in its SmartThings Home Monitoring Kit were susceptible to jamming, Samsung declined to comment. However, SmartThings isn’t billed as a security system and it does not offer a professional monitoring services, like the others. We’re still waiting for comment from other alarm companies, and we will continue to update this post once we hear back.

Update, August 13th at 10:58AM ET: Added that Samsung declined to comment on the matter, as well as details about SimpliSafe’s next steps.