[Hogg]

I did a similar project with Simplisafe, but I went the SDR route and figured out their protocol, so I can forge sensor/keypad messages or decode PIN entries from keypads. (I'm in contact with the IOActive researcher, Andrew, to share this information.) It was a fun learning experience. My original goal was to just get the damn system to reach my detached garage (which is about 25 feet from my house).

In his blog post, Andrew said he didn't bother to reverse-engineer the protocol because if you can replay a "disarm" command with the correct PIN, that's everything you need. That's probably true, but it could also profit an attacker to record someone's PIN in case they use it for other things. And depending on the limits of the Simplisafe base station, you could potentially brute-force a "disarm" from every possible device ID - most likely, you'll eventually use the ID of a keyfob associated with the system, so it will disarm. Then you'd have control without the user ever entering their PIN.

These things are largely academic, I think. It's been known for a while that you can just jam the system by transmitting at 433MHz while you kick down the doors or whatever. Very cool anyway.

On the other hand, now I can build my own sensors and add them to my system, if I want. Or build a repeater so I can finally have a keypad in my garage. :)

[tptacek]

Can you write more about how you reversed the RF protocol? I'd really like to hear more about it. I've noticed that virtually all major published vuln research targeting RF systems like this starts by hijacking and endpoint and turning it into a modem.

I think there are a lot of people interested in learning more about the process of attacking RF systems from an SDR.

[Hogg]

I'd like to, but I'm not sure how to proceed. I don't know if I should try notifying Simplisafe, and/or give people more time to get rid of the system. I also don't have a good way to publish - I don't have a personal website or anything. Any suggestions?

[tptacek]

Well, not that I want to steal your thunder or anything (I don't think I can: no matter how many times you write this, it will be interesting) but how about just start here?

What SDR did you use?

Did you reverse the hardware or the software on the endpoints to figure out how to configure the SDR?

How did you get started with this?

What other tooling did you have?

[Hogg]

Oh! I was thinking of a much more detailed writeup. I actually didn't reverse any hardware or software; I guess this was a SIGINT-only effort. Parts of my approach were inefficient or redundant, but that's because I knew next to nothing about radio, SDR, etc. when I started. I basically found out that SDRs exist and thought they sounded cool, and decided to try to use one to see what I could see around my house. In brief:

Like Andrew, I looked up the FCC ID to find the right frequency for Simplisafe. I used a RTL2832 USB device ($25, from Amazon) and SDRSharp on Windows to record the signals. I used Audacity to look at the raw recordings and figure out that it was on-off keying, with a pulse length of about 5 microseconds.

I fed those raw recordings into a Gnuradio program I built (on Kali - I had trouble setting it up on Ubuntu so I gave up and just used a Kali image). I realize now that Gnuradio can interface directly with an SDR, but at the time, I already had all the recordings saved, so I just worked with those. I wanted to use Gnuradio's fancy clock sync module to convert the pulses directly to symbols, but I couldn't get it to work. So I used a threshold detector instead, with a rate limiter, so the output consisted of strings about 120 1s or 0s per pulse. I wrote a Python script to convert those into a text representation with just a single 1 or 0 for each pulse.

It was easy enough to identify a preamble that comes with each transmission, and then most of my effort went into comparing like transmissions from different devices (e.g. "door open" from my three door sensors), or different messages from the same device (e.g. "door open" vs. "door closed" from the same sensor). If their encoding scheme is a standard or well-known one, I certainly wasn't able to find it. It took a lot of frustrating dead-ends to finally figure it out.

With that done, I wrote more Python code to decode a recorded transmission, or put together a transmission representing any device ID I want, any message I want, etc. I used an Arduino and a cheap 433MHz transmitter/receiver device ($5 from Amazon) to send my transmission, and my base station heard and acknowledged it. I haven't done much more with it since then.

[creeble]

Um, wow. Nice work.

It does illustrate (duh) that by not encrypting their wireless coms, their system is vulnerable to straightforward reverse-engineering of the RF protocol.

It also illustrates that this vector isn't much of a threat for your average burglar.

However, between the two threats, it wouldn't take a genius entrepre-thief to make a simple device and sell it to thieves (like the ones that exist for some cars).

A million customers someone said?

[Hogg]

I'd better go file a patent. :)

[rubidium]

In general, people are not going to get rid of systems. SimpliSafe is $15 a month after equipment. For some, it's the only security system they can afford, or it's as much as they want to spend on it (disclaimer: me).

So one way you can help their security is

1) Don't publicize easy to follow step-by-step ways of how to do this. There's a big difference between disclosing a security issue and giving non-technical people an easy way to bypass a security system. The fact that a security weakness is known and publicized doesn't help xx% of thieves who don't have the resources to implement it. It does help the aware customer to make changes to their security and demand a fix from the vendor.

2) Responsibly disclose to Simplisafe like the linked post did is best. If they don't respond, then post what you were able to do in a similar manner. Going through ioactive would be a great idea as they're familiar with this process.

[Lawtonfogle]

1 sounds like security by obscurity and it sounds like prevent information being made public knowledge that should impact customers' choices and might lead to better locking down the system. While the ideal rational consumer would be just as impacted by a standard disclosure, I've never met an ideal rational consumer. People will be much more aware if you can show them a web page that gives a step by step guide how to destroy their security system.

To give a comparison, consider all the NSA spying leaks and then consider that show host (John Oliver I believe) who went around asking people questions in a way that made them much more informed of what the implications of spying was, and in doing so changed their reaction.

[tptacek]

To be clear: I don't think you need to disclose any vulnerabilities. Just talk about the process you used to reverse the protocol.

[Shamiq]

Just stick it up on medium for the time being. you can always figure out a 'real' blog later :).

Alternative is using github pages with something like jekyll.

[Hogg]

Oh, that's a good idea, thanks.

[zokier]

If you want something minimal, you can just put markdown in a github gist, and host some images in imgur or something.