YouTuber Reveals SimpliSafe DIY Security System Can Be Bypassed With $2 Emitter
The $2 wireless emitter fools the SimpliSafe security system by mimicking the frequency of its door and window contact sensors.
DIY home security systems continue to soar in popularity. However, they also continue to show why they are not always as reliable as professionally installed security systems.
SimpliSafe, one of the first major DIY security companies, has faced scrutiny over the past several years for vulnerabilities in its smart security system.
In 2016, the SimpliSafe system was found to be “inherently insecure and vulnerable to even a low-level attacker.” Later that year, SSI contributor and forensic alarm expert Jeffrey Zwirn analyzed SimpliSafe’s DIY offering and found disturbing results.
The latest person to find a flaw in the SimpliSafe system is a YouTuber that goes by the name “LockPickingLawyer.” He recently posted a video that demonstrates how the system can be fooled by a $2 wireless emitter that mimics the frequency of its door and window contact sensors.
This is possible because the DIY security system’s base communicates with its sensors on the 433.92MHz frequency, which is used by many other electronic consumer products.
The system can be fooled by using the emitter the same time as opening a door or window (breaking the contact of the sensors). The emitter is apparently powerful enough to block the sensor’s communication back to the base, preventing the alarm from sounding.
However, if the emitter is close enough to the alarm base, the end user will be notified of wireless interference. You can watch the demonstration in the video above.
Tech website The Verge reported on this video and received the following response from SimpliSafe:
The video is misleading, and it doesn’t apply to how security systems work in real life.
As the video demonstrates, SimpliSafe systems are engineered to detect this kind of interference.
In this video, the videomaker finds a precise frequency, signal strength, and orientation of system components in which they can thread the needle of blocking system communication without triggering an alert.
In real life, this is unlikely. Because signal strength degrades unpredictably depending on distance and landscape, it would be very difficult for anyone to hit on the “right” strength without triggering an alert.
In addition, the setup the videomaker demonstrates (in which the sensors, base, keypad and “jammer” are all close together) does not resemble the setup of an actual home. In other words, prior knowledge of the layout of the motion sensors, door sensors and base station in the customers home and a rehearsal of how to move about the home would be necessary to confidently select a strength that will both jam and not be detected. In order for a real bad actor to effectively interfere with the system in this way, they would likely have to already be inside the home and have had ample practice.
We take very seriously anything that might interfere with our mission of keeping every home secure. We have the ability to tune the detection parameters and regularly release security and usability updates, making it increasingly difficult for anyone to use this type of attack.
The Verge then reached out to LockPickingLawyer to get his comment on SimpliSafe’s statement. He says he didn’t have to tune the $2 device in any way to get it to reliably bypass the alarm system and it was able to do it right out of the box. He also said it sometimes triggered an interference notification, though never an alarm.
The farthest from the base station I tested was about 60 feet (through two walls), and it worked the same as shown in my video.
SimpliSafe takes issue with the system components being arranged close together during the video. That was a necessity of filmmaking, not a physical limit of the exploit. In my testing, I carried sensors away from the base station to the far reaches of my home, then conducted the same tests with the same device and obtained the same results. If anything, testing at realistic distances showed a more significant problem insofar as the SimpliSafe system was less likely to detect the interference.
SimpliSafe’s other criticism is that someone would need prior knowledge of the system’s arrangement to avoid the detection of interference. The company is attacking a straw man. What is necessary to avoid detection of this exploit was outside the scope of my testing. In fact, my video explicitly notes that SimpliSafe may detect the interference. Detection of interference, however, never triggered an alarm in my testing. It only sent an “alert” that the resident may or may not investigate. As such, my video specifically advised owners of this system to take these alerts seriously regardless of how many prior alerts they’ve received as a result of non-malicious interference. It’s also important to note that if the system owner doesn’t have security cameras with which to investigate, the alert is of very limited usefulness. This is why I recommend the system be used in conjunction with security cameras.
As more DIY solutions hit the market, it’s important for security professionals to educate consumers about the dangers of going DIY. Though no solution is 100% bulletproof, it is important to choose a solution that can’t be compromised with something as simple as a $2 wireless emitter.
Security Is Our Business, Too
For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.
A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!
This article actually points out a security issue with ALL security systems that use wireless sensors, not only Simplisafe. All wireless systems can be potentially jammed using am external RF emitter. Some systems may use an advanced RF technique such as spread spectrum, but they may still be susceptible to a specially crafted RF signal. Only wired sensors can be sufficiently secure.
Benn is 100 percent correct. Wired is the way to go. Any wireless frequency is susceptible to jamming.