Blogger Andrew Zonenberg of IOActive recently published an in-depth analysis of SimpliSafe, a well-known name in DIY home security. He set out to determine whether it was possible to hack SimpliSafe, and he succeeded.
According to Andrew, the SimpliSafe keypad transmits the PIN unencrypted over the radio, so anyone within range can receive it. An attacker can therefore hide a receiver within roughly a hundred feet of the keypad and wait for the owner to disarm the system once; the device records the PIN frame, and that recording can be played back at any later time to disarm the alarm and allow an undetected burglary. Other SimpliSafe sensors (such as entry sensors) can be spoofed in the same way, letting an attacker trigger false or nuisance alarms on demand.
Unfortunately for SimpliSafe, there is no easy workaround. Normally the vendor would fix such a vulnerability in a new firmware version by adding cryptography (encryption and message authentication) to the protocol. That is not an option for the affected SimpliSafe products, because the microcontrollers in the shipped hardware are one-time programmable: once written at the factory, their firmware cannot be changed, so field upgrades of existing systems are not possible.
At Korner, everything sent between the tags and sticks is encrypted, and the keys are rotated regularly. The security implementation is custom and is not vulnerable to replay attacks. There is also no way to disarm the system via the radio network at all. Finally, all of Korner's firmware is remotely reconfigurable: if any problem is found in the future, we can release new firmware to every piece of hardware in the field, and the update is applied automatically without any action required from the customer.
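To make the two designs concrete, here is an added example (not SimpliSafe's or Korner's code) that models a keypad-to-base radio link in Python. The plaintext variant is the weakness described above: one captured frame disarms the system forever. The hardened variant is one common way to get the properties claimed in the paragraph above, using only the standard library: the PIN is encrypted with a per-frame keystream, every frame carries a monotonic counter, the whole frame is authenticated with HMAC-SHA256, and the base station rejects any counter it has already seen. The frame layout, key, PIN and counter values are all constructed for the example; the key rotation and the "no disarm over radio" rule from the paragraph are not modelled.

```python
"""Constructed model of a keypad-to-base radio link (example code, not any
vendor's protocol): a plaintext design that a recorded frame can disarm,
next to a counter + MAC design that rejects the replay."""
import hashlib
import hmac

TAG_LEN = 16          # truncated HMAC-SHA256 tag appended to each frame
CTR_LEN = 4           # 32-bit monotonic frame counter
DEMO_KEY = bytes(range(32))   # constructed per-device key for the demo


# ---- Vulnerable design: command and PIN sent in the clear, no freshness ----
def plaintext_frame(pin: str) -> bytes:
    return b"DISARM:" + pin.encode()


class PlaintextBase:
    """Accepts any frame carrying the right PIN, however old it is."""
    def __init__(self, pin: str):
        self.pin = pin
        self.armed = True

    def receive(self, frame: bytes) -> bool:
        cmd, _, pin = frame.partition(b":")
        if cmd == b"DISARM" and hmac.compare_digest(pin, self.pin.encode()):
            self.armed = False
            return True
        return False


# ---- Hardened design: encrypted PIN, counter, MAC, replay rejection ----
def _keystream(key: bytes, counter: int, n: int) -> bytes:
    """Per-frame keystream from a PRF; only safe while counters never repeat."""
    out = b""
    block = 0
    while len(out) < n:
        msg = b"enc" + counter.to_bytes(CTR_LEN, "big") + bytes([block])
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]


def authed_frame(key: bytes, counter: int, pin: str) -> bytes:
    """Keypad side: encrypt-then-MAC over (counter || ciphertext)."""
    plaintext = b"DISARM:" + pin.encode()
    ks = _keystream(key, counter, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    body = counter.to_bytes(CTR_LEN, "big") + ciphertext
    tag = hmac.new(key, b"mac" + body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthedBase:
    def __init__(self, key: bytes, pin: str):
        self.key = key
        self.pin = pin
        self.armed = True
        self.last_counter = -1    # highest counter accepted so far

    def receive(self, frame: bytes) -> bool:
        if len(frame) < CTR_LEN + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, b"mac" + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False          # forged, wrong key, or corrupted in transit
        counter = int.from_bytes(body[:CTR_LEN], "big")
        if counter <= self.last_counter:
            return False          # replayed (or reordered) frame
        ks = _keystream(self.key, counter, len(body) - CTR_LEN)
        plaintext = bytes(a ^ b for a, b in zip(body[CTR_LEN:], ks))
        cmd, _, pin = plaintext.partition(b":")
        self.last_counter = counter   # consume the counter once the MAC checked out
        if cmd == b"DISARM" and hmac.compare_digest(pin, self.pin.encode()):
            self.armed = False
            return True
        return False


def replay_attack(base, frame: bytes) -> bool:
    """Attacker plays a previously captured frame back after the owner re-armed."""
    base.armed = True
    return base.receive(frame)


def demo() -> dict:
    pin = "1234"
    weak = PlaintextBase(pin)
    captured = plaintext_frame(pin)        # what a sniffer in radio range records
    weak.receive(captured)                 # the owner's legitimate disarm
    weak_replayed = replay_attack(weak, captured)

    strong = AuthedBase(DEMO_KEY, pin)
    captured = authed_frame(DEMO_KEY, counter=7, pin=pin)
    strong.receive(captured)
    strong_replayed = replay_attack(strong, captured)
    return {
        "plaintext_replay_disarmed": weak_replayed,   # True
        "authed_replay_disarmed": strong_replayed,    # False
        "pin_visible_in_authed_frame": pin.encode() in captured,  # False
    }
```

Two points a practitioner should take from the hardened half: the counter must be stored in non-volatile memory on both sides, because a base station that forgets `last_counter` after a power cycle accepts old frames again, and a keypad that restarts from zero reuses keystreams; and a real product would use a standard AEAD such as AES-GCM or ChaCha20-Poly1305 rather than the HMAC-derived keystream shown here. Rejecting frames on MAC failure before touching the counter also means an attacker cannot burn through counters with garbage, which matters on a one-way radio link.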