300,000 American Homes at Risk for ‘Unfixable’ Alarm Hack

Simplisafe security alarm vulnerabilities
SimpliSafe

“There is something terribly wrong with the alarm industry.” Thus reads marketing material on the site of SimpliSafe, a Boston-based “smart” alarm provider with more than 300,000 customers in the US. It’s been on a mission to improve home security since it formed in 2006 by using cellular technology to warn customers via their smartphone if someone has broken in, whilst allowing them to control alarms from afar.

SimpliSafe, which received a $57 million investment from Sequoia in 2014, not wrong about the industry. But like a growing number of alarm companies claiming their Internet-connected system provides better security than traditional services, SimpliSafe is actually leaving houses open to burglars with rudimentary hacking skills, researchers have told FORBES.

Anyone who can locate a SimpliSafe owner can use basic hardware and software, bought for between $50 and $250, to harvest customer PINs and turn alarms off at a distance of up to 200 yards away, said Dr Andrew Zonenberg, senior security consultant at IOActive. SimpliSafe has also installed a one-time programmable chip in its alarm, meaning there’s no chance of an over-the-air update. It means there’s no patch coming, leaving all owners without a remedy other than to stop using the equipment, Zonenberg said.

Such weaknesses, and more severe ones, have been found across the home and business alarm industry. In a separate FORBES story released today, your reporter found it was easy to hack into an alarm system in San Francisco, all via a browser and armed with easily-guessable passwords. The access, which was attained with permission from the owner, allowed your reporter to unlock doors, turn off alarms and access the CCTV controls of the affected building from more than 5,000 miles away in London, though he didn’t go that far.

The SimpliSafe flaw

With the well-reviewed SimpliSafe alarm system, attacks need to be carried out in the vicinity of a device, as explained in a technical blog from IOActive shown to FORBES ahead of publication. The hack, as demonstrated in a video by Zonenberg, starts by intercepting the signals that turn alarms on and off. Those signals pass between the portable keypad and the base station within the house.

Zonenberg used a separate SimpliSafe system, disconnecting the main processors and hooking up his own microcontroller to the device radios. His code, written in the C language, would listen to incoming 433 MHz radio traffic and pick out a SimpliSafe “PIN entered” data packet. An LED would light up every time a PIN had been recorded. All he had to do then was press a button to replay the PIN signal and the alarm could be disarmed.

An attacker would have to pay at least $250 for their own SimpliSafe system to carry out this attack. But Zonenburg and IOActive head of research Cesar Cerrudo told FORBES an attack of this calibre could be carried out using a software defined radio and related hardware that could be bought for under $50. Just a few hours’ work would be required.

The attacks are not dissimilar to those demonstrated in 2014 against devices from bigger beasts than SimpliSafe. ADT, this week bought for $7 billion, and Vivint were also caught out using unencrypted signals between the sensors and devices used to manage alarms.

SimpliSafe spokesperson Melina Engel told FORBES that it was planning on releasing hardware with over-the-air firmware updates and that customers would be given a discount on those once they were available. She also pointed out that customers are notified every time someone disarms an alarm, so customers should notice when something was amiss even if not checking logs, whilst PINs could be changed from the SimpliSafe smartphone app.

“The security of our systems is our top priority. We’re working to resolve this concern, which also affects other major home security providers. It’s theoretically possible but highly unlikely, and we’re not aware of it being exploited.

“Our system provides customers notifications of their disarm events, so they could catch the criminal in the act. Also customers can change their passcodes anytime locally or remotely via our webapp; so if this ever did happen, any passcode data collected useless in a matter of minutes.

“Unlike with many alarm systems, SimpliSafe customers are protected from many of the more common, low-tech, and easy methods to bypass home security systems, such as cutting the phone line or power to the home.”

It’s unclear just how far away a hacker would have to be to hoover up PIN codes. The SimpliSafe keypad works up to 100 feet, but Zonenberg believes the attack could work up to 100 yards away, even taking into account the disturbances of obstacles and humidity in the transmission of radio waves.

Smart alarm ‘fraud’

Despite the irony of SimpliSafe’s marketing, it’s right: the alarm industry is doing plenty wrong. Alongside the problems identified in Bay Alarm’s products, FORBES is also reporting on unfixed vulnerabilities in Samsung’s SmartThings home security devices and Comcast’s Xfinity service, which was determined vulnerable in January by Boston-based security consultancy Rapid7.

Cerrudo believes the collective failures of the alarm industry amount to a “fraud”. “They are promoting something to secure your home but they’re making your home more vulnerable. That should have repercussions, regulation or something. That’s kind of fraud,” Cerrudo said.

“The impression that I’ve got is that the home security product industry isn’t really actually putting any effort into security, whether it’s because they don’t realise the problem, or they don’t care, is not something I’m going to be able to tell you. It’s not just the SimpliSafe system that’s insecure,” Zonenberg added.

“These people are advertising security products that provide little to no actual security.”

Troubles with disclosure

What also became apparent to IOActive and your reporter during our respective research was that disclosing these vulnerabilities to the companies responsible for them was not simple.

SimpliSafe did not have a direct security contact; IOActive decided to disclose its findings via LinkedIn messages, the contact form on SimpliSafe’s website and the email listed on its website domain records. SimpliSafe’s spokesperson Engel said the company only saw the emails after FORBES reached out. Bay Alarm was difficult to contact too, with no security or press contacts, which had to be found from an external site by guessing email addresses. And according to the researcher who discovered the Samsung flaws, the firm promised patches that it didn’t deliver.

The myriad weaknesses across smart home devices is only exacerbated by the difficulties associated with warning the companies responsible. And yet it’s the end users who ultimately carry the risk.

Written by Thomas Fox-Brewster of Forbes

(Source:

Verizon Rolling Out Wi-Fi Calling to Samsung Devices This Week, iPhones Next Year

Provided by The Verge

Verizon is turning on Wi-Fi calling for devices on its network next week, starting with the Samsung Galaxy S6 and S6 Edge. Additional devices — including iPhones — will be updated to support the service “early next year.” Verizon is the last of the big four US carriers to flip the switch on Wi-Fi calling, perhaps in part because it waited until it could get an official waiver from the FCC to do it. AT&T also received a waiver (and also had some squabbles with T-Mobile over its lack of official approval).

Verizon is positioning Wi-Fi calling as part of its “Advanced Calling” feature, which is the branding the carrier is applying to both VoLTE HD Voice calls and its own video calling service. What’s less clear is whether Verizon handsets will default to using Wi-Fi if it’s available or if it will only resort to a Wi-Fi network “When a customer uses Advanced Calling on our 4G LTE network and travels outside of coverage,” as Verizon’s implies.

The Wi-Fi calling feature will require a software update for compatible phones — so if you have a Galaxy S6 or S6 Edge, keep an eye out for that next week (it’s going to be rolled out “in phases,” Verizon says).

Written by Dieter Bohn of The Verge

(Source: The Verge)

Google Reportedly Wants to Design its Own Android Chips

Provided by The Verge

Google is reportedly taking a page out of Apple’s playbook and expressing interest in co-developing Android chips based on its own designs, according to a report today from The Information. Similar to how the iPhone carries a Ax chip designed by Apple but manufactured by companies like Samsung, Google wants to bring its own expertise and consistency to the Android ecosystem. To do that, it would need to convince a company like Qualcomm, which produces some of the top Android smartphone chips today using its own technology, to sacrifice some of its competitive edge. Google did not respond to a request for comment.

The discussions around Google-designed chips, which The Information say occurred this fall, originated around the company’s desire to build an “enterprise connectivity device” — possibly the Pixel C laptop-tablet hybrid unveiled in September — that would rely wholly on in-house technology. Soon, Google was discussing the possibility of designing its own smartphone chips as well, the report states. One benefit of Google’s strategy would be the ability to bake in cutting edge features into future versions of Android, like support for augmented and virtual reality, that would require more closely integrated software and hardware.

A Google-designed chip may find its way to Nexus phones first

However, finding a chip co-developer may prove difficult. Though Google may find a willing partner from the pool of low-cost Android manufacturers, that partner may not be able to produce the highest-quality chips capable of powering high-end smartphones. The high-end market, which Apple dominates, is where Android fragmentation may be costing Google precious sales. One possibility, if chip makers don’t agree to use Google designs, is requiring manufacturers of Google’s Nexus line use only its own designs — all the way from the chip to the body of the device.

Written by Nick Statt of The Verge 

(Source: The Verge)

Forget Your Password? A Selfie May Do Just Fine

© Provided by CNBC

The camera phone has changed the way society has captured events, turning smartphone owners into citizen journalists, giving rise to photo-based social media apps and creating new products like the selfie stick.

Yet vanity is gradually adding up to dollars and cents, with more businesses begin to cater to consumers through their smartphone’s camera lens.

MasterCard (MA) recently announced it will start experimenting with a new program of approving online purchases with a facial scan rather than a password. PayPal  (PYPL) is also offering a similar concept through its mobile app and recently, Apple  (AAPL) filed a patent allowing facial recognition technology to unlock your iPhone (a practice that Samsung  (593-KR) has as well).

These trends are emerging as recent data suggest many consumers—including the hotly coveted millennial age group—have a clear affinity for using pictures rather than keyboards.

A new survey of more than 1,000 millennials found that 96 percent consider their camera crucial to their smartphone and nearly 50 percent even said their smartphone was “practically useless” without a camera. The survey, conducted by Mitek and Zogby Analytics, found that 68 percent of respondents said they would rather snap a picture than have to type something. That may be causing causing businesses to rethink how their younger consumers interact with products and services.

James DeBello, Mitek’s president & CEO, said companies are finding it important to engage with millennials on their own terms. One example DeBello cited is being able to sign up for a gym membership by taking a photo of a driver’s license, instead of having to type out information.

“The camera phone is how they want to be doing transactions and there can be revenue opportunities,” he told CNBC. “The camera is the new addiction and it’s a gateway to commerce.”

The substitution of passwords with selfies is an idea whose time appears to have come, some observers say.

“Millennials love their cameras,” said Cathy Boyle, mobile analyst at eMarketer. She attributes the growth in commerce opportunities to the rise in the cameras used n social media.

Even Twitter  (TWTR), a predominantly text-based product, has been building out more photo-based applications recently. “The applications for the camera phone are still being realized and have a long way to go,” she said.

Many believe the biggest growth for camera phone usage may be in banking. Some 54 percent of millennials in the Mitek and Zogby survey said they’ve deposited a check with Mobile Deposit—up 20 percent from just a year prior. Meanwhile, 40 percent said they would like to see more mobile use in banking.

Teddy Citrin, an investor at venture capital firm Greycroft Partners, said the camera’s potential is becoming a predominant factor in determining some of the companies in which the firm invests.

“The creative utilization of cameras has become a focal point for many new apps we see and for larger companies evolving their product,” he said.

He thinks that over the next few years, technology that harnesses camera phones will lead to an increase in doctors diagnosing and providing counsel from afar, instant appraisal of goods, and other facial recognition applications.

Security and selfies could be one way the banking sector could evolve; however, how secure it is still remains to be seen. For now, the sheer vanity the cell camera offers is its most practical application. The survey found 38 percent of the millennials take a least one selfie per day, while 10 percent taking more than 10 per day.

Citrin thinks there are many untapped applications that remain to be seen.

“Applications that power the camera will become incrementally smarter and more important,” he said. “Facial recognition, credit card reading, and augmented reality are just the start.”

Written by Uptin Saiidi of CNBC

(Source: CNBC)

%d bloggers like this: