
SimpliSafe SS3 Unauthenticated Wi-Fi Config Modification

Low

Synopsis

The configuration used for connecting to a Wi-Fi network can be changed by an unauthenticated Bluetooth LE client.

There is a button on the bottom of the base station (next to the batteries) that, after being pressed, will enable Bluetooth LE on the base station. At this point, a Bluetooth LE client can pair with the base station.

Next, the client can write to characteristic "0000ff01-0000-1000-8000-00805f9b34fb" of service "000000ff-0000-1000-8000-00805f9b34fb" to modify the Wi-Fi credentials. This is done by sending a JSON object over Bluetooth LE that sets the "ssid", "pass", and "token" fields.

Exploitation of this issue was most reliable when the base station already had an entry sensor paired to it. However, that is the normal state of a deployed system.

Furthermore, the base station must be configured in one of the following states:

  1. Alarm is actively connected to a Wi-Fi network.
  2. Alarm is not configured with any Wi-Fi credentials, and therefore has no active Wi-Fi connection.

Proof of Concept

Below is a log obtained over a UART connection to the base station's ESP32 chip. The log contains boot information, an initial Wi-Fi connection to SSID 'simplitest', and finally, a malicious configuration change causing the device to connect to SSID 'christest' with password 'mypassword'. Note that the JSON payload arrives as several GATT writes of at most 18 bytes each ("attribute value too long, to be truncated to 18"), which the base station reassembles before applying the new credentials.

..ets Jun  8 2016 00:22:57

rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0008,len:8
load:0x3fff0010,len:4400
load:0x40078000,len:11072
load:0x40080000,len:252
entry 0x40080034
I (44) boot: ESP-IDF v3.0-dev-20-g9b955f4 2nd stage bootloader
I (44) boot: compile time 14:06:42
I (44) boot: Enabling RNG early entropy source...
I (62) boot: SPI Speed      : 40MHz
I (74) boot: SPI Mode       : DIO
I (87) boot: SPI Flash Size : 4MB
I (99) boot: Partition Table:
I (110) boot: ## Label            Usage          Type ST Offset   Length
I (133) boot:  0 phy_init         RF data          01 01 0000f000 00001000
I (156) boot:  1 otadata          OTA data         01 00 00010000 00002000
I (179) boot:  2 nvs              WiFi data        01 02 00012000 0000e000
I (203) boot:  3 ble_data         unknown          40 00 00020000 00003000
I (226) boot:  4 ota_0            OTA app          00 10 00040000 001e0000
I (249) boot:  5 ota_1            OTA app          00 11 00220000 001e0000
I (272) boot: End of partition table
I (286) boot: Disabling RNG early entropy source...
I (302) boot: Loading app partition at offset 00220000
I (2187) boot: segment 0: paddr=0x00220018 vaddr=0x00000000 size=0x0ffe8 ( 65512)
I (2188) boot: segment 1: paddr=0x00230008 vaddr=0x3f400010 size=0x45b30 (285488) map
I (2204) boot: segment 2: paddr=0x00275b40 vaddr=0x3ffc0000 size=0x02d8c ( 11660) load
I (2236) boot: segment 3: paddr=0x002788d4 vaddr=0x40080000 size=0x00400 (  1024) load
I (2258) boot: segment 4: paddr=0x00278cdc vaddr=0x40080400 size=0x11ad8 ( 72408) load
I (2318) boot: segment 5: paddr=0x0028a7bc vaddr=0x400c0000 size=0x00064 (   100) load
I (2319) boot: segment 6: paddr=0x0028a828 vaddr=0x00000000 size=0x057e0 ( 22496)
I (2342) boot: segment 7: paddr=0x00290010 vaddr=0x400d0018 size=0xd6714 (878356) map
I (2369) cpu_start: Pro cpu up.
I (2380) cpu_start: Single core mode
I (2394) heap_alloc_caps: Initializing. RAM available for dynamic allocation:
I (2417) heap_alloc_caps: At 3FFAFF10 len 000000F0 (0 KiB): DRAM
I (2438) heap_alloc_caps: At 3FFB3000 len 00005000 (20 KiB): DRAM
I (2458) heap_alloc_caps: At 3FFBBB28 len 00002000 (8 KiB): DRAM
I (2479) heap_alloc_caps: At 3FFD5190 len 0000AE70 (43 KiB): DRAM
I (2500) heap_alloc_caps: At 3FFE0440 len 00003BC0 (14 KiB): D/IRAM
I (2521) heap_alloc_caps: At 3FFE4350 len 0001BCB0 (111 KiB): D/IRAM
I (2543) heap_alloc_caps: At 40091ED8 len 0000E128 (56 KiB): IRAM
I (2564) cpu_start: Pro cpu start user code
I (2620) cpu_start: Starting scheduler on PRO CPU.
I (2626) uart: queue free spaces: 10
I (2634) wifi: wifi firmware version: 621ab6b
I (2635) wifi: config NVS flash: enabled
I (2635) wifi: config nano formating: disabled
I (2637) system_api: Base MAC address is not set, read default base MAC address from BLK0 of EFUSE
I (2646) system_api: Base MAC address is not set, read default base MAC address from BLK0 of EFUSE
I (2662) wifi: Init dynamic tx buffer num: 16
I (2662) wifi: Init dynamic rx buffer num: 16
I (2665) wifi: wifi driver task: 3ffd89d8, prio:23, stack:4096
I (2670) wifi: Init static rx buffer num: 10
I (2674) wifi: Init dynamic rx buffer num: 16
I (2678) wifi: Init rx ampdu len mblock:7
I (2682) wifi: Init lldesc rx ampdu entry mblock:4
I (2686) wifi: wifi power manager task: 0x3ffddda0 prio: 21 stack: 2560
I (2693) wifi: wifi timer task: 3ffdee20, prio:22, stack:3584
I (2719) phy: phy_version: 362.1, 75758b5, Nov  1 2017, 16:02:06, 0, 0
I (2720) wifi: mode : sta (80:7d:3a:fa:1c:58)
I (2722) wifi: mode : sta (80:7d:3a:fa:1c:58) + softAP (80:7d:3a:fa:1c:59)
I (2730) wifi: mode : sta (80:7d:3a:fa:1c:58)
W (2732) main.c: SS3-ESP32 Application Version: 1.2.2.69
W (2736) mem.c: ----------memcheck: app_main() complete----------
W (2742) mem.c: Free MALLOC_CAP_8BIT: 114
W (2747) mem.c: Free MALLOC_CAP_32BIT: 170
W (2752) mem.c: Lowest Ever Free: 8-Bit: 114, 32-Bit: 170
W (2758) mem.c: ----------end memcheck: app_main() complete----------
I (3515) wifi: sleep enable
I (3516) wifi: type: 1
I (3654) wifi: n:6 0, o:1 0, ap:255 255, sta:6 0, prof:1
I (4644) wifi: state: init -> auth (b0)
I (4647) wifi: state: auth -> assoc (0)
I (4652) wifi: state: assoc -> run (10)
I (4664) wifi: connected with simplitest, channel 6
I (4670) at_port.c: SYSTEM_EVENT_STA_CONNECTED
I (6552) event: ip: 192.168.1.233, mask: 255.255.255.0, gw: 192.168.1.1
I (6552) at_port.c: WiFi Obtained IP!
I (14652) wifi: pm start, type:1

I (40609) example: Seeding the random number generator
I (40611) example: Loading the CA root certificate...
I (40614) example: Setting hostname for TLS session...
I (40616) example: Setting up the SSL/TLS structure...
I (40624) example: Connecting to bb1.simplisafe.com:8899...
I (40650) example: Connected.
I (40651) example: Performing the SSL/TLS handshake...
I (41079) example: Verifying peer X.509 certificate...
I (41079) example: Certificate verified.
id:0,Len:237,dp:0x3ffcba28

id:0,Len:237,dp:0x3ffcba28

id:0,Len:261,dp:0x3ffcba28

id:0,Len:40,dp:0x3ffcba28

I (80082) system_api: Base MAC address is not set, read default base MAC address from BLK0 of EFUSE
I (80326) bt_provisioning.c: start_bluetooth init bluetooth
I (80421) bt_provisioning.c: Reg app success, app_id 0000, status 0
I (80422) bt_provisioning.c: ESP_GATTS_REG_EVT
I (80427) bt_provisioning.c: The number handle = 3
I (80429) bt_provisioning.c: ESP_GATTS_START_EVT
I (80435) bt_provisioning.c: Reg app success, app_id 0001, status 0
I (80441) bt_provisioning.c: ESP_GATTS_REG_EVT2
I (80449) bt_provisioning.c: The number_2 handle = 3
W (80452) bt_provisioning.c: ESP_GATTS_START_EVT2
I (80458) bt_provisioning.c: Reg app success, app_id 0002, status 0
I (80464) bt_provisioning.c: ESP_GATTS_REG_EVT3
I (80472) bt_provisioning.c: The number_3 handle = 3
I (80476) bt_provisioning.c: ESP_GATTS_START_EVT3
I (80486) bt_provisioning.c: ESP_GAP_BLE_SET_LOCAL_PRIVACY_COMPLETE_EVT
I (80488) bt_provisioning.c: config local privacy success! error status = 0
I (80503) bt_provisioning.c: ESP_GAP_BLE_ADV_DATA_SET_COMPLETE_EVT
I (80504) bt_provisioning.c: ESP_GAP_BLE_SCAN_RSP_DATA_SET_COMPLETE_EVT
I (80510) bt_provisioning.c: ESP_GAP_BLE_ADV_START_COMPLETE_EVT
I (80516) bt_provisioning.c: advertising start success
I (98456) bt_provisioning.c: ESP_GATTS_CONNECT_EVT
I (98456) bt_provisioning.c: ESP_GATTS_CONNECT_EVT2
I (98457) bt_provisioning.c: ESP_GATTS_CONNECT_EVT3
E (98465) BT: earlier enc was not done for same device
E (98468) BT: earlier enc was not done for same device
I (99006) bt_provisioning.c: ESP_GAP_BLE_AUTH_CMPL_EVT
I (99007) bt_provisioning.c: remote BD_ADDR: 001a7dda7113
I (99008) bt_provisioning.c: address type = 0
I (99013) bt_provisioning.c: pair status = success
I (99021) bt_provisioning.c: Bonded devices number : 4
I (99024) bt_provisioning.c: Bonded devices list : 4
I (99030) bt_provisioning.c: 00 1a 7d da 71 13
I (99035) bt_provisioning.c: 58 ad 39 43 69 f8
I (99040) bt_provisioning.c: 8c 85 90 d4 62 3d
I (99046) bt_provisioning.c: bc dd c2 d4 15 66
I (99406) bt_provisioning.c: GATT_WRITE_EVT, conn_id 0, trans_id 1, handle 42
I (99406) bt_provisioning.c: GATT_WRITE_EVT, value len 18, value
{"ssid":"christes
E (99412) BT: attribute value too long, to be truncated to 18
I (99506) bt_provisioning.c: GATT_WRITE_EVT, conn_id 0, trans_id 2, handle 42
I (99506) bt_provisioning.c: GATT_WRITE_EVT, value len 18, value t", "pass":"mypass
E (99512) BT: attribute value too long, to be truncated to 18
I (99605) bt_provisioning.c: GATT_WRITE_EVT, conn_id 0, trans_id 3, handle 42
I (99606) bt_provisioning.c: GATT_WRITE_EVT, value len 18, value word", "token":"te
E (99611) BT: attribute value too long, to be truncated to 18
id:0,Len:33,dp:0x3ffcba28

I (99706) bt_provisioning.c: GATT_WRITE_EVT, conn_id 0, trans_id 4, handle 42
I (99707) bt_provisioning.c: GATT_WRITE_EVT, value len 5, value st"}
E (99712) bt_provisioning.c: SSID: christest, PASSWORD: mypassword
I (99718) wifi: state: run -> init (0)
I (99722) wifi: n:6 0, o:6 0, ap:255 255, sta:6 0, prof:1
I (99727) wifi: pm stop, total sleep time: 66684074/34844666

delete

I (99859) wifi: n:1 0, o:6 0, ap:255 255, sta:1 0, prof:1
I (100854) wifi: state: init -> auth (b0)
I (100858) wifi: state: auth -> assoc (0)
I (100868) wifi: state: assoc -> run (10)
I (100926) wifi: connected with christest, channel 1
I (100929) at_port.c: SYSTEM_EVENT_STA_CONNECTED
I (101863) event: ip: 172.20.10.3, mask: 255.255.255.240, gw: 172.20.10.1
I (101863) at_port.c: WiFi Obtained IP!
I (110869) wifi: pm start, type:1

I (113180) example: Connecting to bb2.simplisafe.com:8899...
I (113320) example: Connected.
I (113321) example: Performing the SSL/TLS handshake...
E (113607) example: mbedtls_ssl_handshake returned -0x2700
I (119559) example: Connecting to bb1.simplisafe.com:8899...
I (119621) example: Connected.
I (119621) example: Performing the SSL/TLS handshake...
I (120425) example: Verifying peer X.509 certificate...
I (120426) example: Certificate verified.
id:0,Len:236,dp:0x3ffcba28

id:0,Len:40,dp:0x3ffcba28

I (131907) bt_provisioning.c: ESP_GATTS_DISCONNECT_EVT
I (131907) bt_provisioning.c: ESP_GATTS_DISCONNECT_EVT2
I (131908) bt_provisioning.c: ESP_GATTS_DISCONNECT_EVT3
I (131919) bt_provisioning.c: ESP_GAP_BLE_ADV_START_COMPLETE_EVT
I (131920) bt_provisioning.c: advertising start success
I (131926) bt_provisioning.c: ESP_GAP_BLE_ADV_START_COMPLETE_EVT
I (131933) bt_provisioning.c: advertising start success
I (131939) bt_provisioning.c: ESP_GAP_BLE_ADV_START_COMPLETE_EVT
I (131945) bt_provisioning.c: advertising start success
id:0,Len:33,dp:0x3ffcba28

id:0,Len:82,dp:0x3ffcba28

E (201639) BT: bta_dm_disable BTA_DISABLE_DELAY set to 200 ms
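The UART capture is the only evidence trail this issue leaves on the device itself, so the following is a worked example of reading it the way the synopsis describes the flaw: an unauthenticated BLE client writes a JSON object in fragments to the provisioning characteristic, and the base station then associates with a different network. This is editor-added detection code, not Tenable's Python PoC and not SimpliSafe firmware. It assumes only the line formats visible in the capture above (the ESP-IDF ANSI colour escapes, the `GATT_WRITE_EVT, value len N, value ...` fragments and the `wifi: connected with <ssid>, channel <n>` lines); the short sample log inside it is a constructed excerpt modelled on that capture, and every function name is the editor's own.

```python
import json
import re

# ESP-IDF colours its log lines with ANSI escapes (ESC[0;32m ... ESC[0m);
# a raw UART capture carries them, so they are stripped before matching.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
# One fragment of the BLE characteristic write, as logged by bt_provisioning.c.
WRITE_RE = re.compile(r"GATT_WRITE_EVT, value len (\d+), value ?(.*)$")
# Station association as logged by the ESP32 Wi-Fi driver.
CONNECT_RE = re.compile(r"wifi: connected with (\S+), channel (\d+)")

# Constructed excerpt modelled on the advisory's UART capture (not the full
# log): an initial association, a BLE pairing, four fragmented GATT writes
# that together carry one JSON object, and the resulting re-association.
SAMPLE_LOG = (
    "I (4664) wifi: connected with simplitest, channel 6\n"
    "\x1b[0;32mI (99013) bt_provisioning.c: pair status = success\x1b[0m\n"
    "\x1b[0;32mI (99406) bt_provisioning.c: GATT_WRITE_EVT, value len 18, value \n"
    "{\"ssid\":\"christes\x1b[0m\n"
    "\x1b[0;31mE (99412) BT: attribute value too long, to be truncated to 18\x1b[0m\n"
    "\x1b[0;32mI (99506) bt_provisioning.c: GATT_WRITE_EVT, value len 18, value t\", \"pass\":\"mypass\x1b[0m\n"
    "\x1b[0;32mI (99606) bt_provisioning.c: GATT_WRITE_EVT, value len 18, value word\", \"token\":\"te\x1b[0m\n"
    "\x1b[0;32mI (99707) bt_provisioning.c: GATT_WRITE_EVT, value len 5, value st\"}\x1b[0m\n"
    "\x1b[0;31mE (99712) bt_provisioning.c: SSID: christest, PASSWORD: mypassword\x1b[0m\n"
    "I (100926) wifi: connected with christest, channel 1\n"
)


def strip_ansi(line):
    """Remove ESP-IDF colour escapes so the regexes see the bare message."""
    return ANSI_RE.sub("", line)


def parse_uart_log(text):
    """Turn a UART capture into an ordered list of (kind, data) events.

    GATT write fragments are concatenated until the buffer parses as JSON;
    JSON validity, not the fragment count, is the framing signal, because the
    firmware truncates each write to 18 bytes and the sender picks the split.
    """
    lines = [strip_ansi(l.rstrip("\n")) for l in text.splitlines()]
    events, buf, i = [], "", 0
    while i < len(lines):
        m = WRITE_RE.search(lines[i])
        if m:
            length, chunk = int(m.group(1)), m.group(2)
            # In the real capture the first fragment spilled onto the next line.
            if chunk == "" and length > 0 and i + 1 < len(lines):
                i += 1
                chunk = lines[i]
            buf += chunk
            try:
                payload = json.loads(buf)
            except json.JSONDecodeError:
                pass  # still mid-object; wait for the next fragment
            else:
                events.append(("ble_write", payload))
                buf = ""
        else:
            m = CONNECT_RE.search(lines[i])
            if m:
                events.append(("wifi_connected", m.group(1)))
        i += 1
    return events


def detect_ble_reprovisioning(text):
    """Report BLE-delivered Wi-Fi credentials and any association change they caused.

    The password is never copied into a finding: a detection record must not
    become a second place the credential is stored.
    """
    findings = []
    current_ssid = None  # None also covers the advisory's case 2: no Wi-Fi configured
    pending = None
    for kind, data in parse_uart_log(text):
        if kind == "ble_write" and isinstance(data, dict) and "ssid" in data:
            pending = data
            findings.append({
                "event": "ble_wifi_credentials_written",
                "ssid": data["ssid"],
                "fields_written": sorted(data),
                "password_present": "pass" in data,
            })
        elif kind == "wifi_connected":
            if pending is not None and data == pending.get("ssid") and data != current_ssid:
                findings.append({
                    "event": "wifi_network_changed_via_ble",
                    "previous_ssid": current_ssid,
                    "new_ssid": data,
                })
                pending = None
            current_ssid = data
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_ble_reprovisioning(SAMPLE_LOG), indent=2))
```

Run against the constructed excerpt this yields two findings: the credential write for 'christest' (fields ssid, pass, token) and the subsequent network change from 'simplitest' to 'christest'. Because association is tracked separately from the write, a write that never results in a join (wrong password, unreachable network) is still reported as a credential write, which is the event a defender cares about.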

Solution

There is no solution at this time. SimpliSafe has indicated a fix will be available at the end of March in firmware version 1.6.

Disclosure Timeline

10/18/2019 - Tenable contacts [email protected] to see if they have a PGP key.
10/18/2019 - SimpliSafe responds with a link to their key.
10/18/2019 - Tenable sends vulnerability disclosure. 90-day date is 01/16/2020.
10/21/2019 - SimpliSafe acknowledges receipt of the report and will work to reproduce the findings and complete their due diligence. It will take "a number of days."
10/24/2019 - SimpliSafe informs us that our firmware is out of date.
10/25/2019 - Tenable asks what the latest version is. There are no release notes.
10/25/2019 - SimpliSafe says the latest base station version is "1.4.58.X".
10/25/2019 - Tenable confirms we were out of date. Updates to keypad 1.4.20 and base station 1.4.58.
10/25/2019 - Tenable reaffirms that the Bluetooth-related flaw still exists in the latest firmware version. Tenable adds more details to the Bluetooth PoC.
10/30/2019 - SimpliSafe asks for the specific BLE application and device used to send the JSON.
10/31/2019 - Tenable replies with a Python PoC, device details (CSR 4.0), and a screenshot.
11/06/2019 - SimpliSafe acknowledges receipt. They will be in touch soon.
11/07/2019 - Tenable acknowledges.
11/19/2019 - Tenable asks for an update.
11/19/2019 - SimpliSafe will get back to us with an update.
11/21/2019 - This report will be transitioned to another SimpliSafe representative.
11/21/2019 - Tenable acknowledges. Thanks for the update.
11/25/2019 - SimpliSafe is having trouble running the Python BTLE PoC on a Linux VM.
11/25/2019 - Tenable offers advice on how to run the PoC. Also offers to provide/describe a PoC using another method.
12/02/2019 - SimpliSafe is having Bluetooth-related issues with the PoC.
12/03/2019 - Tenable reproduces the issue again against two base stations. Sends screenshots of the PoC working and also logs obtained over UART.
12/03/2019 - SimpliSafe has different log output. Asks if we can coordinate to figure things out.
12/05/2019 - Tenable agrees to coordinate. Asks for SimpliSafe's availability.
12/06/2019 - Tenable and SimpliSafe meet over video chat session. Bluetooth vulnerability is demonstrated by Tenable. SimpliSafe still cannot reproduce, so Tenable was asked to reproduce 3 test cases.
12/09/2019 - SimpliSafe thanks Tenable for our time. Mentions potential inconsistencies between our bluepy libraries. Asks about our test cases.
12/10/2019 - Tenable sends all test case results. Also sends instructions on how to reproduce our testing environment.
12/10/2019 - SimpliSafe thanks Tenable.
12/11/2019 - SimpliSafe proposes they have different files in the bluepy library.
12/12/2019 - Tenable sends sha256sum of btle.py.
12/12/2019 - SimpliSafe confirms sha256sum is different. Asks about details of environment and if we could send our device / btle library to them.
12/12/2019 - Tenable offers to send whatever they need. Reproduces PoC with an updated bluepy library (matching SimpliSafe's).
12/19/2019 - SimpliSafe offers to provide a shipping label.
12/19/2019 - Tenable agrees to send the base station and dongle. Accepts offer for shipping label.
12/20/2019 - SimpliSafe sends a prepaid shipping label. Thanks Tenable for our efforts.
12/20/2019 - Tenable sends package using label. Notifies SimpliSafe and lists out contents of package: base station, btle dongle, and keypad. Thanks SimpliSafe as well.
12/24/2019 - Tenable sees package was delivered. Inquires if the package was delivered to the proper personnel.
12/25/2019 - SimpliSafe acknowledges that package was received. Will keep us updated on further testing results.
01/07/2020 - SimpliSafe asks us to meet due to unexpected behavior with the base station.
01/08/2020 - Tenable agrees to meet.
01/08/2020 - Through collaborative effort, SimpliSafe reproduced the BTLE issue.
01/08/2020 - SimpliSafe will send Tenable a new retail system and a summary of the issue and fix statuses. They hope to finalize scoping out the affected systems this week.
01/09/2020 - SimpliSafe asks when the latest date to request a disclosure extension is.
01/09/2020 - Tenable asks if we could be notified by COB Jan 14.
01/13/2020 - SimpliSafe asks to meet again. Asks if we have retested BTLE issue against the new retail system they sent us. Also says they cannot reproduce against their own new system.
01/14/2020 - Tenable cannot reproduce on the new system. Notices the base station firmware is 1.4.62. Asks if code was updated to correct this issue. Agrees to meet today.
01/14/2020 - Tenable sends a new PoC.
01/14/2020 - SimpliSafe reproduces the issue using new PoC. Asks if we can grant 14-day extension. Also asks if we can possibly allow them more time than that.
01/14/2020 - Tenable grants 14-day extension.
01/15/2020 - Tenable asks SimpliSafe how long they might need in order to mitigate the BTLE issue.
01/15/2020 - SimpliSafe will need until around March. Asks for more time.
01/15/2020 - Tenable will extend the BTLE issue by an additional 14 days, due to extenuating circumstances. New disclosure date is Feb 13.
01/15/2020 - SimpliSafe thanks Tenable for additional extension.
02/11/2020 - Tenable follows up to ask for updates.
02/11/2020 - SimpliSafe is targeting a fix in late March. Fix version will be 1.6.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2019-3998
Tenable Advisory ID: TRA-2020-09
Credit: Chris Lyne, Nick Miles
CVSSv2 Base / Temporal Score: 1.9 / 1.7
CVSSv2 Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:N)
Affected Products: SimpliSafe SS3 Base Station
Risk Factor: Low