Ring, SimpliSafe, and Three Other DIY Home Security Systems Vulnerable to Hacking

In CR's tests of 10 DIY systems, only half could withstand our jamming attacks

When you shop through retailer links on our site, we may earn affiliate commissions. 100% of the fees we collect are used to support our nonprofit mission. Learn more.

Illustration of a home security camera, house and warning sign Illustration: Getty Images

If you’ve seen the latest Scream movie, you might be haunted by the scene of the killer disabling a home security system to get inside a victim’s house. (Warning: the trailer is chilling.) The portrayed attack method is highly unlikely to happen in real life, but the scary scene might make you wonder just how tamper-resistant your own home security system is. And that’s a legitimate concern.

In a series of new tests, Consumer Reports found that five popular DIY home security systems are relatively easy to jam. That means a burglar can use a laptop and a portable radio frequency (RF) transceiver to block the signals from door/window or motion sensors and enter a home without triggering the alarm. It’s worth noting that any wireless device can be jammed, but there are methods and technologies that make it harder to pull off.

The systems our testers were able to jam are the Abode Iota All-In-One Kit, Cove Home Security System, Eufy 5-Piece Home Alarm Kit, Ring Alarm Security Kit (2nd gen.), and SimpliSafe The Essentials SS3-01.

Two of those systems—Cove and Eufy—are also susceptible to replay disarm signal attacks, a more complicated attack where a hacker captures and records the disarm signal from a keyfob and later broadcasts it to disarm the security system, again using a laptop and an RF transceiver.

The tests were conducted as part of our first-ever digital privacy and security tests of DIY home security systems. The tests are done in CR’s Digital Lab, which evaluates a number of digital products and services for privacy and security. Our experts in the Digital Lab design our tests using The Digital Standard, an open-source set of criteria for evaluating digital products and services created by CR with other organizations, scoring these security systems on more than 70 factors.

More on Home Security

Owners of these systems needn’t panic, however. “If you own one of these jammable systems, you don’t necessarily need to replace it since the problem is not that common right now,” says Fred Garcia, a test engineer for privacy and security at the Digital Lab. “But we do want consumers to be aware that this is possible, and if you are in the market now for a new system, we found options that are more resistant to this issue.”

Five other systems—Blue by ADT, Ecobee, Honeywell Home, Kangaroo, and Ooma—successfully resisted jamming and replay attacks using CR’s RF transceiver technique. These results demonstrate that it’s possible to create a system that is less susceptible to these relatively sophisticated attacks.

Read on for more details on our test results. And to see how each system performed in our jamming and replay disarm tests—as well as our data privacy, data security, and standard performance tests—check out our complete home security system ratings.

How Jamming Works

We don’t want to go into too much detail (and inadvertently help would-be burglars learn how to execute jamming attacks), but it’s important to understand how these attacks work at a high level.

As shown in the demonstration video above, all a hacker/burglar needs to successfully jam a home security system is a laptop, an RF transceiver, and knowledge of the system being used in the person’s home. With those resources in hand, they can continuously drown out the signals from door/window or motion sensors and prevent the sensors from triggering the alarm while they enter, traverse through, and exit the home. As far as the system is concerned, no intruder is detected and the professional monitoring service wouldn’t dispatch the police.

What Our Tests Reveal

Not all systems that can be jammed are equally vulnerable. Some systems are equipped with a jam detection feature that detects the attack and sends a notification to users (although it doesn’t trigger the alarm). Because of variations in how these systems respond (or don’t respond) to jamming, we used our Poor to Excellent ratings scale to cover the range of responses:

  • Excellent: We were unable to jam the system in our lab setup.
  • Very Good: We were able to jam the system in our lab setup, but it detects the jamming and alerts users in under 30 seconds.
  • Good: We were able to jam the system in our lab setup, and it took more than 30 seconds to detect it and alert users.
  • Fair: We were able to jam the system in our lab setup, but its more-sophisticated sensors make jamming more difficult. It does not detect jamming.
  • Poor: We were more easily able to jam the system in our lab setup, and it does not detect jamming.

For example, the SimpliSafe system rates Very Good even though it can be jammed, because it detects jamming after just a few seconds. The Abode system earns a Good rating because it detects jamming after about a minute. Both systems alert the user, but do not trigger the alarm.

Ring earns a Fair rating for jamming, while both Cove and Eufy earn Poor ratings. The five systems that we weren’t able to jam earn Excellent ratings. You can see these scores in our security system ratings under the jamming resistance column.

What the Manufacturers Say

Consumer Reports shared its findings with the five manufacturers and asked each if it would update its systems to prevent jamming. Only Eufy explicitly said it will fix the jamming issue (the company plans to release a software update in early April). Cove said it is considering moving to encrypted sensors for a future version of its system and has “been monitoring whether the cost and complexity is justified by the threat in the field.” Ring said it has “implemented safeguards in our Ring Alarm system to help address wireless signal jamming, and we will continue inventing ways to help protect our customers,” but did not get more specific.

SimpliSafe responded that it continually refines its jam detection algorithm and releases “security updates to safeguard our system against jamming vulnerabilities.” Abode pointed to the fact that it offers jam detection as a standard feature but did not address the jamming itself.

Manufacturers that don’t currently offer jamming detection were mixed on whether they would add it. Cove said it plans to add jam detection to its system next year, but likely as an optional feature. Eufy said it would not add the feature to its system. Ring wouldn’t directly answer our question about whether it will add that feature to its system.

There may be a reason for their reluctance. “Jam detection can create false positive alerts due to interference from other wireless devices, which might be why some brands opted not to implement the feature,” Garcia says.

In addition to the vulnerabilities related to jamming, Abode and Cove had a handful of small, lower-risk security issues that we found, which they did fix.

Bruce Ehlers, vice president of product development and engineering at Cove, adds that the residential security industry doesn’t see these types of attacks as a huge issue, with millions of these systems in US homes today. The deterrence value of an affordable home security system is proven in the market and “the industry has not experienced significant real-world intrusions due to replay or jamming attacks,” says Ehlers.

Glenn Gomes-Casseres, vice president of product and design at SimpliSafe, points out that these attacks are difficult to pull off in the first place.

“In order to jam a device, one would have to perfectly execute a highly nuanced protocol with devices specifically tuned and configured for this purpose,” says Gomes-Casseres. “And even if successful, thanks to SimpliSafe’s built-in detection, customers are alerted, and cameras are queued to record and capture evidence, during jamming attempts.”

Illustration of a computer blocking the signals from a home security system.

Illustration: Consumer Reports, Getty Images Illustration: Consumer Reports, Getty Images

Is Jamming a Real Threat?

Ultimately, most burglars’ preferred break-in methods are more likely to be low-tech. 

“The good news is that the intelligence required to evaluate a home security system and jam it with a specialized RF transceiver is beyond the capabilities of the vast majority of burglars,” says Kirk MacDowell, CEO of security consulting firm MacGuard Security Advisors. Still, MacDowell adds that legitimate systems should offer jam detection, as well as encryption to prevent attackers from eavesdropping on these wireless signals.

He says good quality professionally-installed systems offer these protection features, but not all DIY systems sold at retail do the same.

"If it becomes more well-known that burglars can trivially evade certain security systems, then it seems likely more wrongdoers will be able to take advantage of this flaw," says Justin Brookman, CR’s director of technology policy. "If there are reasonable measures manufacturers can take to remediate this exploitable threat, then they should be obligated to update their systems and close this loophole."

So, how can you protect your system? First, don’t advertise what system you own with its branded yard signs and window decals. Once a burglar knows what system is being used, they can easily figure out which signals they need to jam.

“Security signs and decals can be a useful deterrent to burglars, but you should always use generic, un-branded signs and decals,” says Bernie Deitrick, who oversees CR’s home security system testing. “That way you get the same benefits without tipping burglars off to the brand of system you own.”

Replay Disarm Results

As noted above, the Cove and Eufy systems are currently susceptible to this type of attack, where a hacker copies the disarm signal from a keyfob and broadcasts it to disarm the security system. Both systems receive Poor ratings for replay disarm resistance as a result, while the other systems receive Excellent ratings.

This attack is more difficult to pull off than a jamming attack, as the hacker would need to be in the vicinity of your home for a while, making it more likely that you would spot them.

“It requires the attacker to be near a key fob or keypad when the user presses the disarm button so they can capture the signal,” says Garcia. “They would then have to replay the disarm signal, near the base station of the system, in order to disarm it. This is all possible, but there are many steps involved and the user would usually get notified if the system becomes disarmed.”

We also shared these findings with Cove and Eufy. Eufy said it will fix the issue in a future software update, while Cove said it’s considering using encrypted sensors (which would prevent replay attacks) in a future version of its system. Cove vice president Bruce Ehlers also said this type of attack is unlikely to occur because it requires the hacker to “stake out” your home. He added that the Cove system can also be used without a keyfob, which would eliminate the chances of this type of attack, but also remove an easy method for controlling the system.

Best Security Systems From CR’s Tests

Here are the top three DIY security systems from our tests. Keep in mind some of them score poorly for jamming, but we still recommend them because these attacks are very unlikely to happen and the systems still perform well in our other tests, such as ease of setup and data security. One notable weak spot, though, is data privacy. With the exception of Kangaroo, most of the systems we tested earn middling-to-unfavorable data privacy scores. For the rest of our test results, see our home security system ratings.

Home Content Creator Daniel Wroclawski

Daniel Wroclawski

I'm obsessed with smart home tech and channel my obsession into new stories for Consumer Reports. When I'm not writing about products, I spend time either outside hiking and skiing or up in the air in small airplanes. For my latest obsessions, follow me on Facebook and Twitter (@danwroc).