A cybersecurity company claims that a popular smart home security system has a pair of vulnerabilities that can be exploited to completely disarm the system.
Rapid7 discovered vulnerabilities in the Fortress S03, a home security system that relies on Wi-Fi to connect cameras, motion sensors and sirens to the internet, allowing homeowners to remotely monitor their homes from anywhere with a mobile application. The security system also uses a radio-controlled key fob to allow homeowners to arm or disarm their home from outside their front door.
But the cybersecurity firm said the vulnerabilities include an unauthenticated API and an unencrypted radio signal that can be easily intercepted.
Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress for three months, the standard window of time security researchers give companies to fix bugs before details are made public. Rapid7 said the only acknowledgment of its email came when Fortress closed its support ticket a week later without commenting.
Fortress owner Michael Hofeditz opened but did not respond to multiple emails sent by TechCrunch with an open email follow-up. An email from Bottone Riling, a Massachusetts law firm representing Fortress, called the allegations “false, deliberately misleading and defamatory,” but did not provide details of what it says is false, or say whether Fortress has mitigated the vulnerabilities.
Rapid7 said that Fortress’s unauthenticated API can be queried remotely over the internet without the server checking whether the request is legitimate. The researchers said that if someone knows an owner’s email address, the server will return the device’s unique IMEI, which in turn could be used to disarm the system remotely.
The other flaw takes advantage of unencrypted radio signals sent between the security system and the owner’s key fob. This allowed Rapid7 to capture and replay the signals for “arm” and “disarm” because the radio waves were not properly scrambled.
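To show why a fixed, unscrambled key fob signal can be replayed and what a receiver-side check against replay looks like, here is an added example (not code from Rapid7, Fortress or the original article). It assumes an HMAC-based rolling counter as the mitigation; the frame layout, key and window size are constructed for illustration and are not how the S03 works.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared secret, set when the fob is paired
WINDOW = 16                    # how far ahead of the last counter the receiver accepts
TAG_LEN, CTR_LEN = 8, 4

def static_frame(command: str) -> bytes:
    """Fixed frame per command: every button press sends identical bytes."""
    return command.encode()

class StaticReceiver:
    """Accepts any known command frame, so a recorded frame stays valid forever."""
    def accept(self, frame: bytes) -> bool:
        return frame in (b"arm", b"disarm")

def rolling_frame(command: str, counter: int, key: bytes = KEY) -> bytes:
    """Frame = command || 4-byte counter || truncated HMAC-SHA256 over both."""
    body = command.encode() + counter.to_bytes(CTR_LEN, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class RollingReceiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last = 0  # highest counter accepted so far; the fob starts at 1

    def accept(self, frame: bytes):
        if len(frame) <= TAG_LEN + CTR_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted frame
        counter = int.from_bytes(body[-CTR_LEN:], "big")
        if not (self.last < counter <= self.last + WINDOW):
            return None  # replayed (old counter) or implausibly far ahead
        self.last = counter
        return body[:-CTR_LEN].decode()

if __name__ == "__main__":
    recorded = static_frame("disarm")
    print("static, replayed frame accepted:", StaticReceiver().accept(recorded))
    rx = RollingReceiver()
    frame = rolling_frame("disarm", 1)
    print("rolling, first use:", rx.accept(frame))
    print("rolling, replay   :", rx.accept(frame))
```
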
Vishwakarma said owners can use an email address with a plus tag containing a long, unique string of letters and numbers, which acts in place of a password. But there is little owners can do about the radio signal bug until Fortress fixes it.
Fortress did not say whether it has patched or plans to patch the vulnerabilities. It is not clear if Fortress is capable of patching the vulnerabilities without replacing hardware. It is not known whether Fortress builds the device itself or purchases the hardware from another manufacturer.