A vulnerability in the smart access control system used in thousands of rental homes in the United States could allow anyone to remotely control any lock in an affected home. However, Chirp Systems, the company that manufactures this system, has ignored requests to fix this flaw.
U.S. cybersecurity agency CISA said in a security advisory issued last week that a phone app developed by Chirp, which residents use in place of keys to access their homes, stores hard-coded credentials that could be used to remotely control any Chirp-compatible smart lock.
Apps that rely on passwords stored in the source code (known as hard-coded credentials) are a security risk because anyone can extract and use those credentials to perform actions impersonating the app. In this case, the credentials allow anyone to remotely lock or unlock a Chirp-connected door lock over the Internet.
CISA said in its advisory that successful exploitation of this flaw “could allow an attacker to seize control and gain unrestricted physical access” to smart locks connected to Chirp smart home systems. The cybersecurity agency gave the vulnerability a severity score of 9.1 out of 10, citing its “low attack complexity” and ability to be exploited remotely.
Cybersecurity officials said Chirp Systems has not responded to CISA or the researchers who discovered the vulnerability.
Security researcher Matt Brown told veteran security journalist Brian Krebs that he notified Chirp of the security issue in March 2021, but the vulnerability remains unfixed.
Chirp Systems is one of a growing number of companies in the real estate technology space that provide keyless access control integrated with smart home technology to rental giants. Rental companies are increasingly forcing renters to allow the installation of smart home devices under lease agreements, but who bears responsibility and ownership in the event of a security issue remains unclear at best.
In 2020, real estate and rental giant Camden Property Trust signed a deal to install Chirp-connected smart locks on more than 50,000 locks at more than 100 properties. It's unclear whether affected facilities like Camden are aware of the vulnerability or are taking precautions. Camden spokeswoman Kim Callahan did not respond to a request for comment.
Chirp was acquired in 2020 by real estate management software giant RealPage, which was itself acquired by private equity giant Thoma Bravo in a $10.2 billion deal later that year. RealPage is facing several legal challenges over allegations that its rent-setting software uses secret proprietary algorithms to help landlords set the highest possible rents for tenants.
Neither RealPage nor Thoma Bravo has yet acknowledged the vulnerabilities in their acquired software, nor have they said whether they plan to notify affected residents of the security risks.
RealPage spokesperson Jennifer Bowcock did not respond to TechCrunch's request for comment. Megan Frank, a spokeswoman for Thoma Bravo, also did not respond to a request for comment.