New vulnerabilities have been discovered in the Fortress S03 Wi-Fi Home Security System that could be abused by a malicious party to gain unauthorized access and alter system behavior, including disarming the victim's devices without their knowledge.
The two unpatched issues, tracked as CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7), were discovered and reported by cybersecurity firm Rapid7 in May 2021, with 60 days given to fix the weaknesses.
The Fortress S03 Wi-Fi Home Security System is a DIY alarm system that allows users to protect their homes and small businesses from burglars, fires, gas leaks, and water leaks, using Wi-Fi and RFID technology for keyless entry. The company's security and surveillance systems are used by "thousands of customers and ongoing customers," according to its website.
Calling the vulnerabilities "trivially easy to exploit," Rapid7 researchers noted that CVE-2021-39276 concerns unauthenticated API access that allows an attacker in possession of a victim's email address to query the API and obtain the device's International Mobile Equipment Identity (IMEI) number, which also doubles as the serial number. Armed with the device's IMEI number and email address, the adversary can proceed to make a number of unauthorized changes, such as disabling the alarm system through an unauthenticated POST request.
CVE-2021-39277, on the other hand, relates to an RF signal replay attack: because the over-the-air command-and-control traffic is not encrypted, a bad actor can capture the radio-frequency transmissions using a Software Defined Radio (SDR) and replay them to perform specific functions, such as "arm" and "disarm" operations, on the target device.
"As for CVE-2021-39276, an attacker with knowledge of a Fortress S03 user's email address can easily disarm the installed home alarm without that user's knowledge," the researchers said in a report shared with The Hacker News.
"CVE-2021-39277 presents similar issues, but requires less prior knowledge of the victim, as the attacker can simply monitor the property and wait for the victim to use the RF-controlled devices within radio range. The attacker can then reproduce the 'disarm' command later, without the victim's knowledge."
Rapid7 said it notified Fortress Security of the flaws on May 13, 2021, only for the company to close the report 11 days later, on May 24. We reached out to Fortress Security for comment and will update the story if we receive a response.
Given that the issues remain unpatched, users are advised to configure their alarm systems with a unique, dedicated email address to avoid exposing the IMEI number.
"For CVE-2021-39277, there appears to be very little a user can do to mitigate the effects of RF replay issues without a firmware update to enforce cryptographic controls on RF signals. Users concerned about this exposure should avoid using key fobs and other RF devices linked to their home security systems," the researchers said.
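The replay weakness behind CVE-2021-39277 exists because the receiver obeys any recorded frame as-is; the "cryptographic controls on RF signals" the researchers mention would look roughly like the following model, in which a frame carries an authentication tag and a freshness counter so a captured copy is rejected when sent again. This is an added illustration written for this article, not Fortress firmware or Rapid7 code; the frame layout, key, command codes and counter window are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed example values: a per-fob key would be provisioned at pairing time.
KEY = b"example-fob-key-0001"  # placeholder, not a real key
CMD_ARM, CMD_DISARM = 0x01, 0x02
COMMANDS = {CMD_ARM: "arm", CMD_DISARM: "disarm"}
FRAME_LEN = 4 + 1 + 8  # counter || command || truncated HMAC tag


def build_frame(counter: int, cmd: int, key: bytes = KEY) -> bytes:
    """Fob side: counter (4 bytes, big-endian) || command (1 byte) || 8-byte HMAC-SHA256 tag."""
    body = struct.pack(">IB", counter, cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


def naive_process(frame: bytes) -> str:
    """Model of an unauthenticated receiver: it obeys whatever command byte it sees,
    so a frame recorded once is accepted every time it is retransmitted."""
    if len(frame) < 5:
        return "reject:malformed"
    return COMMANDS.get(frame[4], "reject:unknown-cmd")


class AuthenticatedReceiver:
    """Panel side: a frame is obeyed only if its tag verifies under the shared key and its
    counter is newer than the last accepted one (within a window tolerating lost presses)."""

    def __init__(self, key: bytes = KEY, window: int = 16):
        self.key = key
        self.window = window
        self.last_counter = -1

    def process(self, frame: bytes) -> str:
        if len(frame) != FRAME_LEN:
            return "reject:malformed"
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return "reject:bad-tag"          # forged or bit-flipped frame
        counter, cmd = struct.unpack(">IB", body)
        if cmd not in COMMANDS:
            return "reject:unknown-cmd"
        if counter <= self.last_counter:
            return "reject:replay"           # already seen: a recorded frame sent again
        if counter > self.last_counter + self.window:
            return "reject:out-of-window"    # desynchronised fob; would need re-pairing
        self.last_counter = counter
        return COMMANDS[cmd]
```

Real rolling-code fobs differ in detail, but the two checks shown, an authentication tag and a freshness counter, are what make a captured frame useless the second time it is transmitted.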
Author: Ravie Lakshmanan