Vulnerabilities allow attackers to remotely deactivate home security system (CVE-2021-39276, CVE-2021-39277)

A DiY home security system sold to families and businesses across the US sports two vulnerabilities (CVE-2021-39276, CVE-2021-39277) that, while not critical, “are trivially easy to exploit by motivated attackers who already have some knowledge of the target,” Rapid7 warns.

About the vulnerabilities (CVE-2021-39276, CVE-2021-39277)

The Fortress S03 WiFi Security System is a consumer-grade offering that customers can be customized for each physical location. It uses WiFi and RF communication to monitor doors and windows, and it can detect the presence of intruders, gas leaks, smoke, and so on.

Unfortunately, researcher Arvind Vishwakarma discovered that it has an insecure cloud API deployment (CVE-2021-39276) and a vulnerability that allows close-by attacker to capture and replay RF signals to alter systems behavior (CVE-2021-39277).

CVE-2021-39276 may allow a malicious actor that knows a user’s email address to query the cloud-based API to return an IMEI number that’s also the device’s serial number. Armed with these two pieces of information, the attacker could make changes to the system – and that includes disarming its alarm without the user’s knowledge.

“While this is not usually much of a concern for random, opportunistic home invaders, this is particularly concerning when the attacker already knows the victim well, such as an ex-spouse or other estranged relationship partner,” Rapid7’s Research Director, Tod Beardsley, noted.

I also posit that if criminals know the potential victim’s name and physical address, they can easily discover their different email address by searching for the info online. And with home owners often putting stickers on their windows “advertising” the use of a specific security solution, if would be easy for motivated criminals to pinpoint users of the vulnerable system.

CVE-2021-39277 is a matter of improper encryption or rotating key protections, so attackers can capture command-and-control signals over the air and replay them to, for example, disarm the security system.

“There seems to be very little a user can do to mitigate the effects of the RF replay issues, absent a firmware update to enforce cryptographic controls on RF signals. Users concerned about this exposure should avoid using key fobs and other RF devices linked to their home security systems,” Beardsley advised.

“In the absence of a patch or update, to work around the IMEI number exposure described in CVE-2021-39276, users could configure their alarm systems with a unique, one-time email address.”

Rapid7 has contacted Fortress in May to share the details of their discovery before releasing them to the public, but they haven’t heard back from them yet. They hope that the disclosure will spur them to fix the vulnerabilities quickly.