New vulnerabilities have been discovered in the Fortress S03 Wi-Fi Home Security System that could potentially be abused by a malicious party to gain unauthorized access with the aim of altering system behavior, including disarming the devices without the victim’s knowledge.
The two unpatched issues, tracked under the identifiers CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7), were discovered and reported by cybersecurity firm Rapid7 in May 2021 with a 60-day deadline to fix the weaknesses.
The Fortress S03 Wi-Fi Home Security System is a do-it-yourself (DIY) alarm system that allows users to secure their homes and small businesses from burglars, fires, gas leaks, and water leaks by leveraging Wi-Fi and RFID technology for keyless entry. The company’s security and surveillance systems are used by “thousands of clients and continued customers,” according to its website.
Calling the vulnerabilities “trivially easy to exploit,” Rapid7 researchers noted that CVE-2021-39276 concerns unauthenticated API access that allows an attacker in possession of a victim’s email address to query the API and leak the device’s International Mobile Equipment Identity (IMEI) number, which also doubles as the serial number. Armed with the device’s IMEI number and the email address, the adversary can proceed to make a number of unauthorized changes, such as disabling the alarm system via an unauthenticated POST request.
CVE-2021-39277, on the other hand, relates to an RF signal replay attack, in which a lack of adequate encryption gives the bad actor the ability to capture the radio frequency command-and-control communications over the air using software-defined radio (SDR) and play back the transmission to perform specific functions, such as “arm” and “disarm” operations, on the target device.
“For CVE-2021-39276, an attacker with the knowledge of a Fortress S03 user’s email address can easily disarm the installed home alarm without that user’s knowledge,” the researchers said in a report shared with The Hacker News.
“CVE-2021-39277 presents similar problems, but requires less prior knowledge of the victim, as the attacker can simply stake out the property and wait for the victim to use the RF-controlled devices within radio range. The attacker can then replay the ‘disarm’ command later, without the victim’s knowledge.”
Rapid7 said it notified Fortress Security of the bugs on May 13, 2021, only for the company to close the report 11 days later on May 24. We have reached out to Fortress Security for comment, and we will update the story if we hear back.
In light of the fact that the issues continue to persist, it’s recommended that users configure their alarm systems with a unique, one-time email address to work around the IMEI number exposure.
“For CVE-2021-39277, there seems to be very little a user can do to mitigate the effects of the RF replay issues absent a firmware update to enforce cryptographic controls on RF signals. Users concerned about this exposure should avoid using the key fobs and other RF devices linked to their home security systems,” the researchers said.
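To show why a fixed RF command can be replayed and what a cryptographic control on the signal changes, here is an added sketch (not Fortress's protocol and not Rapid7's code) comparing a fixed-code receiver with one that checks an HMAC and a rising counter. The frame layouts, key, counter window and all class and function names are constructed assumptions for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed per-fob secret (assumption)
TAG_LEN = 8  # truncated HMAC-SHA256 tag, sized for a short RF frame

class StaticReceiver:
    """Fixed-code design: any frame matching a known byte string is accepted."""
    COMMANDS = {b"\xa5\x01": "arm", b"\xa5\x02": "disarm"}  # constructed frames

    def handle(self, frame):
        return self.COMMANDS.get(frame)

def fob_frame(key, counter, command):
    """Transmitter side: command || counter || HMAC(key, command || counter)."""
    body = command + struct.pack(">I", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class RollingReceiver:
    """Accepts a frame only if its MAC verifies and its counter is fresh."""
    COMMANDS = {b"\x01": "arm", b"\x02": "disarm"}
    WINDOW = 16  # tolerates presses made while out of radio range

    def __init__(self, key):
        self.key, self.last = key, 0

    def handle(self, frame):
        if len(frame) != 5 + TAG_LEN:
            return None
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified frame
        counter = struct.unpack(">I", body[1:])[0]
        action = self.COMMANDS.get(body[:1])
        if action is None or not self.last < counter <= self.last + self.WINDOW:
            return None  # unknown command, replayed counter, or too far ahead
        self.last = counter
        return action

def demo():
    """Feed each receiver the same captured 'disarm' frame twice."""
    static, rolling = StaticReceiver(), RollingReceiver(KEY)
    captured = fob_frame(KEY, 1, b"\x02")
    return {
        "static": [static.handle(b"\xa5\x02") for _ in range(2)],
        "rolling": [rolling.handle(captured) for _ in range(2)],
    }
```

Calling `demo()` shows the fixed-code receiver acting on the second copy of the frame while the counter-checking receiver drops it.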