Rapid7 researcher Arvind Vishwakarma discovered two vulnerabilities in the Fortress S03 WiFi home security system that can allow network attackers to remotely disarm the system’s security defenses, leaving the home open to intrusion. Arvind said, “These vulnerabilities can lead to unauthorized access to control or modify system behavior, as well as access to unencrypted information in storage or transmission.” The two vulnerabilities remain unpatched and could let an unauthorized attacker switch off the monitoring of windows, doors and motion sensors.
The Fortress platform is a consumer-grade home security system. Users can mix and match sensors, IP cameras and accessories and connect them over Wi-Fi to build a personalized security system. RF key fobs are used to control the system, including arming and disarming the door and window contact sensors and motion detectors. Neither vulnerability has been patched at the time of writing.
Disarming the home security system
Arvind stated in a post published on Tuesday, local time, that the first vulnerability, tracked as CVE-2021-39276, stems from an insecure cloud API deployment. An unauthenticated user can query the API to obtain a secret and then use that secret to remotely change the system’s behavior. To disarm the alarm system, the attacker can send a specially crafted unauthenticated POST request to the API.
Arvind said: “If malicious hackers know the user’s email address, they can use it to query the cloud-based API, which returns an International Mobile Equipment Identity (IMEI) number that appears to be the serial number of the device. With the device’s IMEI number and the user’s email address, it is possible for malicious actors to make changes to the system, including disarming alarms.”
According to Rapid7, it is important to note that for a random, opportunistic home intruder this may be too much effort to exploit, but in a stalker or restraining-order type scenario the attacker already knows the target and likely has their email address, and given the possibility of physical violence, the urgency of mitigating the problem increases.
“The probability of exploiting these problems is very low,” Tod Beardsley, research director at Rapid7, told Threatpost. “After all, an opportunistic intruder is unlikely to be a cybersecurity expert. However, my concern is an attacker who already knows the victim very well, or at least knows their email address, which is all the information really needed to use CVE-2021-39276 to disable these devices over the Internet.”
The RF replay vulnerability
The second issue, tracked as CVE-2021-39277, involves the radio frequency signals used for communication between the key fobs, the door/window contact sensors and the Fortress console, which are sent in the 433 MHz band. Anyone within range of the RF signal can capture it and replay it to change the behavior of the system, including disarming it.
Arvind said: “When a radio-controlled device does not properly implement encryption or key protection, this allows an attacker to capture command and control signals by monitoring the airwaves, and then replay these radio signals to perform functions on the associated device.”
In a proof of concept, the researcher used a software-defined radio (SDR) device to capture the device’s “ARM” and “DISARM” commands during normal operation. Replaying the captured RF command traffic then armed and disarmed the system without any further user interaction.
Exploiting this vulnerability requires the attacker to physically monitor the property and wait for the victim to use the RF-controlled device on the system, but it does not require any prior knowledge of the victim.
Beardsley told Threatpost that to take advantage of the RF weakness, “the attacker needs to be fairly familiar with SDR in order to capture and replay the signal, and be within a reasonable radio range. This range depends on the sensitivity of the equipment used, but usually this kind of eavesdropping requires line of sight and a fairly close distance, roughly across the street.”
How to prevent home security attacks
As mentioned earlier, no firmware updates are available for either vulnerability. The vendor closed the Rapid7 ticket for the vulnerability report without comment and did not respond to the researchers’ follow-up inquiries.
Beardsley said: “In the past, we have seen vendors who were slow to respond before disclosure often respond after disclosure, and often fix these problems quickly. I have hope for this issue.”
However, there is a workaround for the first problem. Beardsley told Threatpost that because the attack requires the email address registered with the system, “we recommend registering the device with a secret, one-time-use email address, which can serve as a weak password. If there is no authentication update from the vendor, I think this is a good solution.”
The post stated that for CVE-2021-39277, “without a firmware update to strengthen the encryption controls on the radio frequency signals, users can do little to mitigate the RF replay problem.” Rapid7 recommends that users avoid using the key fobs and other RF devices connected to Fortress in order to avoid the attack.
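The replay weakness behind CVE-2021-39277 comes down to the fob emitting the same bytes for every press, so a recorded DISARM frame stays valid forever. The following Python is an added illustration, not Rapid7’s or Fortress’s code, of the kind of counter-plus-MAC scheme a firmware update could adopt so that a replayed frame is rejected; the pairing key, frame layout and counter window are assumptions for the demo, and the RF transport is abstracted away.

```python
import hashlib, hmac, struct

# Shared secret provisioned into fob and panel at pairing time.
# Constructed value for this demo; a real product would use per-device keys.
PAIRING_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
COMMANDS = ("ARM", "DISARM")
TAG_LEN = 8

class RollingCodeFob:
    """Each press sends counter || command || HMAC(key, counter || command)."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self, cmd: str) -> bytes:
        self.counter += 1
        body = struct.pack(">I", self.counter) + cmd.encode("ascii")
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]

class RollingCodePanel:
    """Accepts a frame only if the MAC verifies and the counter moves forward
    (within a small window so missed presses do not desynchronise the pair)."""
    WINDOW = 16

    def __init__(self, key: bytes):
        self.key, self.last_counter, self.armed = key, 0, False

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted frame
        counter = struct.unpack(">I", body[:4])[0]
        cmd = body[4:].decode("ascii", errors="ignore")
        fresh = self.last_counter < counter <= self.last_counter + self.WINDOW
        if cmd not in COMMANDS or not fresh:
            return False                      # unknown command, replay, or too far ahead
        self.last_counter, self.armed = counter, cmd == "ARM"
        return True

def replay_demo() -> dict:
    fob, panel = RollingCodeFob(PAIRING_KEY), RollingCodePanel(PAIRING_KEY)
    panel.receive(fob.press("ARM"))
    recorded = fob.press("DISARM")            # the frame an SDR would record off the air
    live_ok = panel.receive(recorded)         # genuine press: accepted, system disarms
    panel.receive(fob.press("ARM"))
    replay_ok = panel.receive(recorded)       # same bytes again: stale counter, rejected
    return {"live_accepted": live_ok, "replay_accepted": replay_ok, "armed": panel.armed}
```

Contrast this with a fixed-code design, where the panel would accept the recorded frame on every replay because nothing in it changes between presses.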
These are just the latest vulnerabilities found in Internet of Things (IoT) devices, underscoring the continued need for security by design from hardware vendors.
Tripwire principal security researcher Craig Young said in an email: “Appropriate cloud infrastructure can enable automatic updates and isolate users from many local security threats, greatly benefiting IoT security, but it also amplifies the impact of vendor programming errors. Although vulnerabilities in a single device are usually exploited by nearby attackers, vulnerabilities in the vendor’s infrastructure may expose all users at once.”