New vulnerabilities have been discovered in the Fortress S03 Wi-Fi Home Security System that could potentially be abused by a malicious party to gain unauthorized access with the aim of altering system behavior, including disarming the devices without the victim's knowledge.
The two unpatched issues, tracked under the identifiers CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7), were discovered and reported by cybersecurity firm Rapid7 in May 2021 with a 60-day deadline to fix the weaknesses.
The Fortress S03 Wi-Fi Home Security System is a do-it-yourself (DIY) alarm system that enables users to secure their homes and small businesses against burglars, fires, gas leaks, and water leaks by leveraging Wi-Fi and RFID technology for keyless entry. The company's security and surveillance systems are used by "thousands of clients and continued customers," according to its website.
Calling the vulnerabilities "trivially easy to exploit," Rapid7 researchers noted that CVE-2021-39276 concerns unauthenticated API access that enables an attacker in possession of a victim's email address to query the API and leak the device's International Mobile Equipment Identity (IMEI) number, which also doubles as the serial number. Armed with the device's IMEI number and the email address, the adversary can proceed to make a number of unauthorized changes, such as disabling the alarm system via an unauthenticated POST request.
CVE-2021-39277, on the other hand, relates to an RF signal replay attack, wherein a lack of adequate encryption gives the bad actor the ability to capture the radio-frequency command-and-control communications over the air using a software-defined radio (SDR) and play back the transmission to perform specific functions, such as "arm" and "disarm" operations, on the target device.
"For CVE-2021-39276, an attacker with knowledge of a Fortress S03 user's email address can easily disarm the installed home alarm without that user's knowledge," the researchers said in a report shared with The Hacker News.
"CVE-2021-39277 presents similar problems, but requires less prior knowledge of the victim, as the attacker can simply stake out the property and wait for the victim to use the RF-controlled devices within radio range. The attacker can then replay the 'disarm' command later, without the victim's knowledge."
Rapid7 said it notified Fortress Security of the bugs on May 13, 2021, only for the company to close the report 11 days later, on May 24. We've reached out to Fortress Security for comment and will update the story if we hear back.
Given that the issues persist, it is recommended that users configure their alarm systems with a unique, one-time email address to work around the IMEI number exposure.
"For CVE-2021-39277, there seems to be very little a user can do to mitigate the effects of the RF replay issues absent a firmware update to enforce cryptographic controls on RF signals. Users concerned about this exposure should avoid using the key fobs and other RF devices linked to their home security systems," the researchers said.
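The "cryptographic controls on RF signals" that the researchers say a firmware update would need are sketched below as an added illustration in Python; this is not Fortress firmware or Rapid7's code. The fob authenticates each frame with a shared-key HMAC over a monotonic counter and the command, so a frame captured over the air, as in the replay scenario described above, is rejected when it is played back. The key, frame layout, tag length and acceptance window are constructed assumptions.

```python
import hmac
import hashlib
import struct

TAG_LEN = 8                     # truncated HMAC-SHA256 tag, in bytes (assumed)
CMD_ARM, CMD_DISARM = 0x01, 0x02
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key


def encode_frame(key: bytes, counter: int, cmd: int) -> bytes:
    """Fob side: frame = counter (4 bytes) || cmd (1 byte) || tag."""
    body = struct.pack(">IB", counter, cmd)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Panel:
    """Receiver side: verify the tag, then enforce counter freshness."""
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.window = key, window  # window tolerates lost fob presses
        self.last_counter, self.armed = -1, True

    def receive(self, frame: bytes) -> str:
        if len(frame) != 5 + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"          # forged or bit-flipped frame
        counter, cmd = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return "rejected: replay"           # captured frame played back
        if counter > self.last_counter + self.window:
            return "rejected: counter out of window"
        self.last_counter = counter
        if cmd == CMD_DISARM:
            self.armed = False
            return "accepted: disarm"
        if cmd == CMD_ARM:
            self.armed = True
            return "accepted: arm"
        return "rejected: unknown command"


def demo():
    """Legitimate disarm accepted once; the same captured bytes fail on replay."""
    panel = Panel(KEY)
    captured = encode_frame(KEY, 1, CMD_DISARM)
    first = panel.receive(captured)
    replay = panel.receive(captured)
    forged = panel.receive(encode_frame(b"wrong key", 2, CMD_DISARM))
    rearm = panel.receive(encode_frame(KEY, 2, CMD_ARM))
    return first, replay, forged, rearm, panel.armed
```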