A vulnerability in a smart access control system used in thousands of rental homes in the United States allows anyone to remotely control any lock on an affected home. But Chirp Systems, the company that makes the system, ignored requests to fix the flaw.
The US cybersecurity agency CISA was public with a safety advisory last week saying that phone apps developed by Chirp, which residents use instead of a key to access their homes, “incorrectly store” encrypted credentials that can be used to remotely control any Chirp-compatible smart lock.
Applications that rely on passwords stored in their source code, known as encryption credentials, are a security risk because anyone can extract and use those credentials to perform actions impersonating the application. In this case, the credentials allowed anyone to remotely lock or unlock a door lock connected to Chirp over the Internet.
In its advisory, CISA said that successful exploitation of the flaw “could allow an attacker to take control and gain unrestricted physical access” to smart locks connected to a Chirp smart home system. The cybersecurity agency gave a vulnerability severity score of 9.1 out of a maximum of 10 for its “low attack complexity” and its ability to be exploited remotely.
The cybersecurity agency said Chirp Systems has not responded to either CISA or the researcher who found the vulnerability.
Security researcher Matt Brown said Brian Krebs, veteran security journalist that notified Chirp about the security issue in March 2021, but that the vulnerability remains unfixed.
Chirp Systems is one of a growing number of companies in the real estate technology space providing keyless access controls that integrate with smart home technologies to rental giants. Rental companies are increasingly forcing tenants to allow the installation of smart home equipment as dictated by their leases, but it is unclear at best who takes responsibility or ownership when security issues arise. security.
Real estate and rental giant Camden Property Trust signed a deal in 2020 to roll out Chirp-connected smart locks in more than 50,000 units in more than one hundred properties. It is unclear whether affected properties like Camden are aware of the vulnerability or have taken action. Camden spokeswoman Kim Callahan did not respond to a request for comment.
Chirp was purchased by property management software giant RealPage in 2020, and RealPage was acquired by private equity giant Thoma Bravo. later that year in a $10.2 billion deal. RealPage faces off various legal challenges over allegations that its rent-setting software uses secret, proprietary algorithms to help landlords raise the highest possible rents for tenants.
Neither RealPage nor Thoma Bravo have yet to acknowledge the vulnerabilities in the software they acquired, nor have they said whether they plan to notify affected residents about the security risk.
Jennifer Bowcock, a spokesperson for RealPage, did not respond to TechCrunch's requests for comment. Thoma Bravo spokesperson Megan Frank also did not respond to requests for comment.
