Issues with the Chirp smart lock system have individuals growing concerned. The rise of technology comes with security risks and other technical issues. Check out this article on the Chirp smart lock system.
_____________________________________________________________________________
The U.S. government has warned that “smart locks” in about 50,000 homes across the country contain hard-coded credentials that can be used to remotely open any lock. Chirp Systems, the maker of the locks, has not responded despite being first notified of the critical vulnerability in March 2021. Separately, RealPage was sued by several U.S. states for allegedly colluding with landlords to illegally raise rents.
On March 7, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a remotely exploitable vulnerability with “low attack complexity” exists in Chirp Systems smart locks.
“Chirp Access improperly stores credentials in its source code, potentially exposing sensitive information to unauthorized access,” CISA’s alert warns. The vulnerability has a CVSS severity rating of 9.1 out of 10. “Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability.”
Matt Brown, the researcher CISA credits with reporting this flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the vulnerability and reported it to Chirp in March 2021, when the company that managed his apartment complex started using Chirp smart locks and told everyone to install Chirp’s app to get in and out of their apartments.
“I use Android, which has a very simple workflow for downloading and decompiling APK apps,” Brown told KrebsOnSecurity. “Since I’m very picky about what I trust on my device, I downloaded Chirp, decompiled it and discovered that they store passwords and private key strings in files.”
Brown found that using these hard-coded credentials, attackers could connect to an application programming interface (API) used by Chirp that is managed by the smart lock vendor August.com, and use it to enumerate and remotely lock or unlock any door in any building using this technology.
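The flaw class CISA describes, credentials stored in shipped source, is one a vendor can catch before release. As an added example (not from the original article and not Chirp's code), this Python check scans an unpacked build tree for the two artifacts Brown describes, password literals and private key strings; the file names, sample values and rule patterns are constructed for illustration.

```python
import re

# Illustrative rules for the two secret types the article mentions.
RULES = {
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential-literal": re.compile(
        r"(?i)\b[\w.]*(?:password|passwd|secret|api_?key|token)[\w.]*"
        r"\s*[:=]\s*[\"']([^\"'\s]{8,})[\"']"),
}
# Template or placeholder values are resolved at runtime and are not findings.
PLACEHOLDER = re.compile(r"(?i)^(?:changeme|example|placeholder|\$\{.*\}|<.*>)$")

def scan(files):
    """Return sorted (path, line_no, rule) findings; the secret is never echoed."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for rule, pattern in RULES.items():
                match = pattern.search(line)
                if not match:
                    continue
                if match.groups() and PLACEHOLDER.match(match.group(1)):
                    continue
                findings.append((path, line_no, rule))
    return sorted(findings)

def release_gate(files):
    """Exit status for a build pipeline: 1 blocks the release, 0 allows it."""
    return 1 if scan(files) else 0

# Constructed sample tree standing in for an unpacked mobile app build.
SAMPLE_TREE = {
    "sources/com/example/door/ApiConfig.java": (
        'public final class ApiConfig {\n'
        '    static final String BASE_URL = "https://api.example.invalid";\n'
        '    static final String API_PASSWORD = "Xk29-constructed-value";\n'
        '    static final String SIGNING_KEY =\n'
        '        "-----BEGIN PRIVATE KEY-----\\nCONSTRUCTED-NOT-A-KEY";\n'
        '}\n'),
    "sources/com/example/door/Safe.java": (
        'String password = System.getenv("DOOR_API_PASSWORD");\n'
        'String apiKey = "${DOOR_API_KEY}";\n'),
}

if __name__ == "__main__":
    for path, line_no, rule in scan(SAMPLE_TREE):
        print(f"{path}:{line_no}: {rule}")
    raise SystemExit(release_gate(SAMPLE_TREE))
```

Any credential that ships inside a client app must be treated as public, so a finding here calls for rotating the secret and moving authorization to per-user tokens issued server-side, not just deleting the string.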
Brown said when he complained to the leasing office, they sold him a small $50 key fob that used near-field communications (NFC) to open the lock when he held it near the front door. But he said the key fob doesn’t eliminate anyone’s ability to remotely unlock his front door using exposed credentials and the Chirp mobile app.

Smart lock with Chirp function. Image: Camdenliving.com
Additionally, the key fob delivers the credentials over the air to his front door in plain text, meaning someone can clone the key fob simply by bumping into him with a smartphone app designed to read and write NFC tags.
Neither August nor Chirp Systems responded to requests for comment. It’s unclear how many apartments and other residences are using vulnerable Chirp locks, but multiple articles about the company in 2020 indicate that approximately 50,000 units use Chirp smart locks with the August API.
About a year before Brown reported the flaw to Chirp Systems, the company was acquired by RealPage, a company founded in 1998 that develops multifamily property management and data analytics software. In 2021, RealPage was acquired by private equity giant Thoma Bravo.
Brown said the vulnerability he found in Chirp’s product was “an obvious flaw that is very easy to fix.”
“It’s just a matter of their motivation to do it,” he said. “But they’re part of a private equity firm now, so they’re not accountable to anyone. It’s too bad because it’s not like the residents of [the affected] properties have another option. Either agree to use the app or move out.”
In October 2022, an investigation by ProPublica examined RealPage’s dominance of the rent-setting software market and found that it “uses a mysterious algorithm to help landlords push the highest possible rents to tenants.”
“For tenants, the system upends the practice of negotiating with apartment building staff,” ProPublica found. “RealPage discourages bargaining with tenants and even recommends that landlords accept lower occupancy rates in some cases in order to raise rents and make more money. One of the algorithm’s developers told ProPublica that leasing agents ‘have too much empathy’ compared to computer-generated pricing.”
Last year, the Justice Department threw its weight behind a massive lawsuit filed by dozens of tenants accusing the $9 billion apartment software company of helping landlords collude to raise rents.
In February 2024, the attorneys general of Arizona and the District of Columbia sued RealPage, accusing RealPage’s software of helping to create a rental monopoly.