A cybersecurity company says that a popular smart home security system has a couple of vulnerabilities that can be exploited to disable the system completely.
Rapid7 found the vulnerabilities in Fortress S03, a home security system that relies on Wi-Fi to connect cameras, motion sensors and sirens to the Internet, allowing owners to monitor their home from anywhere with a mobile app. The security system also uses a radio-controlled key fob that lets homeowners arm or disarm their house from outside the front door.
But the cybersecurity firm said the vulnerabilities include an unauthenticated API and an unencrypted radio signal that can be easily detected.
Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress for three months, the standard time window that security researchers give companies to fix bugs before details are published. Rapid7 said the only acknowledgment of its email came when Fortress closed the support ticket a week later without comment.
Fortress owner Michael Hofeditz opened, but did not respond to, further emails that TechCrunch sent with an email open tracker. An email from Bottone Riling, a Massachusetts law firm representing Fortress, called the allegations “false, deliberately misleading and defamatory,”
Rapid7 said that Fortress’ unauthenticated API can be queried remotely over the Internet without the server checking whether the request is legitimate. The researchers said that, given a homeowner’s email address, the server would return the device’s unique IMEI, which in turn could be used to remotely disable the system.
The second flaw takes advantage of the unencrypted radio signals sent between the security system and the homeowner’s key fob. It allowed Rapid7 to capture and replay the “arm” and “disconnect” signals because the radio waves were not properly encrypted.
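Why a frame that never changes is accepted a second time, and what a replay-resistant frame looks like, shown as an added example that is not from Rapid7, Fortress or the original article. The frame layout, command bytes, key and window size are all constructed for illustration, and the rolling counter with an HMAC tag is a common mitigation, not something the page says Fortress uses.

```python
import hashlib
import hmac
import struct

ARM, DISARM = 1, 2  # hypothetical command bytes


class FixedCodeReceiver:
    """Models a receiver whose fob sends the same frame for every press."""
    def __init__(self, codes):
        self.codes = codes  # command -> static frame (constructed values)

    def accept(self, frame):
        for cmd, code in self.codes.items():
            if hmac.compare_digest(frame, code):
                return cmd
        return None


def fob_frame(key, counter, cmd):
    """Frame = 1-byte command | 32-bit counter | 8-byte truncated HMAC-SHA256."""
    body = struct.pack(">BI", cmd, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


class RollingCodeReceiver:
    WINDOW = 16  # tolerate presses made while the fob was out of range

    def __init__(self, key):
        self.key, self.last_counter = key, 0

    def accept(self, frame):
        if len(frame) != 13:
            return None
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted frame
        cmd, counter = struct.unpack(">BI", body)
        if not self.last_counter < counter <= self.last_counter + self.WINDOW:
            return None  # already-used counter (replay) or too far ahead
        self.last_counter = counter  # every accepted frame is single-use
        return cmd


def demo():
    fixed = FixedCodeReceiver({ARM: b"\xa5\x01", DISARM: b"\xa5\x02"})
    fixed_results = [fixed.accept(b"\xa5\x02"), fixed.accept(b"\xa5\x02")]
    key = bytes(range(32))  # constructed demo key shared by fob and receiver
    rolling = RollingCodeReceiver(key)
    frame = fob_frame(key, 1, DISARM)
    return fixed_results, [rolling.accept(frame), rolling.accept(frame)]
```

The fixed-code receiver returns the disarm command both times the same bytes arrive, while the rolling-code receiver accepts the frame once and rejects the identical second copy.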
Vishwakarma said homeowners could add a plus-tagged email address with a long, unique string of letters and numbers to act as a stand-in for a password. But there was little homeowners could do about the radio signal flaw until Fortress addressed it.
Fortress has not said whether it has resolved or plans to fix the vulnerabilities. It is not clear if Fortress is able to fix the vulnerabilities without replacing the hardware. It is not known if Fortress builds the device itself or buys the hardware from another manufacturer.