CISA in a flap as Chirp smart door locks can be trivially unlocked remotely
Some smart locks controlled by Chirp Systems’ software can be remotely unlocked by strangers thanks to a critical security vulnerability.
This remote exploitation is possible due to passwords and private keys being hard-coded in Chirp’s Android app. Anyone who knows or finds these credentials can use them with an API maintained by smart lock supplier August to remotely open someone’s Chirp-powered lock and thus unlock whatever door it is supposed to be protecting. Chirp has claimed its system is being used by over 50,000 households.
For those unfamiliar with this tech, Chirp provides application software to remotely control compatible locks, which can be bought from vendors such as August. It turns out it’s possible to use the credentials inside the Chirp Android app to effectively masquerade as the developer via that aforementioned API, enumerate locks, and control them. Presumably victims would need to be using an August-supported lock; we note that Yale is a brand August uses as both are owned by the same parent, Sweden’s Assa Abloy. We’ve asked August for more details.
The Chirp-side security flaw was given a CVSS severity score of 9.1 out of 10 last month. The US govt’s Cybersecurity and Infrastructure Security Agency also issued an alert about the situation. The warning notes Chirp hasn’t responded to CISA at all about fixing the hole.
As the watchdog put it, “Successful exploitation of this vulnerability could allow an attacker to take control and gain unrestricted physical access to systems using the affected product.
“Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access.”
The vulnerability was discovered and disclosed to Chirp three years ago by Amazon Web Services senior engineer Matt Brown, who delved into Chirp’s Android app because his apartment building switched over to the “smart” locks in March 2021. We note that Chirp updated its Android app last month after the CISA alert, to apply “bug fixes and improved stability,” so the hole may have been quietly patched by now.
“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told infosec blogger Brian Krebs this week. “I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.”
Although the vulnerability has existed for at least three years, as Brown discovered it in early 2021, CISA says there are no known cases of it being exploited, presumably because its existence has been kept under wraps until now.
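A build-side check for the flaw class CISA describes (credentials stored in app source), added here as an example and not taken from the article, Chirp or August: it scans decompiled app sources for private key blocks and password-like string constants before release. The file paths, identifiers and values in the sample are constructed assumptions.

```python
import re

# Rules for the two things the article says were in the app: private keys and passwords.
SECRET_NAME = r"\w*(?:password|passwd|secret|api_?key|private_?key|token)\w*"
RULES = [
    ("pem-private-key", re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")),
    ("java-string-constant", re.compile(rf'(?i)\b({SECRET_NAME})\s*=\s*"[^"]{{8,}}"')),
    ("android-string-resource", re.compile(rf'(?i)<string\s+name="({SECRET_NAME})"\s*>[^<]{{8,}}</string>')),
]

# Constructed sample standing in for decompiled app output; every name and value is made up.
SAMPLE_SOURCES = {
    "sources/com/example/lock/ApiConfig.java": """\
public final class ApiConfig {
    static final String BASE_URL = "https://api.lock-vendor.example/v1";
    static final String API_PASSWORD = "CONSTRUCTED-not-a-real-password";
    static final String SIGNING_KEY = "-----BEGIN PRIVATE KEY-----\\nCONSTRUCTED\\n-----END PRIVATE KEY-----";
}
""",
    "res/values/strings.xml": """\
<resources>
    <string name="app_name">Example Lock</string>
    <string name="partner_api_key">CONSTRUCTED0000000000000000000000</string>
</resources>
""",
}

def scan(sources):
    """Return sorted (path, line_number, rule, identifier) findings; values are never echoed."""
    findings = []
    for path, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES:
                m = pattern.search(line)
                if m:
                    ident = m.group(1) if m.groups() else "<pem block>"
                    findings.append((path, line_no, rule, ident))
    return sorted(findings)

def release_gate(sources):
    """Exit status for CI: 1 if any embedded credential is found, else 0."""
    findings = scan(sources)
    for path, line_no, rule, ident in findings:
        print(f"{path}:{line_no}: {rule}: {ident}")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(release_gate(SAMPLE_SOURCES))
```

A hit means the credential ships to every device that installs the app, so the remedy is to remove it from the client and rotate it, not to obfuscate it.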
Chirp does offer an NFC-based key as a stand-in for the app, but that doesn’t prevent miscreants from using the remote exploit. Plus, the NFC chip itself sends credentials in plain text, making it trivial to compromise Chirp smart locks that way, too. Brown said his apartment complex charged him $50 for the privilege of using the insecure key fob.
Texas-based Chirp was bought by real-estate giant RealPage in 2020, which itself was bought by private equity firm Thoma Bravo. RealPage, like Chirp, is in hot water, though for a completely different reason: its YieldStar software was accused of playing a crucial role in fixing home rental pricing in a 2022 report by ProPublica. The Department of Justice is now involved in a lawsuit against RealPage.
While Brown said the vulnerability plaguing Chirp-controlled smart locks is “an obvious flaw that is super easy to fix,” he expressed doubts it ever would be. “It’s just a matter of them being motivated to do it. But they’re part of a private equity company now, so they’re not answerable to anybody,” he said.
For anyone who uses a smart lock powered by Chirp, we recommend securing your door with a bar or mechanical lock, just like in the good old days. We’ve also asked Thoma Bravo for comment. ®