Communications of the ACM
Popular Smart Home Security System Can Be Remotely Disarmed
Rapid7 said that Fortress unauthenticated API can be remotely queried over the Internet without the server checking if the request is legitimate.
Credit: Fortress Security.
Researchers at cybersecurity company Rapid7 found vulnerabilities that can be used to remotely disarm the Fortress S03 smart home security system.
The Wi-Fi-based system allows owners to monitor their homes with a mobile application via Internet-linked cameras, motion sensors, and sirens, and to arm or disarm it with a radio-controlled key fob.
The researchers said hackers can remotely query an unauthenticated application programming interface without the server checking the request's legitimacy; the server would return the device's unique International Mobile Equipment Identity number, which could be used to disarm the system.
In addition, intercepting unencrypted radio signals between the S03 and the key fob could permit the "arm" and "disarm" signals to be captured and replayed.
Rapid7 informed Fortress of the flaws, then publicly disclosed them when the company did not respond after three months; a law firm representing Fortress called the claims of vulnerabilities in the S03 system "false, purposely misleading, and defamatory," without specifying why they are false, or that Fortress has fixed the vulnerabilities.
From TechCrunch
View Full Article
Abstracts Copyright © 2021 SmithBucklin, Washington, DC, USA
No entries found