acm-header
Sign In

Communications of the ACM

ACM TechNews

Popular Smart Home Security System Can Be Remotely Disarmed


View as: Print Mobile App Share: Send by email Share on reddit Share on StumbleUpon Share on Hacker News Share on Tweeter Share on Facebook
Part of the Fortress S03 Wi-Fi Home Security System.

Rapid7 said that Fortress unauthenticated API can be remotely queried over the Internet without the server checking if the request is legitimate.

Credit: Fortress Security.

Researchers at cybersecurity company Rapid7 found vulnerabilities that can be used to remotely disarm the Fortress S03 smart home security system.

The Wi-Fi-based system allows owners to monitor their homes with a mobile application via Internet-linked cameras, motion sensors, and sirens, and to arm or disarm it with a radio-controlled key fob.

The researchers said hackers can remotely query an unauthenticated application programming interface without the server checking the request's legitimacy; the server would return the device's unique International Mobile Equipment Identity number, which could be used to disarm the system.

In addition, intercepting unencrypted radio signals between the S03 and the key fob could permit the "arm" and "disarm" signals to be captured and replayed.

Rapid7 informed Fortress of the flaws, then publicly disclosed them when the company did not respond after three months; a law firm representing Fortress called the claims of vulnerabilities in the S03 system "false, purposely misleading, and defamatory," without specifying why they are false, or that Fortress has fixed the vulnerabilities.

From TechCrunch
View Full Article

 

Abstracts Copyright © 2021 SmithBucklin, Washington, DC, USA


 

No entries found