According to a cybersecurity firm, a popular smart home security system has two flaws that can be exploited to completely disable the system.
Rapid7 discovered the flaws in the Fortress S03, a home security system that uses Wi-Fi to connect cameras, motion sensors, and sirens to the internet, allowing owners to watch their house remotely via a mobile app from anywhere.
A radio-controlled key fob is also used in the security system, allowing homeowners to arm or disarm their home from outside their front door.
An unauthenticated API and an unencrypted radio signal that may be easily intercepted are among the vulnerabilities, according to the cybersecurity firm.
Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress in three months, the standard window of time that security researchers give companies to fix bugs before details are made public. Rapid7 said the only acknowledgment of its email came when Fortress closed its support ticket a week later without commenting.
Fortress owner Michael Hofeditz opened but did not respond to several emails sent by TechCrunch with an email open tracker. An email from Bottone Reiling, a Massachusetts law firm representing Fortress, called the claims “false, purposely misleading and defamatory,” but did not specify which claims it considers false or say whether Fortress has mitigated the vulnerabilities.
Rapid7 said that Fortress’ unauthenticated API can be remotely queried over the internet without the server checking if the request is legitimate. The researchers said that, given a homeowner’s email address, the server would return the device’s unique IMEI, which in turn could be used to remotely disarm the system.
The other flaw takes advantage of the unencrypted radio signals sent between the security system and the homeowner’s key fob. That allowed Rapid7 to capture and replay the signals for “arm” and “disarm” because the radio waves weren’t scrambled properly.
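The sketch below is an added illustration, not code from Rapid7 or Fortress, of why a fixed "disarm" frame stays valid after it has been recorded, and how a receiver that checks a per-press counter and a message authentication code rejects the same recording. The frame layout, key, command bytes and window size are all assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo values; none come from the Fortress S03 or Rapid7's advisory.
STATIC_DISARM = bytes.fromhex("a55a02")   # frame a fixed-code fob sends on every press
FOB_KEY = b"constructed-per-fob-demo-key"  # secret shared at pairing (assumption)
DISARM = b"\x02"                           # hypothetical one-byte command
WINDOW = 16                                # how far ahead of the receiver the fob may run
TAG_LEN = 8


class StaticReceiver:
    """Accepts identical bytes forever, so a recorded frame never expires."""

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, STATIC_DISARM)


def fob_frame(command: bytes, counter: int, key: bytes = FOB_KEY) -> bytes:
    """Fob side: command || 32-bit counter || truncated HMAC-SHA256 over both."""
    body = command + struct.pack(">I", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class CounterReceiver:
    """Accepts a frame only if its MAC verifies and its counter moved forward."""

    def __init__(self, key: bytes = FOB_KEY):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 1 + 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # modified frame, or sender does not hold the key
        counter = struct.unpack(">I", body[1:5])[0]
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False  # stale counter (a replay) or implausibly far ahead
        self.last_counter = counter
        return True
```

What stops the replay here is the authenticated, ever-increasing counter; encrypting a frame that is otherwise identical on every press would not.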
Rapid7’s Arvind Vishwakarma suggested that homeowners could add a plus-tagged email address containing a long, unique string of letters and digits to stand in for a password. However, until Fortress addressed the radio signal problem, there was little that homeowners could do.
Fortress has not stated whether it has patched or plans to patch the flaws. It’s unclear whether Fortress will be able to patch the flaws without replacing the hardware. It’s also unclear whether Fortress develops the device itself or gets it from another company.