A new vulnerability uncovered within the Fortress home security system could allow for remote disarmament of home alarms.
According to Threatpost, citing Rapid7 researcher Arvind Vishwakarma, the unpatched flaw within the Fortress S03 WiFi Home Security System could allow for a cyberattack that includes deactivating motion-sensor monitors for doors and windows. Fortress’ platform is known for allowing consumers to activate a la carte services such as sensors, IP cameras and accessories, linking them via in-home Wi-Fi to deliver personalized physical security. RF (radio frequency) fobs are usually employed to power down the system elements.
Threatpost noted that, according to Vishwakarma, the issue could lead to “unauthorized access to control or modify system behavior,” as well as “access to unencrypted information in storage or in transit.”
“If a malicious actor knows a user’s email address, they can use it to query the cloud-based API to return an International Mobile Equipment Identity (IMEI) number, which appears to also serve as the device’s serial number,” Vishwakarma told the website. “With a device IMEI number and the user’s email address, it is then possible for a malicious actor to make changes to the system, including disarming its alarm.”
“The likelihood of exploitation of these issues is pretty low,” Tod Beardsley, Director of Research with Rapid7, told Threatpost. “An opportunistic home invader is not likely to be a cybersecurity expert, after all. However, I am concerned about a scenario where the attacker already knows the victim well, or at least, well enough to know their email address, which is all that is really required to disable these devices from over the internet using CVE-2021-39276.”
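The weakness described above comes down to treating identifiers as credentials. The following is an added illustration, not code from Fortress, Rapid7 or Threatpost: a toy in-memory model that contrasts that pattern with a per-device secret issued at pairing time. All function names, the account store and the sample address and IMEI are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; the address and IMEI are placeholders.
ACCOUNTS = {
    "owner@example.test": {"imei": "000000000000000", "armed": True,
                           "token_sha256": None},
}

def lookup_imei(email):
    """Weak pattern: an unauthenticated lookup that maps an email to the IMEI."""
    acct = ACCOUNTS.get(email)
    return acct["imei"] if acct else None

def disarm_weak(email, imei):
    """Weak pattern: two identifiers, one derivable from the other, act as the credential."""
    acct = ACCOUNTS.get(email)
    if acct and acct["imei"] == imei:
        acct["armed"] = False
        return True
    return False

def enroll(email):
    """Hardened: issue a random secret at pairing time and store only its hash."""
    token = secrets.token_urlsafe(32)
    ACCOUNTS[email]["token_sha256"] = hashlib.sha256(token.encode()).hexdigest()
    return token

def disarm_hardened(email, imei, token):
    """Hardened: identifiers select the device; only the secret authorizes the change."""
    acct = ACCOUNTS.get(email)
    if not acct or acct["imei"] != imei or not acct["token_sha256"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison avoids leaking how much of the hash matched.
    if not hmac.compare_digest(presented, acct["token_sha256"]):
        return False
    acct["armed"] = False
    return True
```

In the hardened path, knowing the email address and the IMEI is no longer sufficient, so the lookup leaking the IMEI does not by itself grant control.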
At the same time, Threatpost noted that an RF issue related to the signals that communicate between the fobs and remote sensors could allow “anyone within RF signal range” to “capture and replay RF signals to alter systems behavior.” This can also be exploited to disarm the system.
Threatpost noted that Fortress closed the Rapid7 ticket related to the bugs “without comment,” and has yet to issue a follow-up patch.