Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Crickets From Chirp Systems in Smart Lock Key Leak (krebsonsecurity.com) 14

The U.S. government is warning that smart locks securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. Krebs on SecurityL: The lock's maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp's parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents. On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with "low attack complexity" in Chirp Systems smart locks.

"Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access," CISA's alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). "Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability." Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp's app to get in and out of their apartments.

This discussion has been archived. No new comments can be posted.

Crickets From Chirp Systems in Smart Lock Key Leak

Comments Filter:
  • Ludd is Gudd. (Score:5, Insightful)

    by b0s0z0ku ( 752509 ) on Monday April 15, 2024 @04:12PM (#64396532)
    Just use a proper key lock, preferably two locks of different designs. Are we so lazy that we don't want to carry keys now, only a dopamine slab?
    • by RobinH ( 124750 )
      There are a few use cases where having a push button lock with a code, or some other form of electronic access control is preferable. Not for a family, but often if you have a short term rental, or a shared workspace that a team uses. There's no excuse for a company that makes locks to sell a product with vulnerabilities like this.
    • Read the article.

      • Re:Ludd is Gudd. (Score:4, Informative)

        by test321 ( 8891681 ) on Monday April 15, 2024 @05:26PM (#64396686)

        Thanks for the advice, In the paper. I was shocked.
        *Human employees had "too much empathy", so now they these locks and automated software to lock people outside when they don't pay.
        * By keeping lower occupancy rates and using secret algorithms, they push the rents upwards.
        * They're being sued right now for allowing landlords to collude to artificially push the rents (using their algorithm). This case has similarities with https://news.slashdot.org/stor... [slashdot.org]

    • You'd think, but an experienced lock picker can get through pretty much anything - especially the locks you see advertised as 'unpickable'.

      Locks don't stop people, they keep out the casual / opportunistic people and slightly inconvenience the serious ones. Which doesn't mean they're not worth having... but you do have to think about just how much they do when thinking about throwing more money at them.

      • There are a few that are genuinely unpickable. Will they be that way forever? Doubtful. Will they ever be trivially defeated? Hell nah. That forces invaders to resort to less clandestine methods of entry, which leave more evidence, or to spend an unbearable amount of time attempting to pick while neighbors may notice.

        Bowley Lock Company has one of the practically unpickable options on the market now, and LockPickingLawyer has a great video on the chain-key lock.

        Best case, they’re still just a speed

    • If this lock is on the door in the apartment you rented then what? If you install your own deadbolt they'll come after you for drilling their door and quite possibly evict you.

      • Depends on the state - in NY, they have to allow you to install your own lock. Also, you don't have to drill the door, just replace their lock with yours which has an identical bolt pattern, and return it to original condition at the end of lease.
    • by ceoyoyo ( 59147 )

      Make sure to get one of those ones from the hardware store with no security pins that any idiot with a rake and five minutes on YouTube can pick. Better yet, find a lazy locksmith that just keys all locks the same because it's easier that way.

      Computer people like to think they invented crappy security and "back in my day" types like to agree with them.

  • Feature, not a bug? (Score:5, Interesting)

    by b0s0z0ku ( 752509 ) on Monday April 15, 2024 @04:17PM (#64396548)
    Convenient that landlords, cops, whoever else can open any door "secured" by this lock without the need to kick it in or drill out the lock, both of which are costly.
    • It's a non-event, as far as cops go.

      Cops have been known to break down doors while the homeowner is standing beside them offering to unlock them

  • Selling locks anyone can open is straight up fraud. This has been going on for years now, to the tune of millions of dollars. One would think the FBI would be all over a slam-dunk case like this. They like easy big wins, and this sure seems to be one.
  • If the were at least creative in their fucking-up. But no.

  • The headline can only be understood *after* reading the submission.

May all your PUSHes be POPped.

Working...