Crickets From Chirp Systems in Smart Lock Key Leak (krebsonsecurity.com)
The U.S. government is warning that smart locks securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. Krebs on Security: The lock's maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp's parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents. On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with "low attack complexity" in Chirp Systems smart locks.
"Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access," CISA's alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). "Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability." Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp's app to get in and out of their apartments.
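The weakness CISA describes is credentials stored in source code (the CWE-798 pattern): whoever can read the shipped app can read the secret, and it cannot be rotated without shipping a new build. The block below is an added illustration, not Chirp Systems' code and not derived from the Chirp Access app. It shows the anti-pattern beside a hardened form that loads the secret from the runtime environment and fails closed, plus a small regex scanner of the kind secret-scanning tools run in CI. The `LOCK_API_TOKEN` variable name, the key values and the sample source lines are all constructed for the example.

```python
"""Hard-coded credential anti-pattern, a hardened alternative, and a simple
scanner for the pattern. Added example; not the product's own code.
Every credential value here is constructed and fake."""
import os
import re
from typing import List, Mapping, Tuple

# --- Anti-pattern: a credential baked into source code. ---
# Anyone with the app bundle or repository can read this. Constructed value.
INSECURE_API_KEY = "sk_live_EXAMPLE_DO_NOT_USE_0123456789"


def insecure_client_token() -> str:
    """Returns the baked-in key; exists only to show what a scanner should catch."""
    return INSECURE_API_KEY


# --- Hardened form: secret comes from the environment (or a secret store
#     injected into it at deploy time) and the code refuses to run without it. ---
def secure_client_token(env: Mapping[str, str] = os.environ) -> str:
    token = env.get("LOCK_API_TOKEN")  # hypothetical variable name
    if not token:
        raise RuntimeError("LOCK_API_TOKEN not configured; refusing to start")
    return token


def fails_closed(env: Mapping[str, str]) -> bool:
    """True if secure_client_token() refuses to proceed for this environment."""
    try:
        secure_client_token(env)
    except RuntimeError:
        return True
    return False


# --- Scanner: flag assignments of a literal string to a credential-like name. ---
# Matches e.g.  API_SECRET = 'abc...'  or  db_password: "abc..."  (8+ chars).
SECRET_PATTERN = re.compile(
    r"""(?i)\b([a-z_]*(?:key|secret|token|password|passwd))\s*[=:]\s*['"]([^'"]{8,})['"]"""
)


def find_hardcoded_secrets(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, variable name) for each suspected literal credential.

    Full-line comments are skipped; everything else is checked. A real scanner
    would also look at config files, string tables and compiled resources.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        if line.lstrip().startswith("#"):
            continue
        match = SECRET_PATTERN.search(line)
        if match:
            hits.append((lineno, match.group(1)))
    return hits


# Constructed sample source, not taken from any real project.
SAMPLE_SOURCE = [
    "import requests",
    "# api_key = 'commented-out-example-value'",
    "API_SECRET = 'constructed-sample-secret-value'",
    "db_password: 'hunter2hunter2'",
    "token = os.environ['LOCK_API_TOKEN']",
    "retries = 5",
]

if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: literal credential assigned to {name}")
    print("fails closed without token:", fails_closed({}))
```

Run as a script it reports lines 3 and 4 of the sample and confirms the hardened loader refuses to start with no token set. The scanner is deliberately crude (a name heuristic plus a minimum length); the point of running it in CI is that a hard-coded credential is caught before it ships, which is the stage at which rotation is still cheap.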
Ludd is Gudd. (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3)
Read the article.
Re:Ludd is Gudd. (Score:4, Informative)
Thanks for the advice. In the paper, I was shocked.
* Human employees had "too much empathy", so now they use these locks and automated software to lock people outside when they don't pay.
* By keeping lower occupancy rates and using secret algorithms, they push the rents upwards.
* They're being sued right now for allowing landlords to collude to artificially push the rents (using their algorithm). This case has similarities with https://news.slashdot.org/stor... [slashdot.org]
Re: (Score:3)
You'd think, but an experienced lock picker can get through pretty much anything - especially the locks you see advertised as 'unpickable'.
Locks don't stop people, they keep out the casual / opportunistic people and slightly inconvenience the serious ones. Which doesn't mean they're not worth having... but you do have to think about just how much they do when thinking about throwing more money at them.
Re: (Score:2)
There are a few that are genuinely unpickable. Will they be that way forever? Doubtful. Will they ever be trivially defeated? Hell nah. That forces invaders to resort to less clandestine methods of entry, which leave more evidence, or to spend an unbearable amount of time attempting to pick while neighbors may notice.
Bowley Lock Company has one of the practically unpickable options on the market now, and LockPickingLawyer has a great video on the chain-key lock.
Best case, they’re still just a speed
Re: (Score:1)
If this lock is on the door in the apartment you rented then what? If you install your own deadbolt they'll come after you for drilling their door and quite possibly evict you.
Re: (Score:3)
Re: (Score:2)
Make sure to get one of those ones from the hardware store with no security pins that any idiot with a rake and five minutes on YouTube can pick. Better yet, find a lazy locksmith that just keys all locks the same because it's easier that way.
Computer people like to think they invented crappy security and "back in my day" types like to agree with them.
Feature, not a bug? (Score:5, Interesting)
Re: (Score:3)
It's a non-event, as far as cops go.
Cops have been known to break down doors while the homeowner is standing beside them offering to unlock them.
Criminal Fraud (Score:2)
Always the same dumb tired old mistakes (Score:2)
If they were at least creative in their fucking-up. But no.
Headline Gymnastics (Score:2)
The headline can only be understood *after* reading the submission.