
Communications of the ACM

ACM TechNews

Popular Smart Home Security System Can Be Remotely Disarmed

Part of the Fortress S03 Wi-Fi Home Security System.

Rapid7 said that Fortress's unauthenticated API can be remotely queried over the Internet without the server checking whether the request is legitimate.

Credit: Fortress Security.

Researchers at cybersecurity company Rapid7 found vulnerabilities that can be used to remotely disarm the Fortress S03 smart home security system.

The Wi-Fi-based system allows owners to monitor their homes with a mobile application via Internet-linked cameras, motion sensors, and sirens, and to arm or disarm it with a radio-controlled key fob.

The researchers said hackers can remotely query an unauthenticated application programming interface without the server checking the request's legitimacy; the server would return the device's unique International Mobile Equipment Identity number, which could be used to disarm the system.

In addition, intercepting unencrypted radio signals between the S03 and the key fob could permit the "arm" and "disarm" signals to be captured and replayed.

Rapid7 informed Fortress of the flaws, then publicly disclosed them when the company did not respond after three months; a law firm representing Fortress called the claims of vulnerabilities in the S03 system "false, purposely misleading, and defamatory," without specifying why they are false or saying that Fortress has fixed the vulnerabilities.

From TechCrunch


Abstracts Copyright © 2021 SmithBucklin, Washington, DC, USA

