Researchers call the identified vulnerability one of the most dangerous in the smart home industry.
A serious security threat was detected in smart locks managed by Chirp Systems software. Thanks to a critical vulnerability, attackers can remotely unlock them and physically enter protected locations.
The vulnerability is related to the fact that passwords and private keys are hard-coded in the Chirp app for Android. This data can be used to access the API of the August smart lock provider, which allows you to manage locks from a distance. According to Chirp, their system has more than 50,000 users.
Chirp software allows you to manage locks that are compatible with the products of companies such as August and Yale, the latter owned by the Swedish corporation Assa Abloy.
The vulnerability identified as CVE-2024-2197 was rated critical on the CVSS scale (9.1 out of 10). The US Cybersecurity and Infrastructure Protection Agency (CISA) also issued a warning about this issue, noting that Chirp has not yet taken the necessary measures to fix the vulnerability.
The problem was discovered by Amazon Web Services engineer Matt Brown, who started studying the Chirp application after installing such locks in his home. According to him, it is not difficult to fix the vulnerability, but for some reason the manufacturing company does not show interest in this.
Chirp also offers an NFC key as an alternative to the application, but it is not protected from remote attacks, as it transmits data in clear text. Brown had to pay $ 50 for using this unreliable key. The engineer recommends that owners of smart locks controlled through Chirp use additional mechanical locks to increase security.
Recent months have been quite generous with vulnerabilities related to smart locks. So, recently we talked about the security gaps in the locks of the German hotel chain Ibis, which allow you to open any door by using six dashes on the self-service terminal; and even earlier we wrote about the vulnerability of Saflock locks, which can be easily opened using an inexpensive RFID card reader and writer.
A serious security threat was detected in smart locks managed by Chirp Systems software. Thanks to a critical vulnerability, attackers can remotely unlock them and physically enter protected locations.
The vulnerability is related to the fact that passwords and private keys are hard-coded in the Chirp app for Android. This data can be used to access the API of the August smart lock provider, which allows you to manage locks from a distance. According to Chirp, their system has more than 50,000 users.
Chirp software allows you to manage locks that are compatible with the products of companies such as August and Yale, the latter owned by the Swedish corporation Assa Abloy.
The vulnerability identified as CVE-2024-2197 was rated critical on the CVSS scale (9.1 out of 10). The US Cybersecurity and Infrastructure Protection Agency (CISA) also issued a warning about this issue, noting that Chirp has not yet taken the necessary measures to fix the vulnerability.
The problem was discovered by Amazon Web Services engineer Matt Brown, who started studying the Chirp application after installing such locks in his home. According to him, it is not difficult to fix the vulnerability, but for some reason the manufacturing company does not show interest in this.
Chirp also offers an NFC key as an alternative to the application, but it is not protected from remote attacks, as it transmits data in clear text. Brown had to pay $ 50 for using this unreliable key. The engineer recommends that owners of smart locks controlled through Chirp use additional mechanical locks to increase security.
Recent months have been quite generous with vulnerabilities related to smart locks. So, recently we talked about the security gaps in the locks of the German hotel chain Ibis, which allow you to open any door by using six dashes on the self-service terminal; and even earlier we wrote about the vulnerability of Saflock locks, which can be easily opened using an inexpensive RFID card reader and writer.
