April 15, 2024 at 06:43PM
Chirp Systems’ smart locks can be remotely unlocked because of a critical security vulnerability. The issue stems from hard-coded passwords and keys in the Chirp Android app, which give anyone who extracts them unauthorized access. Despite the flaw being flagged by CISA and given a high severity score, Chirp has not remedied it. Chirp’s acquisition by RealPage, and RealPage’s private equity ownership, raise concerns about whether the issue will be addressed.
Key Takeaways from the Meeting Notes:
1. Chirp Systems’ smart locks are vulnerable to remote unlocking due to a critical security flaw: hard-coded passwords and private keys in the Chirp Android app, which anyone who decompiles the app can recover and use against the API maintained by the smart lock supplier, August.
2. The vulnerability was assigned a CVSS severity score of 9.1 out of 10 and has been highlighted by the US government’s Cybersecurity and Infrastructure Security Agency (CISA).
3. Chirp has allegedly not responded to CISA’s alert or taken measures to address the vulnerability, despite the potential for unauthorized access and control of affected systems.
4. The vulnerability was initially discovered three years ago by Amazon Web Services senior engineer Matt Brown and was only recently brought to public attention, with Chirp updating its Android app last month following the CISA alert, possibly addressing the issue.
5. The NFC-based key that Chirp offers is not a fix: the NFC chip transmits its credentials in plain text, so they can be captured and reused.
6. Chirp was acquired by RealPage in 2020, and RealPage was subsequently acquired by private equity firm Thoma Bravo; given that private equity ownership, Chirp’s motivation to address the security flaw is viewed with skepticism.
7. Recommendations are made for users of Chirp-powered smart locks to implement additional physical security measures, and inquiries have been made to Thoma Bravo for comment.
These are the key points gleaned from the provided meeting notes.
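The root cause in takeaway 1 is a classic hard-coded-credentials problem: literals in the shipped app that should have been provisioned per device or per user. The script below is an added example for this page (not code from Chirp, August or RealPage) showing how a practitioner would check a decompiled app for that class of defect. It scans the text of `res/values/strings.xml` and Java/Kotlin sources for credential-named literals, high-entropy token-like literals, and embedded PEM private keys. The file names, the sample contents, the identifier patterns and the 4.0-bit entropy threshold are all assumptions constructed for the example, not material from any real app.

```python
"""Scan decompiled Android app sources for hard-coded credentials.

Added example for this page, not code from Chirp, August or RealPage. It
checks the kind of artifact the takeaways describe: string literals in
res/values/strings.xml and in Java/Kotlin sources that hold passwords,
API keys or PEM private keys. The file names and contents below are
constructed samples, not material from any real app.
"""
import math
import re
from typing import Dict, List

# Identifier names that usually hold a credential when set to a literal
# (assumed list for this example; extend for your own code base).
SECRET_NAME = re.compile(
    r"(?i)(passw(or)?d|secret|api[_-]?key|private[_-]?key|auth[_-]?token)"
)
# <string name="...">value</string> in Android resource XML.
XML_STRING = re.compile(r'<string\s+name="([^"]+)">([^<]*)</string>')
# String/val/var NAME = "value" in Java or Kotlin.
CODE_ASSIGN = re.compile(r'\b(?:String|val|var)\s+(\w+)\s*=\s*"([^"]*)"')
# Header of an embedded PEM private key.
PEM_HEADER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Token-like literal: long, single charset, no spaces, dots or URL punctuation.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed threshold for this example


def shannon_entropy(s: str) -> float:
    """Bits per character; log2(32) == 5.0 for 32 distinct characters."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(name: str, value: str) -> str:
    """Return a reason string if the literal looks like a secret, else ''."""
    if not value or value.startswith("@string/"):
        return ""  # empty, or an indirection to another resource
    if SECRET_NAME.search(name):
        return "credential-named literal"
    if TOKEN_SHAPE.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        return "high-entropy token literal"
    return ""


def scan_text(path: str, text: str) -> List[dict]:
    """Scan one decompiled file; returns one finding dict per suspect literal."""
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_HEADER.search(line):
            findings.append({"file": path, "line": lineno, "name": "<pem>",
                             "reason": "embedded private key"})
            continue
        for pattern in (XML_STRING, CODE_ASSIGN):
            for name, value in pattern.findall(line):
                reason = classify(name, value)
                if reason:
                    findings.append({"file": path, "line": lineno,
                                     "name": name, "reason": reason})
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of path -> file text (e.g. output of apktool/jadx)."""
    out: List[dict] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample of what a decompiled APK might contain (not real data).
SAMPLE_FILES = {
    "res/values/strings.xml": """<resources>
    <string name="app_name">Example Access</string>
    <string name="api_base_url">https://api.example.test/v1</string>
    <string name="vendor_api_password">hunter2-do-not-ship</string>
</resources>
""",
    "com/example/access/ApiClient.java": """public final class ApiClient {
    private static final String API_KEY = "AKIAEXAMPLE1234567890ABCDEFGHIJ";
    private static final String USER_AGENT = "ExampleAccess/1.0";
    private static final String TOKEN_SEED = "q8Zt3vNp1Lx9Ke2Rw7Yb4Hs6Dm0Fj5Ac";
    private static final String SIGNING_KEY =
        "-----BEGIN EC PRIVATE KEY-----\\nMHcCAQEEIexampleonly\\n-----END EC PRIVATE KEY-----";
}
""",
}


def flagged_names(files: Dict[str, str] = SAMPLE_FILES) -> List[str]:
    """Names of the literals flagged in the given files, in scan order."""
    return [f["name"] for f in scan_files(files)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['name']}: {f['reason']}")
```

On the constructed sample this flags the XML password, the `API_KEY` literal, the unnamed-but-random `TOKEN_SEED`, and the embedded EC private key, while leaving the app name, the base URL and the user agent alone. The entropy rule is deliberately restricted to token-shaped values so that URLs and prose, which can also have fairly high entropy, do not drown the report in noise; in practice such a scan belongs in the build pipeline, since a credential that is compiled into the APK is recoverable by anyone who downloads it.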