Two vulnerabilities in the Fortress S03 Wi-Fi Home Security System could allow cyber-attackers to remotely disarm the system, leaving homes open to unlawful entry.

The pair of unpatched security vulnerabilities can allow unauthenticated cyber-attackers to turn off window, door & motion-sensor monitoring.

Mix & Match

The Fortress platform is a consumer-grade home security system that allows users to mix & match various sensors, IP cameras & accessories, connecting them via Wi-Fi to create a personalised security system. RF fobs are used for system control, arming & disarming monitors on doors, windows & motion detectors.

According to Rapid7 researcher Arvind Vishwakarma, who discovered the bugs, the “vulnerabilities could result in unauthorised access to control or modify system behaviour, & access to unencrypted information in storage or in transit.”

Both bugs remain unpatched.

Disarming Home Security

The 1st vulnerability, tracked as CVE-2021-39276, is due to an insecure cloud API deployment, Vishwakarma stated in a Tuesday post. Unauthenticated users can trivially exploit it to retrieve a secret that can then be used to alter the system’s functionality remotely.

To disarm an alarm system, attackers can send a specially crafted unauthenticated POST to the API.

“If a malicious actor knows a user’s email address, they can use it to query the cloud-based API to return an International Mobile Equipment Identity (IMEI) number, which appears to also serve as the device’s serial number,” Vishwakarma explained.

Malicious Actor

“With a device IMEI number & the user’s email address, it is then possible for a malicious actor to make changes to the system, including disarming its alarm.”

Rapid7 notes that the effort required to exploit this may be too much for random, opportunistic home invaders, but in a stalker or restraining-order type of situation, where the person already knows the target & has their email address, the urgency to mitigate the problem increases, given the potential for physical violence.

Exploitation

“The likelihood of exploitation of these issues is pretty low,” Tod Beardsley, Director of Research at Rapid7, outlined.

“An opportunistic home invader is not likely to be a cyber-security expert, after all. However, I am concerned about a scenario where the attacker already knows the victim well, or at least, well enough to know their email address, which is all that is really required to disable these devices from over the internet using CVE-2021-39276.”

RF Weakness

The 2nd issue, tracked as CVE-2021-39277, involves the RF signals used to communicate between the key fobs, door/window contact sensors & the Fortress Console, which are sent in the 433 MHz band. Specifically, anyone within RF signal range could capture & replay RF signals to alter system behaviour, resulting in disarmament.

“When a radio-controlled device has not properly implemented encryption or rotating key protections, this can allow an attacker to capture command-&-control signals over the air & then replay those radio signals in order to perform a function on an associated device,” according to Vishwakarma.

Proof-of-Concept Exploit

In a proof-of-concept exploit, researchers used a software-defined radio (SDR) device to capture normal operations of the device’s “arm” & “disarm” commands. Then, replaying the captured RF signal communication command would arm & disarm the system without further user interaction.

An exploit requires an attacker to be within physical range, staking out the property & waiting for the victim to use an RF-controlled device on the system – no prior knowledge of the victim is necessary.
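The replay weakness described above comes down to every fob press transmitting the same bytes, so the console cannot tell a live press from a recording. The following added example (not Rapid7’s or Fortress’s code) contrasts that fixed-code design with a rolling-code receiver that binds each frame to a monotonic counter and an HMAC tag; the key, frame layout and acceptance window are assumptions for illustration.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed demo key; a real fob would carry a per-device key provisioned at pairing time.
KEY = b"constructed-demo-fob-key"
TAG_LEN = 8

# --- Fixed-code scheme (the weakness behind CVE-2021-39277): every press sends identical bytes.
def fixed_frame(cmd: str) -> bytes:
    return cmd.encode()

def fixed_receiver(frame: bytes) -> Optional[str]:
    # Nothing ties the frame to a moment in time, so a captured frame stays valid forever.
    return frame.decode() if frame in (b"arm", b"disarm") else None

# --- Rolling-code scheme: counter || command || HMAC tag, with the receiver tracking the counter.
def rolling_frame(cmd: str, counter: int) -> bytes:
    body = struct.pack(">I", counter) + cmd.encode()
    tag = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class RollingReceiver:
    def __init__(self, window: int = 16):
        self.last = -1        # highest counter accepted so far
        self.window = window  # tolerate a few presses made out of range of the console

    def accept(self, frame: bytes) -> Optional[str]:
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
        if len(body) < 4 or not hmac.compare_digest(expected, tag):
            return None  # forged or corrupted frame
        counter = struct.unpack(">I", body[:4])[0]
        if not (self.last < counter <= self.last + self.window):
            return None  # replayed (stale) counter, or a jump too large to trust
        self.last = counter
        return body[4:].decode()

def demo():
    # Fixed code: one captured "disarm" frame is accepted again on every replay.
    captured = fixed_frame("disarm")
    fixed_replay = fixed_receiver(captured)
    # Rolling code: the same capture works once, and the replay is rejected.
    rx = RollingReceiver()
    live = rolling_frame("disarm", 1)
    first = rx.accept(live)
    replay = rx.accept(live)
    return fixed_replay, first, replay  # ('disarm', 'disarm', None)
```

The acceptance window is what lets a fob that was pressed out of range still work later, while a counter at or below the last accepted value is always rejected.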

To exploit the RF weakness, “the attacker would need to be both reasonably conversant in SDR in order to capture & replay the signals, and be within reasonable radio range,” Beardsley outlined.

“What that range is would depend on the sensitivity of the gear being used, but typically this sort of eavesdropping requires line of sight & pretty close proximity – across the street or so.”

How to Protect

As mentioned, there is, unfortunately, no firmware update available for either vulnerability. The vendor closed the ticket that Rapid7 opened on the bugs without comment & didn’t respond to researchers’ follow-ups.

“In the past, we’ve seen that vendors that are unresponsive prior to disclosure tend to respond after disclosure, & tend to address these issues pretty quickly,” Beardsley stated. “I’m hopeful that’ll be the case with this issue.”

Authentication Update

There is, however, a workaround for the 1st issue. Because an attack requires the email address registered to the system, “we suggest registering the device with a secret, one-time use email address, that can function as a sort of weak password,” Beardsley said. “Absent an authentication update from the vendor, I feel like this is an okay workaround.”

For CVE-2021-39277, there’s “very little a user can do to mitigate the effects of the RF replay issues absent a firmware update to enforce cryptographic controls on RF signals,” according to the post. Rapid7 advised that users could avoid using key fobs & other RF devices linked to Fortress to avoid an attack.

Vendor Programming Errors

These are just the latest vulnerabilities to be found in internet of things (IoT) devices, highlighting a continuing need for security by design on the part of hardware vendors.

“A proper cloud infrastructure can greatly benefit IoT security by enabling automatic updates & insulating users from many local security threats, but it can also magnify the impact of vendor programming errors,” Craig Young, Principal Security Researcher at Tripwire, said.

“Whereas a vulnerability within an individual device is generally exploited by a nearby attacker, vulnerabilities within a vendor infrastructure can expose all users at once.”
