A vulnerability in a smart access control system used in thousands of rental homes in the United States allows anyone to remotely control any lock in an affected home. But Chirp Systems, the company that makes the system, has ignored requests to fix the flaw.
The American cybersecurity agency CISA visited public with a safety notice last week claiming that phone apps developed by Chirp, which residents use in place of a key to access their homes, “inappropriately store” hard-coded credentials that can be used to remotely control any Chirp-enabled smart lock.
Applications that rely on passwords stored in their source code, called hardcoded credentials, pose a security risk because anyone can extract and use these credentials to perform actions impersonating the application. In this case, the credentials allowed anyone to remotely lock or unlock a Chirp-connected door lock via the Internet.
In its advisory, CISA said that successful exploitation of the flaw “could allow an attacker to take control and gain unrestricted physical access” to smart locks connected to a Chirp smart home system. The cybersecurity agency gave the vulnerability a severity rating of 9.1 out of a maximum of 10 for its “low attack complexity” and for its ability to be exploited remotely.
The cybersecurity agency said Chirp Systems did not respond to either CISA or the researcher who discovered the vulnerability.
Security researcher Matt Brown said Brian Krebs, veteran security journalist that he informed Chirp of the security issue in March 2021 but that the vulnerability is still not fixed.
Chirp Systems is one of a growing number of companies in the real estate technology space that provide rental giants with keyless access controls that integrate with smart home technologies. Rental companies are increasingly requiring tenants to allow the installation of smart home equipment as dictated by their leases, but it's unclear at best who takes responsibility or ownership when security issues arise.
Real estate and rental giant Camden Property Trust signed a deal in 2020 to deploy Chirp connected smart locks to more than 50,000 homes spread across more than a hundred properties. It is unclear whether affected properties like Camden are aware of the vulnerability or have taken action. Kim Callahan, a Camden spokeswoman, did not respond to a request for comment.
Chirp was acquired by property management software giant RealPage in 2020, and RealPage was acquired by private equity giant Thoma Bravo. later that year in a $10.2 billion deal. RealPage is facing several legal challenges following allegations its rent-setting software uses secret, proprietary algorithms to help landlords raise rents as high as possible for tenants.
Neither RealPage nor Thoma Bravo have yet acknowledged the vulnerabilities in the acquired software, or indicated whether they plan to notify affected residents of the security risk.
Jennifer Bowcock, a spokesperson for RealPage, did not respond to TechCrunch's requests for comment. Megan Frank, a spokesperson for Thoma Bravo, also did not respond to requests for comment.