Vulnerabilities in Fortress Wi-Fi Home security alarms
Flaws in the Fortress S03 Wi-Fi Home Security System can allow a threat actor to gain unauthorized access in order to alter system behavior, which includes disarming the devices without the target’s knowledge.
Cybersecurity firm Rapid7 discovered and reported the issues, tracked as CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7).
The Fortress S03 Wi-Fi Home Security System enables customers to protect their premises from thieves, fire, gas leakage, and water leakage through a DIY alarm system. It leverages Wi-Fi and RFID technology for entry without keys. The company boasts of serving thousands of customers through its security and surveillance systems.
Rapid7 researchers described the vulnerabilities as easy to exploit. CVE-2021-39276 concerns unauthenticated API access: an attacker who knows the victim’s email address can query the API for the device’s International Mobile Equipment Identity (IMEI) number. With the IMEI number and the email address, the attacker can make a number of alterations, including disabling the alarm system through an unauthenticated POST request.
CVE-2021-39277 concerns an RF signal replay attack, in which inadequate encryption allows the bad actor to capture radio frequency commands and regulate communications over the air. This is done with a software-defined radio (SDR), which lets the attacker play back the transmission for a particular function on the victim’s device.
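Why a captured disarm frame stays valid, and what a receiver-side fix looks like, as an added example that is not code from Rapid7 or Fortress. It assumes the simplest replayable design (a fixed frame per command) and contrasts it with a counter-plus-HMAC rolling code; the frame layout, command code, key and class names are all constructed for illustration.

```python
import hashlib
import hmac
import struct

DISARM = 0x02   # constructed command code, not the S03's real encoding
WINDOW = 16     # how far ahead of the last seen counter a frame may be

class StaticReceiver:
    """Assumed model of the flaw: one fixed frame per command, valid forever."""
    def __init__(self, fob_id: bytes):
        self.fob_id = fob_id
    def accept(self, frame: bytes) -> bool:
        return frame == self.fob_id + bytes([DISARM])

class RollingFob:
    """Key fob that authenticates every press with a fresh counter."""
    def __init__(self, fob_id: bytes, key: bytes):
        self.fob_id, self.key, self.counter = fob_id, key, 0
    def press(self, command: int) -> bytes:
        self.counter += 1
        body = self.fob_id + struct.pack(">IB", self.counter, command)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:8]

class RollingReceiver:
    """Alarm panel side: checks the tag, then insists the counter moves forward."""
    def __init__(self, fob_id: bytes, key: bytes):
        self.fob_id, self.key, self.last = fob_id, key, 0
    def accept(self, frame: bytes) -> bool:
        n = len(self.fob_id)
        if len(frame) != n + 5 + 8 or frame[:n] != self.fob_id:
            return False
        body, tag = frame[:-8], frame[-8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted frame
        counter, _command = struct.unpack(">IB", body[n:])
        if not (self.last < counter <= self.last + WINDOW):
            return False                      # replayed, or implausibly far ahead
        self.last = counter
        return True

def demo():
    """Feed the same captured frame to each receiver twice."""
    fob_id, key = b"\x00\x01\x02", b"constructed-demo-key"
    frame = fob_id + bytes([DISARM])
    static = StaticReceiver(fob_id)
    static_results = (static.accept(frame), static.accept(frame))
    fob, rx = RollingFob(fob_id, key), RollingReceiver(fob_id, key)
    captured = fob.press(DISARM)
    return static_results, (rx.accept(captured), rx.accept(captured))
```

The static receiver accepts the second copy of the frame; the rolling receiver rejects it because the counter has not advanced.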
According to the researcher’s report, CVE-2021-39276 gives an attacker who knows the user’s email address a reliable way to disarm the alarm without the user knowing. CVE-2021-39277 is similar but requires less knowledge of the victim: the victim only needs to use the RF-controlled devices within radio range, and an attacker staking out the property can replay the disarm command without the target’s knowledge.
Since the issues seem to persist, users are advised to configure their alarm systems with a distinct email address to work around the IMEI number exposure.
The experts further added that CVE-2021-39277 is more challenging to address, so users should not use key fobs and other RF devices connected to their security systems.