The Fortress S03 Wi-Fi Home Security System has been found to contain new vulnerabilities that a malicious party could abuse to gain unauthorized access and alter system behavior, including disarming the devices without the victim's knowledge.
The two unpatched flaws, tracked as CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7), were discovered and reported by cybersecurity firm Rapid7 in May 2021, which also gave the vendor a 60-day deadline to fix the weaknesses.
The Fortress S03 Wi-Fi Home Security System is a do-it-yourself (DIY) alarm system that enables users to secure their homes and small businesses from burglars, fires, gas leaks, and water leaks by leveraging Wi-Fi and RFID technology for keyless entry.
The company website claims that their security and surveillance systems are used by “thousands of clients and continued customers.”
According to the Rapid7 researchers, the vulnerabilities are trivially easy to exploit. CVE-2021-39276 concerns unauthenticated API access: an attacker who knows a victim's email address can query the API to leak the device's International Mobile Equipment Identity (IMEI) number, which also doubles as the serial number. With the IMEI and the email address in hand, the adversary can then make several unauthorized changes, such as disabling the alarm system via an unauthenticated POST request.
In practice, this means an attacker who knows a Fortress S03 user's email address can disarm the installed home alarm without that user's knowledge.
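The two API weaknesses described above share one root cause: the server acts on an email address or an IMEI without ever establishing who is asking. The following is an added illustration, not code from Fortress or from the Rapid7 report, that models that pattern beside its hardened form. The accounts, passwords and IMEIs are constructed placeholders; the hardened backend requires a session token for every call and enforces object-level authorization (the session owner must match the account being read or the device being disarmed), and records every rejected request so a detection pipeline has something to alert on.

```python
import hashlib
import hmac
import secrets

# Constructed demo data: the accounts, passwords and IMEIs are placeholders,
# not values from the product or the advisory.
SALT = b"demo-salt"


def _pw_hash(password: str) -> bytes:
    """PBKDF2 so stored credentials are not plain text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


class InsecureBackend:
    """Models the weakness in the article: IMEI lookup keyed only by email,
    and a disarm operation that trusts the IMEI alone."""

    def __init__(self):
        self.devices = {"alice@example.com": {"imei": "000000000000001", "armed": True}}

    def lookup_imei(self, email):
        return self.devices[email]["imei"]          # caller identity never checked

    def disarm(self, imei):
        for dev in self.devices.values():
            if dev["imei"] == imei:
                dev["armed"] = False                # no proof the caller owns it
                return True
        return False


class HardenedBackend:
    """Same operations, but each request carries a session token and the
    session owner must match the account or device being read or changed."""

    def __init__(self):
        self.devices = {
            "alice@example.com": {"imei": "000000000000001", "armed": True},
            "bob@example.com": {"imei": "000000000000002", "armed": True},
        }
        self.credentials = {e: _pw_hash(p) for e, p in
                            [("alice@example.com", "alice-pass"), ("bob@example.com", "bob-pass")]}
        self.sessions = {}   # token -> email
        self.audit = []      # rejected requests; what a detection pipeline would ingest

    def login(self, email, password):
        stored = self.credentials.get(email)
        if stored is None or not hmac.compare_digest(stored, _pw_hash(password)):
            self.audit.append(("login_failed", email))
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token

    def _owner(self, token):
        email = self.sessions.get(token)
        if email is None:
            self.audit.append(("unauthenticated", token))
            raise PermissionError("authentication required")
        return email

    def lookup_imei(self, token, email):
        owner = self._owner(token)
        if owner != email:                          # object-level authorization
            self.audit.append(("forbidden_lookup", owner, email))
            raise PermissionError("not the caller's account")
        return self.devices[email]["imei"]

    def disarm(self, token, imei):
        owner = self._owner(token)
        dev = self.devices[owner]                   # only the caller's own device
        if not hmac.compare_digest(dev["imei"], imei):
            self.audit.append(("forbidden_disarm", owner, imei))
            raise PermissionError("device not owned by caller")
        dev["armed"] = False
        return True


def demo():
    """Exercise both backends; returns flags a test can assert on."""
    insecure = InsecureBackend()
    insecure.disarm(insecure.lookup_imei("alice@example.com"))   # email -> IMEI -> disarmed
    insecure_disarmed = not insecure.devices["alice@example.com"]["armed"]

    hard = HardenedBackend()
    bob = hard.login("bob@example.com", "bob-pass")
    rejected = []
    for call in (lambda: hard.lookup_imei("no-such-token", "alice@example.com"),
                 lambda: hard.lookup_imei(bob, "alice@example.com"),
                 lambda: hard.disarm(bob, "000000000000001")):
        try:
            call()
            rejected.append(False)
        except PermissionError:
            rejected.append(True)
    alice = hard.login("alice@example.com", "alice-pass")
    own_lookup_ok = hard.lookup_imei(alice, "alice@example.com") == "000000000000001"
    return insecure_disarmed, all(rejected), hard.devices["alice@example.com"]["armed"], own_lookup_ok
```

The point of the `audit` list is that the hardened design produces a signal where the insecure one produces none: a burst of `unauthenticated` or `forbidden_lookup` entries against one account is exactly the enumeration activity the article describes, and is the thing a defender would want to alert on.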
The CVE-2021-39277 flaw relates to an RF signal replay attack: a lack of adequate encryption allows a threat actor to capture the radio frequency command-and-control communications over the air using software-defined radio (SDR) and play the transmission back to trigger specific functions, such as "arm" and "disarm", on the target device.
In this case, the attacker can simply stake out the property and wait for the victim to use the RF-controlled devices within radio range, then replay the "disarm" command later without the victim's knowledge.
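The replay works because the receiver accepts the same bytes every time it hears them. The standard countermeasure is to make every transmission single-use: the fob includes a monotonically increasing counter in each frame and authenticates the frame with a keyed MAC, and the panel refuses any counter it has already consumed. The code below is an added illustration of that design next to a model of the static-command receiver; it is not Fortress's protocol, and the frame layout (4-byte counter, command, 8-byte truncated HMAC-SHA256 tag), the shared key and the acceptance window are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed illustration of the two receiver designs. The frame layout and the
# shared key below are assumptions for this example, not the product's protocol.


class StaticReceiver:
    """Models the weakness in the article: a fixed over-the-air command is accepted
    every time it is heard, so a recording of it works as well as the original."""

    def __init__(self):
        self.armed = True

    def receive(self, frame: bytes) -> bool:
        if frame == b"DISARM":
            self.armed = False
            return True
        if frame == b"ARM":
            self.armed = True
            return True
        return False


class Fob:
    """Transmitter side of the hardened design: counter || cmd || HMAC tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self, cmd: bytes) -> bytes:
        self.counter += 1                       # never reused by this fob
        body = struct.pack(">I", self.counter) + cmd
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        return body + tag


class RollingReceiver:
    """Receiver that rejects replays (stale counter) and tampered frames (bad tag)."""

    WINDOW = 256   # tolerate presses the panel never heard (fob used out of range)

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.armed = True
        self.rejected = []   # what a detection rule would alert on

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 4 + 1 + 8:
            self.rejected.append(("malformed", frame))
            return False
        body, tag = frame[:-8], frame[-8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            self.rejected.append(("bad_tag", frame))
            return False
        counter, cmd = struct.unpack(">I", body[:4])[0], body[4:]
        if counter <= self.last_counter or counter > self.last_counter + self.WINDOW:
            self.rejected.append(("replay_or_out_of_window", counter))
            return False
        self.last_counter = counter             # consume the counter before acting
        if cmd == b"DISARM":
            self.armed = False
        elif cmd == b"ARM":
            self.armed = True
        else:
            self.rejected.append(("unknown_cmd", cmd))
            return False
        return True


def demo():
    """Feed one recorded DISARM frame back to both designs after the owner re-arms."""
    static = StaticReceiver()
    captured = b"DISARM"
    static.receive(captured)                   # legitimate press, recorded off the air
    static.receive(b"ARM")                     # owner re-arms
    static_replay_works = static.receive(captured)   # replay disarms again

    key = b"constructed-demo-key"             # placeholder shared secret
    fob, panel = Fob(key), RollingReceiver(key)
    captured = fob.press(b"DISARM")
    panel.receive(captured)                    # legitimate press
    panel.receive(fob.press(b"ARM"))           # owner re-arms
    rolling_replay_works = panel.receive(captured)   # stale counter, rejected
    return static_replay_works, rolling_replay_works, panel.armed, len(panel.rejected)
```

Two design details matter in practice. The counter is consumed before the command is executed, so a frame can never be accepted twice even if acting on it fails. And the acceptance window is bounded in both directions: a counter at or below the last accepted value is a replay, while one far above it is either a desynchronized fob or a forged frame, and both end up in `rejected`, which is the record a monitoring panel should surface to the owner.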
The researchers reported their findings to Fortress Security on May 13, 2021; the company closed the report 11 days later, on May 24.
Since the issue remains unresolved, users are strongly advised to configure their alarm systems with a unique, one-time email address to work around the IMEI number exposure.
For the CVE-2021-39277 flaw, however, there is little a user can do to mitigate the effects. The researchers suggest that those concerned about this exposure avoid using the key fobs and other RF devices linked to their home security systems.