Two security flaws riddled the Fortress WiFi home security alarms allowing an adversary to remotely disable the device. Following the bug report, the vendors closed the case but didn’t clarify fixing of the bugs.
Fortress Home Security System Flaws
Researchers from Rapid7 found two security flaws in Fortress WiFi home security alarms.
As elaborated in their post, they precisely found two different vulnerabilities in Fortress S03 WiFi Home Security System.
One of these bugs includes an unauthenticated API access flaw (CVE-2021-39276). An adversary knowing the victim users’ email address could query the API to return the device’s serial or IMEI number. Learning this detail could let the adversary modify the smart device settings or even turn it off.
The second vulnerability, CVE-2021-39277, allowed an RF replay attack. In simple words, such attacks become possible due to the lack of adequate encryption of radio signals by a device. Hence, an adversary can control and replay the signals to perform various actions. In the case of Fortress S03 security system, the vulnerability allowed similar attacks. As stated in Rapid7’s post,
The RF signals used to communicate between the Key Fobs, Door/Window Contact Sensors, and the Fortress Console were identified in the 433 MHz band. Using a software defined radio (SDR) device, the researcher was able to capture normal operations of the device “arm” and “disarm” commands. Then, replaying the captured RF signal communication command would arm and disarm the system without further user interaction.
Vendors Closed The Bug Report, But…
The researchers first discovered the vulnerabilities in May 2021, following which, they reached out to the vendors.
Consequently, the vendors closed the case within the same month. However, it remains unclear if they have patched the vulnerabilities or not. The vendors haven’t released any formal statement in this regard.
If you are unsure about the security of this system, you may want to purchase a different brand that has a better handle on security. One such large brand is Vivint, you can read other users reviews of their system here: https://vivint.security/vivintreviews
As for the users, mitigating CVE-2021-39276 is possible with a simple workaround explained by Rapid7.
Users could configure their alarm systems with a unique, one-time email address. Many email systems allow for “plus tagging” an email address. For example, a user could register “email@example.com” and treat that plus-tagged email address as a stand-in for a password.
However, for the second vulnerability, users have to rely on a firmware fix from the vendors. Until then, they should avoid using key fobs or linking RF devices with their security systems to avoid potential attacks.