[BreachExchange] Vulnerabilities Can Allow Hackers to Disarm Fortress Home Security Systems

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Sep 1 08:46:43 EDT 2021


https://www.securityweek.com/vulnerabilities-can-allow-hackers-disarm-fortress-home-security-systems

Fortress Security Store is a physical security solutions provider based in
the United States. The company says thousands of consumers and businesses
use its products.

The flaws were found in Fortress’ S03 WiFi Security System, which connects
to an existing Wi-Fi network or phone line. The system can include security
cameras, window and door sensors, motion detectors, glass break and
vibration sensors, as well as smoke, gas and water alarms.

Rapid7 researchers discovered that the product is affected by two
vulnerabilities — both rated medium severity based on their CVSS score —
that can be exploited remotely.

One of them, tracked as CVE-2021-39276, has been described as an
unauthenticated API access issue. An attacker who knows the targeted user’s
email address — the attack cannot be launched without this piece of
information — can use the email address to query the API and obtain the
security system’s associated IMEI number. Once they have obtained the IMEI,
the attacker can send unauthenticated POST requests to make changes to the
system, including to disarm it.

The second flaw, tracked as CVE-2021-39277, can be exploited to launch a
radio frequency (RF) signal replay attack. Because communications between
different components of the home security system are not properly
protected, an attacker can capture various commands, such as arm or
disarm, using a software-defined radio device, and then replay those
commands at a later time.

This attack does not require any prior knowledge of the targeted system,
but it can only be launched by an attacker who is in the radio range of the
target.

Rapid7 said it initially reported the flaws to Fortress in mid-May and
again in mid-August. However, there does not appear to be a patch for the
vulnerabilities.

There is not much that users can do to prevent RF attacks — except to avoid
using key fobs and other RF devices linked to the system. Exploitation of
CVE-2021-39276 can be prevented by registering the system with a unique
email address that an attacker is unlikely to guess or obtain.

SecurityWeek has reached out to Fortress for comment, but we have not
received a reply beyond an automated email confirming that our message was
received.
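
An added example, not from the SecurityWeek article, Rapid7 or Fortress: a minimal model of why a fixed command frame stays valid when replayed, next to a receiver that requires a per-press counter and a MAC and therefore rejects the same capture. The frame layout, key, window size and all names are hypothetical and do not describe the S03 protocol.

```python
import hashlib, hmac, struct

KEY = b"constructed-pairing-key"   # hypothetical secret shared at pairing time
FIXED_DISARM = b"\x5a\x01"         # constructed static "disarm" frame
TAG_LEN, WINDOW = 8, 16            # truncated MAC size; allowed counter look-ahead

def mac(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def fob_frame(key: bytes, command: int, counter: int) -> bytes:
    """Frame sent by the key fob: command (1 byte) | counter (4 bytes) | MAC."""
    body = struct.pack(">BI", command, counter)
    return body + mac(key, body)

class StaticReceiver:
    """Accepts any frame equal to the fixed code, so a recording never expires."""
    def accept(self, frame: bytes) -> bool:
        return frame == FIXED_DISARM

class RollingReceiver:
    """Accepts a frame only if its MAC verifies and its counter is fresh."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        if not hmac.compare_digest(tag, mac(self.key, body)):
            return False
        counter = struct.unpack(">I", body[1:])[0]
        # The counter must move forward; the window tolerates presses the panel missed.
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False
        self.last_counter = counter
        return True

def demo() -> dict:
    static, rolling = StaticReceiver(), RollingReceiver(KEY)
    captured = fob_frame(KEY, 0x01, 1)            # frame seen once on the air
    fresh = fob_frame(KEY, 0x01, 3)
    tampered = fresh[:-1] + bytes([fresh[-1] ^ 1])
    return {
        "static_replay": static.accept(FIXED_DISARM),     # same bytes work again
        "rolling_first": rolling.accept(captured),        # legitimate press
        "rolling_replay": rolling.accept(captured),       # stale counter
        "rolling_next": rolling.accept(fob_frame(KEY, 0x01, 2)),
        "rolling_tampered": rolling.accept(tampered),     # MAC mismatch
    }
```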