Pwned! The home security system that can be hacked with your email address
2021-09-02 18:57

A researcher at vulnerability and red-team company Rapid7 recently uncovered a pair of risky security bugs in a digital home security product.

The affected product comes from the company Fortress Security Store, which sells two branded home security setups: the entry-level S03 Wifi Security System, which starts at $130, and the more expensive S6 Titan 3G/4G WiFi Security System, starting at $250. The intrepid researcher, Arvind Vishwakarma, acquired an S03 starter system, which includes a control panel, remote control fobs, a door or window sensor, a motion detector, and an indoor siren.

Like many modern Internet of Things products, the Fortress Security products make use of cloud-based servers on the internet for control and monitoring purposes, accessing the Fortress cloud via what's known in the jargon as a web API, short for application programming interface.

Vishwakarma also took a look at the security of the keyfobs that come with the system.

In theory, a correctly configured SDR (software-defined radio) can reliably and easily record the exact radio signal emitted by a keyfob when it's locking or unlocking your car, your garage or your home security system.

By using a cryptographic algorithm to vary the actual data it transmits each time, much like those ever-changing 2FA codes that mobile phone security apps produce, a well-designed keyfob should be resistant to what's known as a replay attack.
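As an added illustration (not from the original article, and not the Fortress protocol or any real keyfob scheme), here is a receiver that checks a counter-based HMAC code, in the spirit of the 2FA comparison above, next to a fixed-code receiver for contrast. The key, frame layout, window size and all names are assumptions made for the example.

```python
import hashlib
import hmac

CODE_LEN = 8   # bytes of truncated MAC sent with each press (assumed)
WINDOW = 16    # missed presses the receiver tolerates (assumed)

def make_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Fob side: counter || command || truncated HMAC over both."""
    body = counter.to_bytes(4, "big") + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:CODE_LEN]

class Receiver:
    """Rolling-code receiver: a frame is valid once, then never again."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, frame: bytes) -> bool:
        if len(frame) <= 4 + CODE_LEN:
            return False  # too short to hold counter, command and MAC
        body, tag = frame[:-CODE_LEN], frame[-CODE_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:CODE_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter = int.from_bytes(body[:4], "big")
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False  # replayed (old counter) or implausibly far ahead
        self.last_counter = counter
        return True

class StaticReceiver:
    """Fixed-code design: identical bytes on every press, so a recording stays valid."""
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

def demo():
    key = b"constructed-demo-key-not-real!!"       # constructed sample key
    rx = Receiver(key)
    press = make_frame(key, 0, b"DISARM")          # constructed sample frame
    first, replay = rx.accept(press), rx.accept(press)
    fresh = rx.accept(make_frame(key, 1, b"DISARM"))
    fixed = StaticReceiver(b"\xa5\x5a\x01")        # constructed fixed code
    return first, replay, fresh, fixed.accept(b"\xa5\x5a\x01"), fixed.accept(b"\xa5\x5a\x01")
```

The rolling-code receiver rejects the second copy of the same frame, while the fixed-code receiver accepts its code every time it is presented.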


News URL

https://nakedsecurity.sophos.com/2021/09/02/pwned-the-home-security-system-that-can-be-hacked-with-your-email-address/