Security News > 2021 > September > Pwned! The home security system that can be hacked with your email address
A researcher at vulnerability and red-team company Rapid7 recently uncovered a pair of risky security bugs in a digital home security product.
The affected product comes from the company Fortress Security Store, which sells two branded home security setups, the entry-level S03 Wifi Security System, which starts at $130, and the more expensive S6 Titan 3G/4G WiFi Security System, starting at $250. The intrepid reseacher, Arvind Vishwakarma, acquired an S03 starter system, which includes a control panel, remote control fobs, a door or window sensor, a motion detector, and an indoor siren.
Like many modern Internet of Things, products, the Fortress Security products make use of cloud-based servers on the internet for control and monitoring purposes, accessing the Fortress cloud via what's known in the jargon as a web API, short for application programming interface.
Vishwakarma also took a look at the security of the keyfobs that come with the system.
In theory, a correctly configured SDR can reliably and easily record the exact radio signal emitted by a keyfob when it's locking or unlocking your car, your garage or your home security system.
By using a cryptographic algorithm to vary the actual data it transmits each time, much like those ever-changing 2FA codes that mobile phone security apps produce, a well-designed keyfob should be resistant to what's known as a replay attack.