Security News > 2021 > September > Vulnerabilities allow attackers to remotely deactivate home security system (CVE-2021-39276, CVE-2021-39277)

A DiY home security system sold to families and businesses across the US sports two vulnerabilities that, while not critical, "Are trivially easy to exploit by motivated attackers who already have some knowledge of the target," Rapid7 warns.

The Fortress S03 WiFi Security System is a consumer-grade offering that customers can be customized for each physical location.

Armed with these two pieces of information, the attacker could make changes to the system - and that includes disarming its alarm without the user's knowledge.

With home owners often putting stickers on their windows "Advertising" the use of a specific security solution, if would be easy for motivated criminals to pinpoint users of the vulnerable system.

CVE-2021-39277 is a matter of improper encryption or rotating key protections, so attackers can capture command-and-control signals over the air and replay them to, for example, disarm the security system.

"There seems to be very little a user can do to mitigate the effects of the RF replay issues, absent a firmware update to enforce cryptographic controls on RF signals. Users concerned about this exposure should avoid using key fobs and other RF devices linked to their home security systems," Beardsley advised.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/W411k5UoI4w/