CISA has flagged a security problem with Chirp Systems' app, which could make smart homes less secure. This issue affects a system used in many rental properties, letting anyone control the locks from afar.

Despite warnings, Chirp Systems hasn't fixed the problem.

Some people say home security is overrated, but smart locks guarantee your safety in the right hands. (Photo: Amazon)

Security Risk in Chirp Systems' App

The US government has sounded the alarm over a security loophole discovered in Chirp Systems' app, which poses a significant risk to smart home security.

This vulnerability, detected in a smart access control system widely deployed across rental properties in the US, permits unauthorized individuals to manipulate any lock within the affected premises remotely. 

Despite repeated requests to address the issue, TechCrunch reported that Chirp Systems, the developer behind the app, has yet to rectify the flaw. CISA, the US cybersecurity agency, issued a public advisory last week detailing the concerning security flaw present in Chirp's phone apps. 

These applications, which residents use as digital keys to their homes, have been found to "improperly store" hardcoded credentials.

Once exploited, these credentials grant remote control access to any smart lock compatible with the Chirp system.

Applications that store passwords directly within their source code, a practice termed "hardcoding credentials," pose significant security risks as malicious actors can easily access and misuse them. 

In this instance, the hardcoded credentials facilitated unauthorized remote manipulation of Chirp-connected door locks via the Internet. According to CISA's advisory, the exploitation of this vulnerability could grant attackers complete control and unrestricted physical access to smart locks integrated into a Chirp smart home setup. 

With a severity score of 9.1 out of 10, the vulnerability is highly critical due to its low attack complexity and potential for remote exploitation. Despite efforts by both CISA and the researcher who uncovered the vulnerability, Chirp Systems has yet to acknowledge or address the issue.

Also read: CISA Systems Hacked: Ivanti Vulnerabilities Exploited, Urgent Security Measures Advised

Security researcher Matt Brown informed Brian Krebs, a seasoned security journalist, that he brought the security issue to Chirp's attention in March 2021, yet the vulnerability persists unresolved.

Challenges in the Rental Property Tech Sector

Chirp Systems represents a subset of companies within the property technology sector offering keyless access solutions that seamlessly integrate with smart home ecosystems utilized by rental corporations. 

As rental agreements increasingly mandate the installation of smart home devices, delineating responsibility or ownership in the event of security breaches remains ambiguous.

In 2020, RealPage, a property management software leader, acquired Chirp, and shortly after, RealPage itself was purchased by private equity firm Thoma Bravo in a substantial $10.2 billion transaction. RealPage has encountered legal disputes, with accusations that its rental software employs undisclosed algorithms to facilitate rent hikes for landlords.

Currently, neither RealPage nor Thoma Bravo has acknowledged the existing software vulnerabilities inherited through acquisition, nor have they indicated any intention to inform affected residents about the associated security risks.

Related Article: Russian Government-Backed Hackers Steal Emails from US Federal Agencies Through Microsoft Accounts