
Vulnerability in Smart Access Control System Exposes Thousands of U.S. Rental Homes

Introduction:
A vulnerable smart access control system used in thousands of U.S. rental homes has raised concerns over the security of these properties. The system, developed by Chirp Systems, has a flaw that allows anyone to remotely control any lock in an affected home. Despite efforts to bring this issue to its attention, Chirp Systems has not taken action to fix the vulnerability. This article explores the implications of this security risk and the lack of response from Chirp Systems.

Hardcoded Credentials and Security Risks:
The vulnerability stems from credentials hardcoded in the phone apps developed by Chirp Systems. Hardcoding credentials in the source code is a security risk because anyone who obtains the app can extract those credentials and use them to impersonate the app. In this case, the hardcoded credentials enable unauthorized individuals to remotely lock or unlock Chirp-connected door locks. The U.S. cybersecurity agency, CISA, has given this flaw a severity score of 9.1 out of 10 because of its low attack complexity and its potential for remote exploitation.
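A release-gate check for this class of flaw, as an added example that is not code from Chirp Systems, CISA or the researcher: it flags string literals assigned to secret-like names in app source before a build ships. The sample class, its field names and values are constructed for illustration, and the name patterns and entropy threshold are assumptions to tune per code base.

```python
import math
import re

# Identifier names that usually hold a secret (assumed pattern set, tune per project).
SECRET_NAME = re.compile(r"(?i)(pass(word|wd)?|secret|api[_-]?key|token|credential)")
# name = "literal" or name: "literal", as found in Java/Kotlin/Swift sources.
ASSIGNMENT = re.compile(r"""([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']([^"']{6,})["']""")
PLACEHOLDERS = {"changeme", "placeholder", "example", "your_api_key"}

def shannon_entropy(s):
    """Bits per character; real secrets score higher than words or filler."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_hardcoded_credentials(source, min_entropy=3.0):
    """Return (line number, identifier) pairs; the value itself is never
    returned so the secret does not end up in CI logs."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith(("//", "*", "/*", "#")):
            continue  # commented-out code is ignored in this narrowed check
        for name, value in ASSIGNMENT.findall(line):
            if not SECRET_NAME.search(name):
                continue
            if value.lower() in PLACEHOLDERS or value.startswith("${"):
                continue  # placeholder, or injected at build time
            if shannon_entropy(value) >= min_entropy:
                findings.append((lineno, name))
    return findings

# Constructed sample input (hypothetical client class, not taken from any real app).
SAMPLE = '''\
class LockApiClient {
    // String apiPassword = "old-value-removed";
    private static final String BASE_URL = "https://api.example.invalid/v1";
    private static final String API_USERNAME = "mobile-app";
    private static final String API_PASSWORD = "Zx9!qLm27#pTv4Rb";
    private static final String CLIENT_SECRET = "${CLIENT_SECRET}";
    String userToken = keystore.load("session");
}
'''

if __name__ == "__main__":
    for lineno, name in find_hardcoded_credentials(SAMPLE):
        print(f"line {lineno}: hardcoded value assigned to {name}")
```

A clean scan does not make a client-side secret safe: anything the app needs at runtime can still be recovered from the device, so the server must authorize each lock operation per user rather than trusting a shared app credential.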

Chirp Systems’ Ignored Requests:
Despite being made aware of the vulnerability, Chirp Systems has not responded to requests for action from either CISA or the security researcher who discovered the flaw. Matt Brown, the researcher, notified Chirp Systems about the issue in March 2021, but the vulnerability remains unfixed. This lack of response raises concerns about Chirp Systems’ commitment to addressing security issues promptly.

Keyless Access Controls and Responsibility:
Chirp Systems is just one example of a growing number of property tech companies that provide keyless access controls for rental properties. Rental giants like Camden Property Trust have signed deals to implement Chirp-connected smart locks in thousands of units. However, it remains unclear whether affected properties are aware of the vulnerability or have taken any action to address it. The responsibility for security problems in these cases is often ambiguous, leaving renters uncertain about who should be held accountable.

RealPage Acquisition and Legal Challenges:
In 2020, Chirp Systems was acquired by RealPage, a property management software giant. RealPage, in turn, was later acquired by private equity giant Thoma Bravo in a $10.2 billion deal. However, neither RealPage nor Thoma Bravo has acknowledged the vulnerabilities in the acquired software or indicated whether it plans to notify affected residents of the security risk. This lack of acknowledgment raises concerns about the commitment of these companies to prioritize the security of their customers.

Conclusion:
The vulnerability in Chirp Systems’ smart access control system highlights the need for robust security measures in rental homes. The company’s failure to address the flaw, despite being notified by both a researcher and the U.S. cybersecurity agency, raises questions about its responsiveness and commitment to customer safety. Additionally, the lack of clarity regarding responsibility and ownership when security problems arise in rental properties further compounds the issue. It is essential for property tech companies and rental giants to prioritize security and promptly address vulnerabilities to ensure the safety and peace of mind of their customers.
