Vulnerabilities allow attackers to remotely deactivate home security system (CVE-2021-39276, CVE-2021-39277)

HelpNet Security -

A DiY home security system sold to families and businesses across the US sports two vulnerabilities (CVE-2021-39276, CVE-2021-39277) that, while not critical, “are trivially easy to exploit by motivated attackers who already have some knowledge of the target,” Rapid7 warns.

About the vulnerabilities (CVE-2021-39276, CVE-2021-39277)

The Fortress S03 WiFi Security System is a consumer-grade offering that customers can customize for each physical location. It uses WiFi and RF communication to monitor doors and windows, and it can detect the presence of intruders, gas leaks, smoke, and so on.

Unfortunately, researcher Arvind Vishwakarma discovered that it has an insecure cloud API deployment (CVE-2021-39276) and a vulnerability that allows a close-by attacker to capture and replay RF signals to alter the system's behavior (CVE-2021-39277).
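
The replay weakness class behind CVE-2021-39277, shown from the receiver's side as an added example (not code from the article, Rapid7 or Fortress): a receiver that accepts any byte-identical copy of a valid frame, next to one that requires a fresh counter and a valid MAC. The frame layout, key and command bytes are constructed assumptions and do not describe the S03's actual RF protocol.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumed per-device secret shared at pairing
TAG_LEN = 8                    # truncated HMAC-SHA256 tag length (assumption)

def fixed_code_accepts(frame: bytes, expected: bytes) -> bool:
    """Fixed-code receiver: a recorded copy of a valid frame always matches."""
    return hmac.compare_digest(frame, expected)

def make_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Sender: 4-byte big-endian counter + 1-byte command + MAC over both."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Accepts a frame only if its MAC verifies and its counter is strictly newer."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        want = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, want):
            return False              # forged or corrupted frame
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False              # replayed or stale frame
        self.last_counter = counter   # commit only after both checks pass
        return True

def demo():
    static_disarm = b"\xA5\x01"       # constructed fixed-code "disarm" frame
    recorded = bytes(static_disarm)   # what a replayed copy would contain
    fixed = fixed_code_accepts(recorded, static_disarm)
    rx = Receiver(KEY)
    frame = make_frame(KEY, 1, b"\x01")
    first = rx.accept(frame)          # genuine button press
    replay = rx.accept(frame)         # same bytes sent again
    fresh = rx.accept(make_frame(KEY, 2, b"\x01"))
    return fixed, first, replay, fresh

if __name__ == "__main__":
    print(demo())
```

The counter has to survive power loss on both sides, otherwise a reset receiver would accept old frames again.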

CVE-2021-39276 may allow a malicious actor that knows a user’s email address to query the cloud-based API to return an IMEI number that’s also the device’s serial number.

The post Vulnerabilities allow attackers to remotely deactivate home security system (CVE-2021-39276, CVE-2021-39277) was first published on Help Net Security.
