Security researchers at Rapid7 have disclosed two vulnerabilities in the Wi-Fi alarm system from manufacturer Fortress. The flaws allow a threat actor to disable the alarm remotely and to capture data in transit.
Arvind Vishwakarma of Rapid7 published the details. According to the report, the system uses motion sensors and door and window contact sensors to detect intruders, glass-break and vibration sensors, and smoke, gas and water alarms.
Both vulnerabilities were investigated. The first is tracked as CVE-2021-39276 and is an instance of CWE-287 (Improper Authentication).
It describes an insecure cloud API deployment that allows unauthenticated users to trivially discover a secret that can then be used to alter the system's behavior. This vulnerability has a CVSS score of 5.3 (medium).
The second is tracked as CVE-2021-39277 and is an instance of CWE-294 (Authentication Bypass by Capture-replay): anyone within Radio Frequency (RF) range can capture and replay RF signals to change the behavior of the system. It has a CVSS score of 5.7.
Flaws and Their Exploitation
After detecting the vulnerabilities, the researchers investigated further and concluded that both are easy to exploit by a motivated attacker who already has some general knowledge of the target.
CVE-2021-39276: Unauthenticated API Access
If a threat actor knows a user's email address, they can submit it to the cloud-based API, which returns the device's International Mobile Equipment Identity (IMEI) number.
The structure of the POST request used to make this unauthenticated query and return the IMEI is shown in Rapid7's disclosure; it is not reproduced here.
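The request itself is not on this page, so the following is an added, hypothetical model of the CWE-287 pattern described above, not Fortress's or Rapid7's code: an IMEI-lookup handler that answers any caller who knows an email address, beside a hardened handler that first authenticates the caller and then checks that the authenticated account actually owns the requested email. The registry, session store, token and IMEI value are all constructed for the example.

```python
"""Added example (not from the Fortress product or the Rapid7 disclosure):
a minimal model of an unauthenticated IMEI lookup (CWE-287) and of the
authentication plus ownership check a defender would require instead.
All data below is constructed for the demonstration."""
import hmac

# Constructed device registry: account email -> device IMEI (made-up value)
DEVICE_BY_EMAIL = {"alice@example.com": "490154203237518"}
# Constructed session store: bearer token -> authenticated account email
SESSIONS = {"tok-alice-constructed": "alice@example.com"}


def lookup_imei_unauthenticated(request: dict) -> dict:
    """Vulnerable pattern: anyone who knows an email gets the device secret."""
    email = request.get("email", "")
    imei = DEVICE_BY_EMAIL.get(email)
    if imei is None:
        return {"status": 404}
    return {"status": 200, "imei": imei}


def _authenticated_user(request: dict):
    """Resolve the bearer token to an account, using a constant-time compare."""
    token = request.get("authorization", "")
    for known, email in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return email
    return None


def lookup_imei_hardened(request: dict) -> dict:
    """Hardened pattern: require a valid session (authentication) and require
    that the session's account owns the requested email (authorization)."""
    user = _authenticated_user(request)
    if user is None:
        return {"status": 401}            # no valid session: not authenticated
    email = request.get("email", "")
    if email != user:
        return {"status": 403}            # authenticated, but not the owner
    imei = DEVICE_BY_EMAIL.get(email)
    if imei is None:
        return {"status": 404}
    return {"status": 200, "imei": imei}


if __name__ == "__main__":
    print(lookup_imei_unauthenticated({"email": "alice@example.com"}))
    print(lookup_imei_hardened({"email": "alice@example.com"}))
    print(lookup_imei_hardened({"email": "alice@example.com",
                                "authorization": "tok-alice-constructed"}))
```

The stronger design is to never hand the IMEI (or any other device secret) back to a client at all: the server should accept arm/disarm commands from an authenticated session and look the device up internally, so that knowing an email address gives a caller nothing to replay against the control API.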
CVE-2021-39277: Vulnerable to RF Signal Replay Attack
The other vulnerability is an RF replay attack. When a radio-controlled device does not implement encryption or rotating-key (rolling-code) protections,
an attacker within radio range can capture its command-and-control signals and later replay them to trigger the corresponding function on the associated device.
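To show why the missing rotating-key protection matters, here is an added simulation (not code from Fortress or Rapid7) of two receivers: a fixed-code receiver, whose frame is identical on every button press and is therefore accepted again when replayed, and a rolling-code receiver that binds each frame to a monotonically increasing counter under a shared HMAC key and rejects any frame whose counter has already been consumed. The device ID, key, frames and acceptance window are all constructed for the example.

```python
"""Added example (not from the Fortress product or the Rapid7 disclosure):
a fixed-code RF receiver accepts a captured frame again, while a rolling-code
receiver rejects the replay. Keys, IDs and frames are constructed."""
import hashlib
import hmac

KEY = b"constructed-shared-key"   # constructed: provisioned into fob and panel
WINDOW = 16                        # counters accepted ahead of the last one seen


def fixed_code_frame(device_id: str, command: str) -> bytes:
    """Naive fob: the over-the-air frame is the same bytes on every press."""
    return f"{device_id}:{command}".encode()


class FixedCodeReceiver:
    def __init__(self, device_id: str):
        self.device_id = device_id

    def accept(self, frame: bytes) -> bool:
        dev, _, _cmd = frame.decode().partition(":")
        return dev == self.device_id      # nothing distinguishes a replay


def rolling_code_frame(device_id: str, command: str, counter: int, key: bytes = KEY) -> bytes:
    """Rolling-code fob: frame carries a counter and an HMAC over id/command/counter."""
    body = f"{device_id}:{command}:{counter}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8].hex()
    return body + b":" + tag.encode()


class RollingCodeReceiver:
    def __init__(self, device_id: str, key: bytes = KEY):
        self.device_id = device_id
        self.key = key
        self.last_counter = -1            # highest counter consumed so far

    def accept(self, frame: bytes) -> bool:
        try:
            dev, cmd, ctr_text, tag = frame.decode().split(":")
            ctr = int(ctr_text)
        except ValueError:
            return False                  # malformed frame
        if dev != self.device_id:
            return False
        body = f"{dev}:{cmd}:{ctr}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8].hex()
        if not hmac.compare_digest(expected, tag):
            return False                  # forged or tampered frame
        if not (self.last_counter < ctr <= self.last_counter + WINDOW):
            return False                  # replayed (or far out of window)
        self.last_counter = ctr
        return True


def replay_demo() -> dict:
    """Capture one legitimate DISARM frame and present it twice to each receiver."""
    fixed = FixedCodeReceiver("fob-01")
    rolling = RollingCodeReceiver("fob-01")
    captured_fixed = fixed_code_frame("fob-01", "DISARM")
    captured_rolling = rolling_code_frame("fob-01", "DISARM", counter=1)
    return {
        "fixed_first": fixed.accept(captured_fixed),
        "fixed_replay": fixed.accept(captured_fixed),        # accepted again
        "rolling_first": rolling.accept(captured_rolling),
        "rolling_replay": rolling.accept(captured_rolling),  # counter already used
        "rolling_next": rolling.accept(rolling_code_frame("fob-01", "DISARM", 2)),
        "rolling_forged": rolling.accept(
            rolling_code_frame("fob-01", "DISARM", 3, key=b"wrong-key")),
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The acceptance window exists because a fob can be pressed out of the panel's range, advancing its counter without the panel seeing it; the panel tolerates a bounded gap but never a counter it has already consumed, which is exactly the property a replayed capture violates.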
Impact of These Security Flaws
With a Fortress S03 user's email address, a threat actor exploiting CVE-2021-39276 can disarm the installed home alarm without the user's knowledge.
CVE-2021-39277 presents the same kind of problem but requires less prior knowledge of the victim: the threat actor can simply stake out the property and wait for the victim to use the RF-controlled devices within radio range.
For CVE-2021-39276, users could configure their alarm systems with a unique, one-time email address. Many email systems also support "plus tagging" of an email address.
The user could register "[email protected]" and treat that plus-tagged email address as a stand-in for a password.
For CVE-2021-39277, there is not much users can do to mitigate the vulnerability themselves; they should avoid using key fobs and other RF devices linked to their home security systems.