If You Use the Fortress S03 Security System, Replace It Immediately

Your home should always be a soothing and attractive place for you and your loved ones, but it should also be the place where you feel most secure. Fortunately, over the last decade, new technology has made it easier than ever to protect it with easily installed cameras, smart locks and monitors that even let you watch your property from a distance. But if you happen to have one popular home security system, two recently discovered vulnerabilities could put you at risk. Read on to see which product you may want to replace for safety reasons.

If your home is equipped with the Fortress S03 security system, you may be inadvertently endangering your safety. According to cybersecurity company Rapid7, a pair of major vulnerabilities allow potential intruders to deactivate the system using relatively simple tactics.

The company says it first discovered the security vulnerabilities three months ago and contacted Fortress about the potential risks, TechCrunch reports. Rapid7 publicly released information about the vulnerabilities after Fortress did not respond to its messages; the only acknowledgment it saw was the support ticket being closed without comment.

According to Rapid7, the Fortress S03 system relies on a Wi-Fi connection to support its motion sensors, cameras and sirens and to let customers check on their homes from a mobile app. It also uses a radio-controlled key fob to turn the system on and off as the owner enters or leaves the property.

However, the cybersecurity company found that the system relies on an unauthenticated API, which makes it possible for hackers or criminals to gain access to the unique IMEI (International Mobile Equipment Identity) numbers of specific devices simply by knowing the email address associated with the account. This allows them to activate or deactivate the system remotely, TechCrunch reports.

But a potential intruder may not even need to know your personal email address to gain access to your home. Rapid7 said it also found that the system's key fobs use unencrypted radio signals to activate and deactivate it, making it relatively easy for someone to pick up the unencrypted signals and play them back to turn off the system.

While the process of eavesdropping on radio frequencies may sound high-tech, one expert warns that it can be done relatively easily with the right know-how. “The attacker must be reasonably familiar with SDR in order to capture and reproduce the signals and be within a reasonable range,” Tod Beardsley, director of research at Rapid7, told Threatpost. “What this range is will depend on the sensitivity of the equipment used, but usually this type of eavesdropping requires visibility and fairly close proximity – across the street.”
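To show why a fixed, unencrypted fob signal can be played back while an authenticated rolling code cannot, here is an added example that is not from Rapid7, Fortress or the original article. The frame layout, key, fob ID and class names are all assumptions made for illustration and do not describe the S03's actual radio protocol.

```python
import hashlib
import hmac
import struct

FOB_ID = b"\x00\x00\x12\x34"        # constructed fob identifier
DISARM = b"\x02"                    # constructed command byte
KEY = b"constructed-shared-secret"  # assumed to be provisioned at pairing


class FixedCodeReceiver:
    """Weak design: the same bytes are valid every time they are heard."""

    def accept(self, frame: bytes) -> bool:
        return frame == FOB_ID + DISARM


class RollingCodeReceiver:
    """Hardened design: frame = id(4) + cmd(1) + counter(4) + mac(8)."""

    def __init__(self, key: bytes, window: int = 16):
        self.key, self.window, self.last = key, window, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 17:
            return False
        body, tag = frame[:9], frame[9:]
        counter = struct.unpack(">I", body[5:9])[0]
        # MAC truncated to 8 bytes to keep the constructed frame short.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if body[:4] != FOB_ID or not hmac.compare_digest(tag, expected):
            return False            # unknown fob or forged/tampered frame
        if not (self.last < counter <= self.last + self.window):
            return False            # stale counter: a played-back frame
        self.last = counter         # each counter value is accepted once
        return True


def fob_frame(key: bytes, cmd: bytes, counter: int) -> bytes:
    """What a paired fob would transmit for one button press."""
    body = FOB_ID + cmd + struct.pack(">I", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


def demo() -> dict:
    fixed, rolling = FixedCodeReceiver(), RollingCodeReceiver(KEY)
    static, fresh = FOB_ID + DISARM, fob_frame(KEY, DISARM, 1)
    return {
        "fixed_first": fixed.accept(static),
        "fixed_replay": fixed.accept(static),     # same bytes work again
        "rolling_first": rolling.accept(fresh),
        "rolling_replay": rolling.accept(fresh),  # same bytes are rejected
        "rolling_next": rolling.accept(fob_frame(KEY, DISARM, 2)),
    }
```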

Ultimately, experts say it is unlikely that a random intruder will be able to take advantage of the vulnerabilities in the system. “The likelihood of exploiting these problems is quite low,” Beardsley told Threatpost. “Ultimately, an opportunistic domestic invader is unlikely to be a cybersecurity expert. However, I am concerned about a scenario in which the attacker already knows the victim well, or at least well enough to know her email address, which is all it takes to disable these devices from the Internet.”

Beardsley acknowledges that “very little” can be done about the easy-to-use fobs, except to avoid using Fortress-related products. But there is still a way to keep someone from using your email address to access your system. “We suggest you register the device with a secret, one-time email address that can act as something like a weak password,” Beardsley told Threatpost. “In the absence of a vendor authentication update, I feel this is a good solution.”
