Your home should always be a soothing and attractive place for you and your loved ones, but it should also be the place where you feel most secure. Fortunately, over the last decade, new technology has made it easier than ever to protect it with easily installed cameras, smart locks and monitors that even let you watch your property from a distance. But if you happen to have one popular home security system, two recently discovered vulnerabilities could put you at risk. Read on to see which product you may want to replace for safety reasons.
The Fortress S03 security system has two main vulnerabilities that could put you at risk.
If your home is equipped with the Fortress S03 security system, you may be inadvertently endangering your safety. According to cybersecurity company Rapid7, a pair of major vulnerabilities allow potential intruders to deactivate the system using relatively simple tactics.
The company says it first discovered the security vulnerabilities three months ago and contacted Fortress about the potential risks, TechCrunch reports. Rapid7 publicly released information about the vulnerabilities after Fortress did not respond to its messages; the only acknowledgment it saw was the support ticket being closed without comment.
Cybersecurity experts say the security system can be deactivated using the owner’s email address.
According to Rapid7, the Fortress S03 system relies on a Wi-Fi connection to support its motion sensors, cameras and sirens and to let customers check on their homes from a mobile app. It also uses a radio-controlled key fob to turn the system on and off when the owner enters or leaves the property.
However, the cybersecurity company found that the system relies on an unauthenticated API, which makes it possible for hackers or criminals to obtain the unique IMEI (International Mobile Equipment Identity) numbers of specific devices simply by knowing the email address associated with the account. This allows them to activate or deactivate the system remotely, TechCrunch reports.
A vulnerability in the key fobs can also be used to easily disarm the system.
But a potential intruder may not even need to know your personal email address to get into your home. Rapid7 said it also found that the system's key fobs use unencrypted radio signals to activate and deactivate it, making it relatively easy for someone to capture those signals and play them back to turn off the system.
While the process of eavesdropping on radio signals may sound sophisticated, one expert warns that it can be done relatively easily with the right know-how. “The attacker must be reasonably familiar with SDR in order to capture and reproduce signals and be within a reasonable range,” Tod Beardsley, director of research at Rapid7, told Threatpost. “What this range is will depend on the sensitivity of the equipment used, but usually this type of eavesdropping requires visibility and fairly close proximity – across the street.”
Using a specific email address may prevent someone from accessing your devices.
Ultimately, experts say it is unlikely that a casual intruder will be able to take advantage of the vulnerabilities in the system. “The likelihood of exploiting these problems is quite low,” Beardsley told Threatpost. “Ultimately, an opportunistic domestic invader is unlikely to be a cybersecurity expert. However, I am concerned about a scenario in which the attacker already knows the victim well, or at least well enough to know her email address, which is all it takes to disable these devices from the Internet.”
Beardsley acknowledges that “very little” can be done about the key fob vulnerability, other than avoiding Fortress-related products. But there is still a way to keep someone from disabling your system using your email address. “We suggest you register the device with a secret, one-time email address that can act as something like a weak password,” Beardsley told Threatpost. “In the absence of a vendor authentication update, I feel this is a good solution.”