Pwned! The home security system that can be hacked with your email address – Naked Security

A researcher at the vulnerability and red-team company Rapid7 recently discovered a pair of risky security bugs in a digital home security product.

The first bug, reported in May 2021 and called CVE-2021-39276, means that an attacker who knows the email address against which you registered your product can effectively use it as a password to issue commands to the system, including turning the whole alarm off.

The affected product comes from the company Fortress security shop, which sells two branded home security setups: the entry-level S03 Wifi security system, which starts at $130, and the more expensive S6 Titan 3G/4G WiFi security system, starting at $250.

The fearless researcher, Arvind Vishwakarma, acquired the S03 launch system, which includes a control panel, remote controls, a door or window sensor, a motion detector and an internal siren.

(The company also sells additional remote controls and sensors, external sirens that are presumably louder, and motion-protected motion detectors that we assume are less sensitive than usual.)

Unfortunately, it didn’t take much for Vishwakarma to compromise the system and figure out how to control it without permission, both locally and remotely.