Pierluigi Paganini August 31, 2021

Rapid7 researchers discovered two flaws that can be exploited by attackers to remotely disable one of the home security systems offered by Fortress Security Store.

Researchers at cybersecurity firm Rapid7 discovered two vulnerabilities that can be exploited by hackers to remotely disarm the Fortress S03 WiFi Security System manufactured by Fortress Security Store.

The Fortress S03 Wi-Fi Home Security System allows users to build their own alarm system to secure their homes and small businesses. It supports security cameras, window and door sensors, glass break sensors, vibration and motion sensors, and smoke/gas/water alarms.

The company provides its systems to thousands of clients and continued customers.

The flaws, tracked as CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7), can be abused by a threat actor to gain unauthorized access to the system.

Both issues were reported by cybersecurity firm Rapid7 in May 2021.

“Rapid7 researcher Arvind Vishwakarma discovered multiple vulnerabilities in the Fortress S03 WiFi Home Security System. These vulnerabilities could result in unauthorized access to control or modify system behavior, and access to unencrypted information in storage or in transit.” reads the post published by Rapid7.

The CVE-2021-39276 flaw is an insecure cloud API deployment, while the CVE-2021-39277 issue can allow anyone within Radio Frequency (RF) signal range to capture and replay RF signals to alter systems behavior.

“CVE-2021-39276 describes an instance of CWE-287; specifically, it describes an insecure cloud API deployment which allows unauthenticated users to trivially learn a secret that can then be used to alter the system’s functionality remotely.” continues the post. “It has an initial CVSS score of 5.3 (medium). CVE-2021-39277 describes an instance of CWE-294, a vulnerability where anyone within Radio Frequency (RF) signal range could capture and replay RF signals to alter systems behavior, and has an initial CVSS score of 5.7.”

An attacker could exploit the CVE-2021-39276 by knowing the targeted user’s email address and use it to query the API and obtain the IMEI number associated with the security system. Once the attacker has obtained the IMEI, he can send unauthenticated POST requests to change the behavior the system, including disarming it.

The CVE-2021-39277 flaw can be exploited to launch a radio frequency (RF) signal replay attack because communications between different components of the home security system are not properly protected.

An attacker in the radio range of the target can capture command-and-control signals over the air, such as a command to disarm the system, and then replay them at a later time.

Below the Disclosure Timeline for the two flaws:

• May, 2021: Issues discovered by Arvind Vishwakarma of Rapid7
• Thu, May 13, 2021: Initial contact to Fortress support email
• Thu, May 13, 2021: Ticket #200781 created
• Mon, May 24, 2021: Ticket #200781 closed by Fortress
• Wed, Aug 18, 2021: Rapid7 created a follow up ticket, #203001, with vulnerability details and a reiteration of intent to publish
• Tue, Aug 31, 2021: Published disclosure

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Fortress)

[adrotate banner=”5″]

[adrotate banner=”13″]