The Fortress S03 Wi-Fi Home Security System is affected by several security issues that could allow unauthorized users to gain access to and alter the system. Attackers could also disarm devices without the user’s knowledge and potentially gain access to the house.
Two unpatched issues – CVE-2021-39276 (CVSS score: 5.3) and CVE-2021-39277 (CVSS score: 5.7) – were discovered and reported by Rapid7. The maker had a 60-day deadline to fix them.
Fortress S03 is a home security system that uses Wi-Fi and RFID technology to protect property from unauthorized access, gas leaks, water leaks, and fires. The security and surveillance systems are used by “thousands of clients and continued customers,” according to its site.
The researchers noted that an attacker could easily exploit CVE-2021-39276 to gain access to the device’s API and, as a consequence, its IMEI number, although the attack requires the victim’s email address. The attacker could then modify the alarm system or disable it by sending an unauthenticated POST request.
“For CVE-2021-39276, an attacker with the knowledge of a Fortress S03 user’s email address can easily disarm the installed home alarm without that user’s knowledge,” the researchers said in a report.
CVE-2021-39277 relates to an RF signal replay attack that takes advantage of a lack of encryption on the radio frequency signal. It allows an attacker to capture the radio frequency command-and-control communications and play them back to perform functions, such as “arm” and “disarm” operations, on the target device.
“CVE-2021-39277 presents similar problems, but requires less prior knowledge of the victim, as the attacker can simply stake out the property and wait for the victim to use the RF-controlled devices within radio range. The attacker can then replay the ‘disarm’ command later, without the victim’s knowledge.”
Rapid7 notified Fortress Security of the bugs on May 13, 2021. The company closed the report 11 days later, and it is uncertain when or whether it will patch the bugs.
To avoid being affected by the issue, users should set up their devices with a one-time email address, which will prevent abuse of the email address by attackers.
“For CVE-2021-39277, there seems to be very little a user can do to mitigate the effects of the RF replay issues absent a firmware update to enforce cryptographic controls on RF signals. Users concerned about this exposure should avoid using the key fobs and other RF devices linked to their home security systems,” the researchers advised.
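The kind of cryptographic control the researchers refer to can be sketched as a receiver that accepts an RF command only if it carries a valid MAC and a counter higher than any it has already seen. This is an added example, not code from Rapid7 or Fortress; the frame layout, tag length, key, device ID and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8   # truncated HMAC-SHA256 tag (assumed size)
HDR_LEN = 9   # device id (4 bytes) + counter (4 bytes) + command length (1 byte)

def make_frame(key: bytes, device_id: int, counter: int, command: bytes) -> bytes:
    """Fob side: header and command, followed by a MAC over both."""
    body = struct.pack(">IIB", device_id, counter, len(command)) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Panel side: verifies the MAC, then enforces a strictly increasing counter."""
    def __init__(self, keys: dict):
        self.keys = keys          # device id -> shared key (hypothetical pairing store)
        self.last_counter = {}    # device id -> highest counter accepted so far

    def accept(self, frame: bytes):
        if len(frame) < HDR_LEN + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, counter, cmd_len = struct.unpack(">IIB", body[:HDR_LEN])
        command = body[HDR_LEN:]
        key = self.keys.get(device_id)
        if key is None or len(command) != cmd_len:
            return None
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None           # forged or modified frame
        if counter <= self.last_counter.get(device_id, -1):
            return None           # replay of a previously accepted frame
        self.last_counter[device_id] = counter
        return command

def static_accept(frame: bytes, known_codes: dict):
    """Contrast case: a fixed code with no MAC or counter is valid every time it is received."""
    return known_codes.get(frame)

def demo() -> dict:
    key = b"constructed-demo-key-0123456789a"   # constructed sample key
    rx = Receiver({0x1001: key})
    disarm = make_frame(key, 0x1001, 1, b"DISARM")
    return {
        "first": rx.accept(disarm),                                   # accepted
        "replayed": rx.accept(disarm),                                # rejected
        "next": rx.accept(make_frame(key, 0x1001, 2, b"ARM")),        # accepted
        "static_twice": [static_accept(b"\xa5\x5a", {b"\xa5\x5a": b"DISARM"})
                         for _ in range(2)],
    }

if __name__ == "__main__":
    print(demo())
```

A deployed receiver would also need to persist the counter across power loss and tolerate button presses made out of radio range.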