Posted by Alumni from TechCrunch
April 22, 2024
A vulnerability in a smart access control system used in thousands of U.S. rental homes allows anyone to remotely control any lock in an affected home. But Chirp Systems, the company that makes the system, has ignored requests to fix the flaw. U.S. cybersecurity agency CISA went public with a security advisory last week saying that the phone apps developed by Chirp, which residents use in place of a key to access their homes, 'improperly stores' hardcoded credentials that can be used to remotely control any Chirp-compatible smart lock. Apps that rely on passwords stored in their source code, a practice known as hardcoding credentials, are a security risk because anyone can extract and use those credentials to perform actions that impersonate the app. In this case, the credentials allowed anyone to remotely lock or unlock a Chirp-connected door lock over the internet. In its advisory, CISA said that successful exploitation of the flaw 'could allow an attacker to take control and gain unrestricted...