A major security flaw in a smart access control system used in thousands of U.S. rental homes has been exposed, allowing anyone to remotely control any lock in an affected home. The system, developed by Chirp Systems, has been found to store hardcoded credentials that can be exploited to manipulate smart locks.
The U.S. cybersecurity agency CISA issued a security advisory last week, warning that the vulnerability in the Chirp phone apps could allow attackers to gain unrestricted physical access to homes with Chirp-compatible smart locks. The severity of the flaw was rated 9.1 out of 10 for its low attack complexity and remote exploitability.
Despite being notified of the security issue by researcher Matt Brown in March 2021, Chirp Systems has failed to address the vulnerability. This raises concerns as the company’s technology is being widely adopted by rental giants like Camden Property Trust, which has integrated Chirp-connected smart locks into over 50,000 units.
The situation is further complicated by the acquisition of Chirp Systems by RealPage, a property management software giant, which was later acquired by private equity firm Thoma Bravo. Both companies have yet to acknowledge the security risk or indicate whether affected residents will be notified.
As the debate over responsibility for security vulnerabilities in smart home technologies continues, affected residents and rental companies are left in the dark about the potential risks they face. With no response from Chirp Systems, RealPage, or Thoma Bravo, the security of thousands of rental homes remains uncertain.