Bad news: Popular home security system can be disarmed remotely


Keeping your family safe is the most important thing you can do. There are several options available to help, with the smartest being a home security system. Some systems have Wi-Fi-enabled cameras so that you can see what is going on, even when you’re not home.

But a security system is of no use if strangers can remotely turn it off. Unfortunately, that is what’s happening with a popular home security system.

Security researchers recently found a flaw in its Wi-Fi-connected cameras and managed to disable them without much effort. Keep reading for details on how this happened and a better home security solution.

Here’s the backstory

Rapid7 researcher Arvind Vishwakarma found several critical security flaws in the Fortress S03 Wi-Fi Home Security System, which could have devastating consequences for customers.

He found that the system could be controlled or modified through unauthorized access. With a little know-how, attackers would also be able to view unencrypted information stored in the system.

The S03 Wi-Fi Home Security System is described as a DIY option that is primarily used to track movement inside a house and monitor the opening of windows and doors. It uses Wi-Fi and radio frequency (RF) communications to set up and operate.

Vishwakarma found that anybody within the RF signal range could “capture and replay RF signals to alter the system’s behavior.” Access to the system is granted through an unsecured cloud API deployment setup.

To disarm the security system, a key fob or remote button is used. When an attacker captures the RF signal from the key fob or remote, they can replay that signal later to control the system. This is possible with cameras and sensors where the encryption or rotating key protection hasn’t been set up properly.
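The difference between a fixed fob code and a rotating one, as an added example that is not part of the original article and is not code from Fortress or Rapid7. The frame layout (counter, command, truncated HMAC-SHA256 tag), the key, the window size and all names are assumptions made for illustration; they do not describe the S03's actual RF protocol.

```python
import hmac, hashlib, struct

# Constructed values for illustration; not taken from any real device.
FOB_KEY = b"constructed-demo-key-0123456789ab"
STATIC_DISARM = b"\xa5\x5a\x01"   # fixed code, identical on every press
WINDOW = 16                        # how far ahead the counter may jump

def fob_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Frame a rolling-code fob would transmit: counter | command | MAC tag."""
    body = struct.pack(">I", counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag

class StaticReceiver:
    """Accepts any frame equal to the fixed code, so a recording works forever."""
    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, STATIC_DISARM)

class RollingReceiver:
    """Accepts a frame only if its MAC verifies and its counter is fresh."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 13:                   # 4 counter + >=1 command + 8 tag
            return False
        body, tag = frame[:-8], frame[-8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted frame
        counter = struct.unpack(">I", body[:4])[0]
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False                      # already seen, or too far ahead
        self.last_counter = counter
        return True

def demo() -> dict:
    static, rolling = StaticReceiver(), RollingReceiver(FOB_KEY)
    press = fob_frame(FOB_KEY, 1, b"DISARM")
    return {
        "static_first": static.accept(STATIC_DISARM),
        "static_replay": static.accept(STATIC_DISARM),    # same bytes work again
        "rolling_first": rolling.accept(press),
        "rolling_replay": rolling.accept(press),          # stale counter rejected
        "rolling_next": rolling.accept(fob_frame(FOB_KEY, 2, b"DISARM")),
    }

if __name__ == "__main__":
    print(demo())
```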

What you can do about it

Rapid7 tried for three months to get a response from Fortress. Giving a vendor this kind of window before alerting the public and making findings known is what researchers and analysts call responsible disclosure.

Because Fortress hasn’t responded, Rapid7 felt obligated to release the report. As of the time of writing, the flaw is still active in the S03 Wi-Fi Home Security System, and Fortress hasn’t said when it will be patched.

Since the flaw is not patched, you should avoid using key fobs and other RF devices linked to Fortress home security systems. Until Fortress releases a “firmware update to enforce cryptographic controls on RF signals,” there is “very little a user can do to mitigate the effects,” Rapid7 explained.

Your best bet is to use a home security system that you can trust. We recommend our sponsor, SimpliSafe.

