US government says security flaw in Chirp Systems’ app lets anyone remotely control smart home locks

A vulnerability in a smart access control system used in thousands of U.S. rental homes allows anyone to remotely control any lock in an affected home. But Chirp Systems, the company that makes the system, has ignored requests to fix the flaw.

U.S. cybersecurity agency CISA went public with a security advisory last week saying that the phone apps developed by Chirp, which residents use in place of a key to access their homes, “improperly stores” hardcoded credentials that can be used to remotely control any Chirp-compatible smart lock.

Apps that rely on passwords stored in its source code, known as hardcoding credentials, are a security risk because anyone can extract and use those credentials to perform actions that impersonate the app. In this case, the credentials allowed anyone to remotely lock or unlock a Chirp-connected door lock over the internet.

In its advisory, CISA said that successful exploitation of the flaw “could allow an attacker to take control and gain unrestricted physical access” to smart locks connected to a Chirp smart home system. The cybersecurity agency gave the vulnerability severity score of 9.1 out of a maximum of 10 for its “low attack complexity” and for its ability to be remotely exploited.

The cybersecurity agency said Chirp Systems has not responded to either CISA or the researcher who found the vulnerability.

Security researcher Matt Brown told veteran security journalist Brian Krebs that he notified Chirp of the security issue in March 2021 but that the vulnerability remains unfixed.

Chirp Systems is one of a growing number of companies in the property tech space that provide keyless access controls that integrate with smart home technologies to rental giants. Rental companies are increasingly forcing renters to allow the installation of smart home equipment as dictated by their leases, but it’s murky at best who takes responsibility or ownership when security problems arise.

Real estate and rental giant Camden Property Trust signed a deal in 2020 to roll out Chirp-connected smart locks to more than 50,000 units across over a hundred properties. It’s unclear if affected properties like Camden are aware of the vulnerability or have taken action. Kim Callahan, a spokesperson for Camden, did not respond to a request for comment.

Chirp was bought by property management software giant RealPage in 2020, and RealPage was acquired by private equity giant Thoma Bravo later that year in a $10.2 billion deal. RealPage is facing several legal challenges over allegations its rent-setting software uses secret and proprietary algorithms to help landlords raise the highest possible rents on tenants.

Neither RealPage nor Thoma Bravo have yet to acknowledge the vulnerabilities in the software it acquired, nor say if they plan on notifying affected residents of the security risk.

Jennifer Bowcock, a spokesperson for RealPage, did not respond to requests for comment from TechCrunch. Megan Frank, a spokesperson for Thoma Bravo, also did not respond to requests for comment.