A critical security flaw has been uncovered in a widely used smart access control system deployed in numerous rental properties across the United States. Despite alerts from cybersecurity experts and the U.S. agency CISA, the company behind the system, Chirp Systems, has yet to address the issue.
Hardcoding credentials within app source code is a well-known security vulnerability, allowing malicious actors to extract and exploit them for unauthorized access. Given the severity of the issue, CISA assigned it a high severity score of 9.1 out of 10 due to its low attack complexity and potential for remote exploitation.
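The advisory's core finding is the pattern described above: a credential committed as a string literal in app source, where anyone who can decompile the app can read it. The scanner below is an added example, not code from the article or from Chirp Systems, and the Java-style source it scans is a constructed sample, not the Chirp app. It shows the kind of pre-release check a development team can run over its own codebase to catch secrets assigned to sensitively named variables, while leaving runtime lookups (environment variables, a keystore) alone.

```python
"""Flag hardcoded credentials in source text (added example; sample input is constructed)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample resembling decompiled mobile-app source. Hypothetical values only.
SAMPLE_SOURCE = """\
public class ApiClient {
    private static final String BASE_URL = "https://api.example.invalid/v1";
    private static final String API_KEY = "AKIAEXAMPLEKEY0000001234";
    private static final String password = "hunter2";
    private static final int TIMEOUT_MS = 5000;
    String token = System.getenv("API_TOKEN");
}
"""

# A string literal of 6+ chars assigned to a name containing a credential-like word.
ASSIGNMENT_RE = re.compile(
    r'(?i)\b(\w*(?:key|secret|token|password|passwd|pwd)\w*)\s*=\s*"([^"]{6,})"'
)


@dataclass
class Finding:
    line_no: int
    name: str
    masked: str      # value with all but a short prefix redacted, safe to log
    entropy: float   # Shannon entropy in bits per character, as supporting context


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; higher values suggest random-looking keys."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str, keep: int = 4) -> str:
    """Redact a secret for reporting: keep a short prefix, star out the rest."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per string literal assigned to a credential-like name.

    Assignments that read the value at runtime (e.g. System.getenv) carry no
    string literal on the right-hand side and are therefore not flagged.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            findings.append(Finding(line_no, name, mask(value), shannon_entropy(value)))
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings as one line each, never echoing the full secret."""
    return "\n".join(
        f"line {f.line_no}: {f.name} = {f.masked} (entropy {f.entropy:.2f} bits/char)"
        for f in findings
    )


if __name__ == "__main__":
    print(report(scan_source(SAMPLE_SOURCE)))
```

In the constructed sample, the API key and the password literal on lines 3 and 4 are flagged; the URL is skipped because its name is not credential-like, and the `System.getenv` lookup is skipped because there is no literal to extract. The remediation the pattern points to is the one the getenv line illustrates: the app should obtain a per-user or per-device credential at runtime rather than ship a shared one inside the binary.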
CISA recently issued a public security advisory, revealing that Chirp’s phone apps, utilized by residents for keyless entry to their homes, contain hardcoded credentials that pose a significant risk. This flaw enables unauthorized individuals to remotely manipulate any Chirp-compatible smart lock, potentially granting unrestricted physical access to affected properties.
Despite notifications from both CISA and independent security researcher Matt Brown, Chirp Systems has yet to respond or address the vulnerability, which was initially reported in March 2021.
Following the publication of CISA’s advisory, Chirp issued a statement denying the claims but later acknowledged that they are working on a patch to resolve the identified issues.
Chirp Systems operates in the property tech sector, providing keyless access solutions integrated with smart home technologies to rental companies. However, responsibility for addressing security concerns remains ambiguous, particularly where rental agreements mandate the installation of such systems.
Chirp Systems was acquired by RealPage, a property management software giant, in 2020; RealPage was subsequently acquired by private equity firm Thoma Bravo. Despite these corporate changes, neither RealPage nor Thoma Bravo has publicly acknowledged the security vulnerabilities or outlined plans to notify affected residents.