CISA in a flap as Chirp smart door locks can be trivially unlocked remotely

Some smart locks controlled by Chirp Systems' software can be remotely unlocked by strangers thanks to a critical security vulnerability. This remote exploitation is possible due to passwords and private keys being hard-coded in Chirp's Android app. Anyone who knows or finds these credentials can use them with an API …

  1. elDog

    Since most of this content seems very similar to Krebs On Security

    I wanted to make sure that your readers can see his posting.

    https://krebsonsecurity.com/2024/04/crickets-from-chirp-systems-in-smart-lock-key-leak/

    Attribution is always welcome.

  2. Stoic Skeptic

    With 50,000 potential clients each with a product liability claim, one would think that the lawyers would be dripping off this.

    1. abend0c4 Silver badge

      Given the description of the app developer's primary business (a developer of multifamily property management and data analytics software) you have to wonder whether security is the primary motivation.

      Is it usual in America for your landlord to own your door lock? Not a tenancy condition I'd accept.

      1. jmch Silver badge

        I would expect the scenario for this is maybe the lock on an outer door of a multi-property building rather than the door to each individual apartment. I certainly wouldn't want to rent a building where the landlord can remote-operate the lock (although to be fair, landlords usually anyway have a spare key for their properties and tenants have clauses in their contracts prohibiting landlords from barging in uninvited - such contract clause would be binding whether the lock is electronic or physical)

        1. Anonymous Coward

          as a former landlord, yes on the extra key, yes never enter without tenant permission or police escort (shit happens).

          After 15 years and a few bad tenants - two domestic violence, one super filthy/disgusting, - eff that crap, sold it.

          Locks always changed for new tenants, most were good people.

          1. J. Cook Silver badge
            Boffin

            Plus one, at least in Arizona, where the tenant laws are pretty well spelled out- landlords can't just come in whenever they want, unless there are specific reasons (danger of property damage or to life and limb, etc.)

            I changed out the locks at the house I was renting when the roommate moved out, with the landlord's provision of "send them a copy of the key".

            And the first thing I did when I took ownership of my house was a wholesale replacement of all the locks and knobs from whatever mashup of vendors to a single vendor.

            If I owned or managed a multi-tenant property, the locks would have a mastering system in them (i.e., a master key and separate keys for each unit.), which is perfectly normal in the US for commercial properties.

    2. Pascal Monett Silver badge

      I'm guessing that that number is going to go down.

  3. spireite

    3 years?

    Obviously not in a thrush to fix it, which begs the question.....

    Wren are they going to do it.

    Now this is publicly known, there must be plenty of robin going on!

    I assume they won't be parroting about how safe your property is now.

    1. KittenHuffer Silver badge
      Linux

      Re: 3 years?

      I think I'd have to flip them the bird, and change my locks!

      ------------> Only bird option!

  4. Neil Barnes Silver badge
    Terminator

    You're still using electronic locks?

    How quaint.

    I have an android guard who stands outside the door, vets visitors, and bounces those it doesn't like back down the drive.

    I had to build a little hutch for it to stay when it rains, but it does impress the neighbours.

    1. Phil O'Sophical Silver badge
      Coat

      Re: You're still using electronic locks?

      Sounds like you may have a potential weather-related vulnerability there.

      1. Neil Barnes Silver badge

        Re: You're still using electronic locks?

        As long as it keeps moving, it doesn't rust.

      2. Jellied Eel Silver badge

        Re: You're still using electronic locks?

        Sounds like you may have a potential weather-related vulnerability there.

        I want one of the robo-hounds from Snowcrash. Rain would help keep cool. C'mon Boston Dynamics, get on it faster!

        1. I ain't Spartacus Gold badge

          Re: You're still using electronic locks?

          I want one of the robo-hounds from Snowcrash.

          Also the first thing I thought of. Though wasn't there something similar in Stainless Steel Rat as well?

          Thinks: Not read that since the 80s. Wonder if I'd still enjoy it if I found a copy?

          1. Jellied Eel Silver badge

            Re: You're still using electronic locks?

            Also the first thing I thought of. Though wasn't there something similar in Stainless Steel Rat as well?

            Not sure, but I did remember the dog-things in Snowcrash were called rat-things..Still dog-like and perfect for guarding.

            Thinks: Not read that since the 80s. Wonder if I'd still enjoy it if I found a copy?

            Well.. noticed I do have an omnibus/trilogy on my shelf, have nearly finished the current book I'm reading and may give that a go. Not read it in years

  5. Anonymous Coward

    LockPickingLawyer

    Just check out his channel on Youtube. Then you'll realise no locks are really that secure. (But the electronic ones do seem to get rinsed regularly.)

    1. MonkeyJuice Bronze badge

      Re: LockPickingLawyer

      The fun is that it takes considerable dedication and time to learn how to pick locks effectively, but any idiot can push the exploit button.

      1. Evil Scot Silver badge
        Facepalm

        Re: LockPickingLawyer

        I see so many "smart locks" that fall foul of percussive glazing bypass.

      2. Anonymous Coward

        Re: LockPickingLawyer

        ...or "strong magnet" as the LPL calls them.

    2. Anonymous Coward

      Plenty of strong locks

      Not many of the big companies making them though, and not a ton of customers yet. Too much of the market is dictated by commercial players, and there has been too much consolidation of the manufacturers.

      But LPL has covered plenty of the ones that are both strong and a bastard to pick, like some of the old detector locks, and some of the new oddballs. Just don't expect to walk into HomeDespot and buy one for 20$. Then get a security door and reinforced frame, and don't forget the wall it's cut into and all of the windows, etc, etc.

      Not much point blowing cash on one good lock for a literal glass house. That's why Schlage and the others push so much crap. Just as well, most people are as likely to need to be rescued by EMS as burgled. Suck to die because your front door was too awesome.

      1. Michael Wojcik Silver badge

        Re: Plenty of strong locks

        Yes. There are use cases for good locks, and use cases for just enough to discourage the opportunists. As always, it's all about the threat model.

        My current home (Mountain Fastness 2.0) is unusual for me, in that it's the first one I couldn't easily break into (without doing serious damage) myself, if I were locked out for some reason. That's because it's a new build with decent windows and such. But if I wanted in badly enough, I could certainly break a window or door with nothing more than improvised tools.

        Though I wouldn't, because I know where the hide-a-key is, and if my car's there I can open the garage door. (My car is parked outside; the garage is for my wife's car.) And, of course, so can anyone else, if they think to try it.

        But in more than five decades, no one has ever burgled any home I've lived in. And it's particularly unlikely for MF2, where a stranger can't walk or drive down the (private, dead-end, gravel) road without becoming a subject of discussion among the neighbors. Burglary is not high on my priority list of risks.

  6. DS999 Silver badge

    I actually wouldn't worry all that much about this

    What are the odds a burglar would 1) know the brand of smart lock you have and 2) have the know how to exploit it? This is like being worried about Pegasus software p0wning your phone - unless you are specifically targeted (and there has to be a reason someone would target you) you have nothing at all to be worried about.

    I can pick the average home deadbolt in 30 seconds, and while there are more secure lock types out there (that people with more than my amateur level of competence could still attack) that gets you into 98% of houses. Who is going to bother with exploiting some weird off brand smart lock? The owner of that house isn't wealthy, and if they were they'd have a security system once you got past the lock so that's the least of your obstacles.

    1. Terje

      Re: I actually wouldn't worry all that much about this

      As to the questions you put.

      What are the odds a burglar would know the brand of a smart lock you have and have the know how to exploit it?

      Probably quite high if we look at the "professional burglar": it's a job skill and as such would probably quite fast make its round to those in that area of "business", especially if the owner has to manually update the lock's firmware, as that is unlikely to happen to a large number of them and is thus a long term viable option. If you are talking about your regular break-a-window kind, not very high, but then any kind of locked door will result in going through an easier route.

      The lock business seems to have a longstanding tradition of security through obscurity, putting their heads in the sand and ignoring known problems, so I'm not surprised at there being no answers and no patches from the company.

      1. Terry 6 Silver badge

        Re: I actually wouldn't worry all that much about this

        And if we consider how easily criminals can obtain kits to get inside car locks and nick the Pride and Joy it's likely that this knowledge will get shared pretty quickly- probably happening inside one of His Majesty's finishing schools as we speak.

    2. Anonymous Coward

      Re: I actually wouldn't worry all that much about this

      The most problematic scenario is not random burglar knowing a hack for the particular lock he stumbles on, which seems indeed unlikely, but the opposite: burglar buys from hacker both the hacking tool and a list of addresses where the lock is installed obtained from the operator.

      Like an "open door" app with a "find me a door near me that I can open" with maps integration. A companion feature would be to plot the location of the house dwellers from some other data leaks.

      1. Michael Wojcik Silver badge

        Re: I actually wouldn't worry all that much about this

        Particularly for multi-tenant buildings, which is where these locks are mostly used. Certainly if I were in the business of domestic burglary I'd have the Chirp backdoor in my pocket (literally), because why wouldn't you?

        And for the same reason I'm very dubious of the "no evidence it's been used" comment from CISA, which may be technically correct (if glossed as "no evidence they're aware of"). Where this would be used is in burglary of apartments, for the most part, and the management company would do its best to 1) blame the tenants and 2) hush it up. "Oh yes, you say things were taken from your unit, but how do we know it wasn't someone you gave access to?"

    3. Steve Graham

      Re: I actually wouldn't worry all that much about this

      What are the odds that car thieves would have the equipment to deceive your car's "keyless entry" system? It happened to a friend of mine a few weeks ago, and it wasn't high-tech hacker car thieves, just a couple of local yobbos. (They were arrested.)

      1. 42656e4d203239 Silver badge

        Re: I actually wouldn't worry all that much about this

        What are the odds that car thieves would have the equipment to deceive your car's "keyless entry" system?

        Pretty high. Saw a video of some muppet opening a range rover using one such device and, via an OBDCII device, starting it and driving away...

        Don't buy nice cars boys and girls - the bad uns will have them away if they want them.... but then that has always been the case (nice is obviously relative to the location of the vehicle...)

        1. Mr Humbug

          Re: I actually wouldn't worry all that much about this

          I think Range Rovers have a particular security problem. I was talking to the local PCSO about the kinds of crime in the area around our office a few weeks ago. She said they don't break in to houses, they steal Range Rovers through keyless entry. She said Range Rovers but then went on to say that it's theft of luxury cars.

        2. J. Cook Silver badge
          Go

          Re: I actually wouldn't worry all that much about this

          Don't buy nice cars boys and girls - the bad uns will have them away if they want them.... but then that has always been the case (nice is obviously relative to the location of the vehicle...)

          The cheap ones, too- Kia has a known issue with a few of their low end models where they decided to not put in something like chipped keys, and a number of people decided to put the exploit on social media. Kia's response was to offer people a steering wheel lock, which was not much better.

          If a thief wants something badly enough, they'll find a way to take it- locks keep honest people honest and slow down the pros.

        3. John Miles

          Re: I actually wouldn't worry all that much about this

          The sad fact is this has been going on for at least 12 years - back in 2012 it was BMWs going awol, if you got access to the inside of the car you could plug into the ODBC and program car to accept another key pretty quick. A particular weakness was for right hand drive vehicles where the alarm sensors didn't cover the area around the port or driver's window and putting a screwdriver in the lock and twisting it hard would wind the windows down - so easy access.

  7. Mike 137 Silver badge

    Oh no -not AGAIN!!!!

    "it's possible to use the credentials inside the Chirp Android app to effectively masquerade as the developer"

    So the dev hard coded their test credentials into the app and they were left in when it was passed for release. Two absolutely idiotic mistakes. If it's representative of the level of understanding of, and attention to, security in the dev community (and I fear it is) we're doomed, we're DOOMED.

    1. Mishak Silver badge

      Yep

      It's well beyond time that this sort of "error" resulted in prison time (behind a door secured with a different lock).

    2. Michael Wojcik Silver badge

      Re: Oh no -not AGAIN!!!!

      I think "test credentials" are generous. I'm more inclined to believe Chirp put these in as a deliberate backdoor so they could reset things for management companies that lost their password. Property management does not always attract the best and brightest, and a vendor like Chirp would like to appear "responsive" to requests for assistance.

      These "smart locks" are largely security theater; very few vendors show any evidence of actually being interested in security. They're interested in sales, and a customer complaining that they locked themselves out and the vendor couldn't quickly get them back in is bad for sales.

  8. JT_3K

    SURPRISE

    [JAZZ HANDS]

  9. Pascal Monett Silver badge
    Facepalm

    "application software to remotely control compatible locks"

    How is it that people looked at this possibility and thought : "now that's a great idea" ?

    I am not interested in remote-opening my front door. I want to open it when I get there, not before and certainly not after.

    And if I am renting something with this, I will tell the owner that I am replacing the lock. If he objects, I will look elsewhere.

    1. Jimmy2Cows Silver badge

      Re: "application software to remotely control compatible locks"

      I can sort of imagine some kind of remote support use case, where the owner has lost access. But then that person would have to prove they are the property owner, and how would Chirp be able to verify that? Another possibility could be law enforcement support. But they'll happily smash the door down rather than wait for it to be unlocked.

      So neither possibility is a good option.

      Or maybe a parent who is out, and needs to let their kid into the house. Maybe they lost or forgot their key, and don't have access to the Chirp app. Lost/stolen phone, dead phone, calling from a neighbour's house or something. This one is broadly more sensible and perhaps useful in niche cases.

      But realistically, this is most likely one of those product meetings where "no idea is a bad idea", someone tossed out remote unlocking, and marketing went "Hell yeah! That'll be cool!" without actually thinking it through.

    2. robinsonb5

      Re: "application software to remotely control compatible locks"

      A friend of mine has a porch with a regular lock on the internal front door but an electronic lock on the outer door. The electronic lock can be fingerprint operated (with varying degrees of success in varying weather conditions!) - but the killer feature for him is that he can give a one-time entry code to a courier, and have parcels left securely in the porch.

      1. usbac

        Re: "application software to remotely control compatible locks"

        Good luck with that.

        We installed a gate at the front fence that has a VOIP door phone and an electronic lock. All done with my own systems, no cloud connected BS.

        We did this mostly to deter door-to-door scammers sales people. We get tons of solar energy scammers these days for some reason. It also deters porch pirates, although that has never been an issue in our neighborhood.

        There is a clear sign on the gate that says "To unlock this gate, use the code from the shipping label, or press the CALL button". If they press the CALL button, it rings all of the phones in the house, and we can press a key to unlock the gate. They can enter the 4 digit code on the door phone keypad also.

        The results have been a mixed bag depending on the courier. So far the best has been Amazon's Prime delivery people. We set up the gate code in our account, and never a problem with them. With FedEx, once they got used to the setup, no problems either. UPS is still a problem. They just toss the package over the gate. This is a problem because the gate opens in, and when they leave heavy packages there, no one else can open the gate. Not sure what to do about that one.

        USPS is the worst. They just leave a tag in the mailbox now, and we have to drive to the post office during business hours to retrieve our packages. I usually try not to order from anyone that uses USPS for shipment anymore.

        It's been no problem for the utility people (gas and electric). I called each company and gave them a code, and they come and read the meters just fine.

        It's sure gotten rid of the scammers.

  10. sitta_europea Silver badge

    It doesn't really matter what it is, if it's sold as "smart" it isn't going to be sold to me, because I know it will be dumb. Really, *REALLY* dumb.

    1. Jimmy2Cows Silver badge

      It's a universal discriminator. Marketed as "smart"? Avoid at all costs. If you can... the number of non-"smart" things, of every ilk, seems to be dropping daily.

      1. Michael Wojcik Silver badge

        Sometimes you can find "smart" devices that can be left in a non-connected state. Our LG range is one — we simply ignored the instructions to connect it to the home network, and it's never been a problem.[1] But finding those is difficult too.

        [1] Yes, it'll be a problem on the day we want to turn the oven on remotely, probably to pre-heat it for those unicorn steaks we're bringing home.

  11. Anonymous Coward

    Antique Joke

    Burglar at house door.

    Burglar opens letterbox.

    Burglar shouts (loudly): Alexa....open the door!!

    Alexa.....opens the door.......or not........

    Burglar moves to next target.....

    N.B. In this scenario, the burglar has ABSOLUTELY NO NEED AT ALL FOR TECHNICAL SKILLS!!!

    1. Z P

      Re: Antique Joke

      Ugh Thank you for exhibiting that you do not know how Alexa handles locks / locked doors.

      Now, I admit, this is to the best of my knowledge with a handful of products, but they all require a pass code before a lock can be opened by voice command.

      Having said that, "LOL Android" as an ongoing dig to the lack of security and privacy on that cesspool of a platform (circling back to the original article content)

      Right, as you were, carry on

    2. Michael Wojcik Silver badge

      Re: Antique Joke

      I died a little inside at the thought of a joke about Amazon Alexa being "antique".

  12. Anonymous Coward

    Smart things are often dumb

  13. Terry 6 Silver badge

    the CISA says there are no known cases of it being exploited. Presumably because .....

    Or because victims don't even know how their home got raided, or haven't told the public-at-large even if they had guessed/suspected.

  14. Sparkus

    Answerable to no one?

    All it would take is for an insurance company or two to send out a notice that they will be denying coverage and claims for any property that uses this suspect tech.

    1. Michael Wojcik Silver badge

      Re: Answerable to no one?

      If they can. Policies typically have a fairly specific list of conditions under which coverage can be denied. And in the US at least, insurers are pretty extensively regulated; they often have to get approval from regulators for policy changes.

      That said, I'd expect insurers could announce that they'd be either denying coverage (unlikely, since they'd lose business) or adding a surcharge to premiums for properties with these locks. That might be enough to motivate property owners (who, again, are likely to be management companies in most cases, not individuals).
