back to article CISA in a flap as Chirp smart door locks can be trivially unlocked remotely

Some smart locks controlled by Chirp Systems' software can be remotely unlocked by strangers thanks to a critical security vulnerability. This remote exploitation is possible due to passwords and private keys being hard-coded in Chirp's Android app. Anyone who knows or finds these credentials can use them with an API …

  1. elDog

    Since most of this content seems very similar to Krebs On Security

    I wanted to make sure that your readers can see his posting.

    https://krebsonsecurity.com/2024/04/crickets-from-chirp-systems-in-smart-lock-key-leak/

    Attribution is always welcome.

  2. Stoic Skeptic

    With 50,000 potential clients each with a product liability claim, one would think that the lawyers would be dripping off this.

    1. abend0c4 Silver badge

      Given the description of the app developer's primary business (a developer of multifamily property management and data analytics software) you have to wonder whether securiy is the primary motivation.

      Is it usual in America for your landlord to own your door lock? Not a tenancy condition I'd accept.

      1. jmch Silver badge

        I would expect the scenario for this is maybe the lock on an outer door of a multi-property building rather than the door to each individual apartment. I certainly wouldn't want to rent a building where the landlord can remote-operate the lock (although to be fair, landlords usually anyway have a spare key for their properties and tenants have clauses in their contracts prohibiting landlords from barging in uninvited - such contract clause would be binding whether the lock is electronic or physical)

        1. Anonymous Coward
          Anonymous Coward

          as a former landlord, yes on the extra key, yes never enter without tenant permission or police escort (shit happens).

          After 15 years and a few bad tenants - two domestic violence, one super filthy/disgusting, - eff that crap, sold it.

          Locks always changed for new tenants, most were good people.

          1. J. Cook Silver badge
            Boffin

            Plus one, at least in Arizona, where the tenant laws are pretty well spelled out- landlords can't just come in whenever they want, unless there are specific reasons (danger of property damage or to life and limb, etc.)

            I changed out the locks at the house I was renting when the roommate moved out, with the landlord's provision of "send them a copy of the key".

            And the first thing I did when I took ownership of my house was a wholesale replacement of all the locks and knobs from whatever mashup of vendors to a single vendor.

            If I owned or managed a multi-tenant property, the locks would have a mastering system in them (i.e., a master key and separate keys for each unit.), which is perfectly normal in the US for commercial properties.

    2. Pascal Monett Silver badge

      I'm guessing that that number is going to go down.

  3. spireite Silver badge

    3 years?

    Obviously not in a thrush to fix it, which begs the question.....

    Wren are they going to do it.

    Now this is publicly known, there must be plenty of robin going on!

    I assume they won't be parroting about how safe your property is now.

    1. KittenHuffer Silver badge
      Linux

      Re: 3 years?

      I think I'd have to flip them the bird, and change my locks!

      ------------> Only bird option!

  4. Neil Barnes Silver badge
    Terminator

    You're still using electronic locks?

    How quaint.

    I have an android guard who stands outside the door, vets visitors, and bounces those it doesn't like back down the drive.

    I had to build a little hutch for it to stay when it rains, but it does impress the neighbours.

    1. Phil O'Sophical Silver badge
      Coat

      Re: You're still using electronic locks?

      Sounds like you may have a potential weather-related vulnerability there.

      1. Neil Barnes Silver badge

        Re: You're still using electronic locks?

        As long as it keeps moving, it doesn't rust.

      2. Jellied Eel Silver badge

        Re: You're still using electronic locks?

        Sounds like you may have a potential weather-related vulnerability there.

        I want one of the robo-hounds from Snowcrash. Rain would help keep cool. C'mon Boston Dynamic, get on it faster!

        1. I ain't Spartacus Gold badge

          Re: You're still using electronic locks?

          I want one of the robo-hounds from Snowcrash.

          Also the first thing I thought of. Though wasn't there something similar in Stainless Steel Rat as well?

          Thinks: Not read that since the 80s. Wonder if I'd still enjoy it if I found a copy?

          1. Jellied Eel Silver badge

            Re: You're still using electronic locks?

            Also the first thing I thought of. Though wasn't there something similar in Stainless Steel Rat as well?

            Not sure, but I did remember the dog-things in Snowcrash were called rat-things..Still dog-like and perfect for guarding.

            Thinks: Not read that since the 80s. Wonder if I'd still enjoy it if I found a copy?

            Well.. noticed I do have an omnibus/trilogy on my shelf, have nearly finished the current book I'm reading and may give that a go. Not read it in years

  5. Anonymous Coward
    Anonymous Coward

    LockPickingLawyer

    Just check out his channel on Youtube. Then you'll realise no locks are really that secure. (But the electronic ones do seem to get rinsed regularly.)

    1. MonkeyJuice

      Re: LockPickingLawyer

      The fun is that it it takes considerable dedication and time to learn how to pick locks effectively, but any idiot can push the exploit button.

      1. Evil Scot Bronze badge
        Facepalm

        Re: LockPickingLawyer

        I see so many "smart locks" that fall foul of percussive glazing bypass.

      2. Anonymous Coward
        Anonymous Coward

        Re: LockPickingLawyer

        ...or "strong magnet" as the LPL calls them.

    2. Anonymous Coward
      Anonymous Coward

      Plenty of strong locks

      Not many of the big companies making them though, and not a ton of customers yet. Too much of the market is dictated by commercial players, and there has been too much consolidation of the manufacturers.

      But LPL has covered plenty of the ones that are both strong and a bastard to pick, like some of the old detector locks, and some of the new oddballs. Just don't expect to walk into HomeDespot and buy one for 20$. Then get a security door and reinforced frame, and don't forget the wall it's cut into and all of the windows, etc, etc.

      Not much point blowing cash on one good lock for a literal glass house. That's why Schlage and the others push so much crap. Just as well, most people are as likely to need to be rescued by EMS as burgled. Suck to die because your front door was too awesome.

      1. Michael Wojcik Silver badge

        Re: Plenty of strong locks

        Yes. There are use cases for good locks, and use cases for just enough to discourage the opportunists. As always, it's all about the threat model.

        My current home (Mountain Fastness 2.0) is unusual for me, in that it's the first one I couldn't easily break into (without doing serious damage) myself, if I were locked out for some reason. That's because it's a new build with decent windows and such. But if I wanted in badly enough, I could certainly break a window or door with nothing more than improvised tools.

        Though I wouldn't, because I know where the hide-a-key is, and if my car's there I can open the garage door. (My car is parked outside; the garage is for my wife's car.) And, of course, so can anyone else, if they think to try it.

        But in more than five decades, no one has ever burgled any home I've lived in. And it's particularly unlikely for MF2, where a stranger can't walk or drive down the (private, dead-end, gravel) road without becoming a subject of discussion among the neighbors. Burglary is not high on my priority list of risks.

  6. DS999 Silver badge

    I actually wouldn't worry all that much about this

    What are the odds a burglar would 1) know the brand of smart lock you have and 2) have the know how to exploit it? This is like being worried about Pegasus software p0wning your phone - unless you are specifically targeted (and there has to be a reason someone would target you) you have nothing at all to be worried about.

    I can pick the average home deadbolt in 30 seconds, and while there are more secure lock types out there (that people with more than my amateur level of competence could still attack) that gets you into 98% of houses. Who is going to bother with exploiting some weird off brand smart lock? The owner of that house isn't wealthy, and if they were they'd have a security system once you got past the lock so that's the least of your obstacles.

    1. Terje

      Re: I actually wouldn't worry all that much about this

      As to the questions you put.

      What are the odds a burglar would know the brand of a smart lock you have and have the know how to exploit it?.

      Probably quite high if we look at the "professional burglar" it's a job skill and as such would probably quite fast make it's round to those in that area of "business" especially if the owner have to manually update the locks firmware as that is unlikely to happen to a large number of them and is thus a long term viable option. If you are talking about your regular break a window kind not very high, but then any kind of locked door will result in going through an easier route.

      The lock business seems to have a longstanding tradition of security through obscurity, putting their heads in the sand and ignoring known problems, so I'm not surprised at there being no answers and no patches from the company.

      1. Terry 6 Silver badge

        Re: I actually wouldn't worry all that much about this

        And if we consider how easily criminals can obtain kits to get inside car locks and nick the Pride and Joy it's likely that this knowedge will get shared pretty quickly- probably happening inside one of His Majesty's finishing schools as we speak.

    2. Anonymous Coward
      Anonymous Coward

      Re: I actually wouldn't worry all that much about this

      The most problematic scenario is not random burglar knowing a hack for the particular lock he stumbles on, which seems indeed unlikely, but the opposite: burglar buys from hacker both the hacking tool and a list of addresses where the lock is installed obtained from the operator.

      Like an "open door" app with a "find me a door near me that I can open" with maps integration. A companion feature would be to plot the location of the house dwellers from some other data leaks.

      1. Michael Wojcik Silver badge

        Re: I actually wouldn't worry all that much about this

        Particularly for multi-tenant buildings, which is where these locks are mostly used. Certainly if I were in the business of domestic burglary I'd have the Chirp backdoor in my pocket (literally), because why wouldn't you?

        And for the same reason I'm very dubious of the "no evidence it's been used" comment from CISA, which may be technically correct (if glossed as "no evidence they're aware of"). Where this would be used is in burglary of apartments, for the most part, and the management company would do its best to 1) blame the tenants and 2) hush it up. "Oh yes, you say things were taken from your unit, but how do we know it wasn't someone you gave access to?"

    3. Steve Graham

      Re: I actually wouldn't worry all that much about this

      What are the odds that car thieves would have the equipment to deceive your car's "keyless entry" system? It happened to a friend of mine a few weeks ago, and it wasn't high-tech hacker car thieves, just a couple of local yobbos. (They were arrested.)

      1. 42656e4d203239 Silver badge

        Re: I actually wouldn't worry all that much about this

        What are the odds that car thieves would have the equipment to deceive your car's "keyless entry" system?

        Pretty high. Saw an video of some muppet opening a range rover using one such devcie and, via an OBDCII device, starting it and driving away...

        Don't buy nice cars boys and girls - the bad uns will have them away if they want them.... but then that has always been the case (nice is obviously relative to the location of the vehicle...)

        1. Mr Humbug

          Re: I actually wouldn't worry all that much about this

          I think Range Rovers have a particular security problem. I was talking to the local PCSO about the kinds of crime in the area around our office a fewof weeks ago. She said they don't break in to houses, they steal Range Rovers through keyless entry. She said Range Rovers but then went on to say that it's theft of luxury cars.

        2. J. Cook Silver badge
          Go

          Re: I actually wouldn't worry all that much about this

          Don't buy nice cars boys and girls - the bad uns will have them away if they want them.... but then that has always been the case (nice is obviously relative to the location of the vehicle...)

          The cheap ones, too- Kia has a known issue with a few of their low end models where they decided to not put in something like chipped keys, and a number of people decided to put the exploit on social media. Kia's response was to offer people a steering wheel lock, which was not much better.

          If a thief wants something badly enough, they'll find a way to take it- locks keep honest people honest and slow down the pros.

        3. John Miles

          Re: I actually wouldn't worry all that much about this

          The sad fact is this has been going on for at least 12 years - back in 2012 it was BMWs going awol, if you got access to the inside of the car you could plug into the ODBC and program car to accept another key pretty quick. A particular weakness was for right had drive vehicles where the alarm sensors didn't cover the area around the port or drivers window and putting a screwdriver in the lock and twisting it hard would wind the windows down - so easy access.

  7. Mike 137 Silver badge

    Oh no -not AGAIN!!!!

    "it's possible to use the credentials inside the Chirp Android app to effectively masquerade as the developer"

    So the dev hard coded their test credentials into the app and they were left in when it was passed for release. Two absolutely idiotic mistakes. If it's representative of the level of understanding of, and attention to, security in the dev community (and I fear it is) we're doomed, we're DOOMED.

    1. Mishak Silver badge

      Yep

      It's well beyond time that this sort of "error" resulted in prison time (behind a door secured with a different lock).

    2. Michael Wojcik Silver badge

      Re: Oh no -not AGAIN!!!!

      I think "test credentials" are generous. I'm more inclined to believe Chirp put these in as a deliberate backdoor so they could reset things for management companies that lost their password. Property management does not always attract the best and brightest, and a vendor like Chirp would like to appear "responsive" to requests for assistance.

      These "smart locks" are largely security theater; very few vendors show any evidence of actually being interested in security. They're interested in sales, and a customer complaining that they locked themselves out and the vendor couldn't quickly get them back in is bad for sales.

  8. JT_3K

    SURPRISE

    [JAZZ HANDS]

  9. Pascal Monett Silver badge
    Facepalm

    "application software to remotely control compatible locks"

    How is it that people looked at this possibility and thought : "now that's a great idea" ?

    I am not interested in remote-opening my front door. I want to open it when I get there, not before and certainly not after.

    And if I am renting something with this, I will tell the owner that I am replacing the lock. If he objects, I will look elsewhere.

    1. Jimmy2Cows Silver badge

      Re: "application software to remotely control compatible locks"

      I can sort of imagine some kind of remote support use case, where the owner has lost access. But then that person would have to prove they are the property owner, and how would Chirp be able to verify that? Another possibility could be law enforcement support. But they'll happily smash the door down rather than wait for it be unlocked.

      So neither possibility is a good option.

      Or maybe a parent who is out, and needs to let their kid into the house. Maybe they lost or forgot their key, and don't have access to the Chirp app. Lost/stolen phone, dead phone, calling from a neighbour's house or something. This one is broadly more sensible and perhaps useful in niche cases.

      But realistically, this is most likely one of those product meetings where "no idea is a bad idea", someone tossed out remote unlocking, and marketing went "Hell yeah! That'll be cool!" without actually thinking it through.

    2. robinsonb5

      Re: "application software to remotely control compatible locks"

      A friend of mine has a porch with an regular lock on the internal front door but an electronic lock on the outer door. The electronic lock can be fingerprint operated (with varying degrees of success in varying weather conditions!) - but the killer feature for him is that he can give a one-time entry code to a courier, and have parcels left securely in the porch.

      1. usbac Silver badge

        Re: "application software to remotely control compatible locks"

        Good luck with that.

        We installed a gate at the front fence that has a VOIP door phone and an electronic lock. All done with my own systems, no cloud connected BS.

        We did this mostly to deter door-to-door scammers sales people. We get tones of solar energy scammers these days for some reason. It also deters porch pirates, although that has never been an issue in our neighborhood.

        There is a clear sign on the gate that says "To unlock this gate, use the code from the shipping label, or press the CALL button". If they press the CALL button, it rings all of the phones in the house, and we can press a key to unlock the gate. They can enter the 4 digit code on the door phone keypad also.

        The results have been a mixed bag depending on the courier. So far the best has been Amazon's Prime delivery people. We set up the gate code in our account, and never a problem with them. With FedEx, once they got used to the setup, no problems either. UPS is still a problem. They just toss the package over the gate. This is a problem because the gate opens in, and when they leave heavy packages there, no one else can open the gate. Not sure what to do about that one.

        USPS is the worst. They just leave a tag in the mailbox now, and we have to drive to the post office during business hours to retrieve our packages. I usually try not to order from anyone that uses USPS for shipment anymore.

        It's been no problem for the utility people (gas and electric). I called each company and gave them a code, and they come and read the meters just fine.

        It's sure gotten rid of the scammers.

  10. sitta_europea Silver badge

    It doesn't really matter what it is, if it's sold as "smart" it isn't going to be sold to me, because I know it will be dumb. Really, *REALLY* dumb.

    1. Jimmy2Cows Silver badge

      lt's a universal discriminator. Marketed as "smart"? Avoid at all costs. If you can... the number of non-"smart" things, of every ilk, seems to be dropping daily.

      1. Michael Wojcik Silver badge

        Sometimes you can find "smart" devices that can be left in a non-connected state. Our LG range is one — we simply ignored the instructions to connect it to the home network, and it's never been a problem.1 But finding those is difficult too.

        1Yes, it'll be a problem on the day we want to turn the oven on remotely, probably to pre-heat it for those unicorn steaks we're bringing home.

  11. Anonymous Coward
    Anonymous Coward

    Antique Joke

    Burgler at house door.

    Burgler opens letterbox.

    Burgler shouts (loudly): Alexa....open the door!!

    Alexa.....opens the door.......or not........

    Burgler moves to next target.....

    N.B. In this scenario, the burgler has ABSOLUTELY NO NEED AT ALL FOR TECHNICAL SKILLS!!!

    1. Z P

      Re: Antique Joke

      Ugh Thank you for exhibiting that you do not know how Alexa handles locks / locked doors.

      Now, I admit, this is to the best of my knowledge with a handful of products, but they all require a pass code before a lock can be opened by voice command.

      Having said that, "LOL Android" as an ongoing dig to the lack of security and privacy on that cesspool of a platform (circling back to the original article content)

      Right, as you were, carry on

    2. Michael Wojcik Silver badge

      Re: Antique Joke

      I died a little inside at the thought of a joke about Amazon Alexa being "antique".

  12. Anonymous Coward
    Anonymous Coward

    Smart things are often dumb

  13. Terry 6 Silver badge

    the CISA says there are no known cases of it being exploited. Presumably because .....

    Or because victims don't even know how their home got raided, or haven't told the public-at-large even if they had guessed/suspected.

  14. Sparkus

    Answerable to no one?

    All is would take is for an insurance company or two to send out a notice that they will be denying coverage and claims for any property that uses this suspect tech.

    1. Michael Wojcik Silver badge

      Re: Answerable to no one?

      If they can. Policies typically have a fairly specific list of conditions under which coverage can be denied. And in the US at least, insurers are pretty extensively regulated; they often have to get approval from regulators for policy changes.

      That said, I'd expect insurers could announce that they'd be either denying coverage (unlikely, since they'd lose business) or adding a surcharge to premiums for properties with these locks. That might be enough to motivate property owners (who, again, are likely to be management companies in most cases, not individuals).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like