The U.S. government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp’s parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.
On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with “low attack complexity” in Chirp Systems smart locks.
“Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access,” CISA’s alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). “Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability.”
Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp’s app to get in and out of their apartments.
“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told KrebsOnSecurity. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.”
Using those hard-coded credentials, Brown found an attacker could then connect to an application programming interface (API) that Chirp uses which is managed by smart lock vendor August.com, and use that to enumerate and remotely lock or unlock any door in any building that uses the technology.
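The class of flaw CISA describes, credentials stored in an app's source code, can be caught before release by scanning the source (or the decompiled build) for credential-like constants. The sketch below is an added example, not code from Chirp, CISA or Brown; the sample class, field names and values are constructed, and the name patterns and entropy threshold are assumptions to tune per code base.

```python
import math
import re

# Constructed sample resembling decompiled Android source; every value is made up.
SAMPLE_SOURCE = '''\
package com.example.lockapp;
public final class BuildConfig {
    public static final String API_BASE = "https://api.example.invalid/";
    public static final String API_KEY = "00000000-1111-2222-3333-444444444444";
    public static final String SERVICE_PASSWORD = "Ex4mpleP4ss";
    public static final String SIGNING_BLOB = "q7Zx1LmP0aVd93KfTnYb6RwUe2HsJc8G5oIiXyAzBt4=";
    public static final String APP_NAME = "Example Lock";
    public static final int VERSION_CODE = 42;
}
'''

# Identifier names that suggest the literal is a credential (assumed patterns).
SUSPECT_NAME = re.compile(r"(pass(word|wd)?|secret|token|api_?key|private_?key)", re.I)
# A Java/Kotlin-style assignment of a string literal to a named constant or field.
ASSIGNMENT = re.compile(r'(\w+)\s*=\s*"([^"]{6,})"')


def shannon_entropy(value: str) -> float:
    """Bits per character; random key material scores higher than words or URLs."""
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def find_hardcoded_secrets(source: str, entropy_threshold: float = 4.5):
    """Return (line_number, identifier, reason) for each suspicious literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, literal in ASSIGNMENT.findall(line):
            if SUSPECT_NAME.search(name):
                findings.append((lineno, name, "credential-like name"))
            elif len(literal) >= 20 and shannon_entropy(literal) >= entropy_threshold:
                findings.append((lineno, name, "high-entropy literal"))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in find_hardcoded_secrets(SAMPLE_SOURCE):
        # Report the location only; never echo the secret value into build logs.
        print(f"line {lineno}: {name} ({reason})")
```

A finding means the value should move to a server-side or per-user credential and the exposed one be rotated, since anything compiled into a client app can be read by whoever installs it.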
Update, April 18, 11:55 a.m. ET: August has provided a statement saying it does not believe August or Yale locks are vulnerable to the hack described by Brown.
“We were recently made aware of a vulnerability disclosure regarding access control systems provided by Chirp, using August and Yale locks in multifamily housing,” the company said. “Upon learning of these reports, we immediately and thoroughly investigated these claims. Our investigation found no evidence that would substantiate the vulnerability claims in either our product or Chirp’s as it relates to our systems.”
Update, April 25, 2:45 p.m. ET: Based on feedback from Chirp, CISA has downgraded the severity of this flaw and revised their security advisory to say that the hard-coded credentials do not appear to expose the devices to remote locking or unlocking. CISA says the hardcoded credentials could be used by an attacker within the range of Bluetooth (~30 meters) “to change the configuration settings within the Bluetooth beacon, effectively removing Bluetooth visibility from the device. This does not affect the device’s ability to lock or unlock access points, and access points can still be operated remotely by unauthorized users via other means.”
Brown said when he complained to his leasing office, they sold him a small $50 key fob that uses Near-Field Communications (NFC) to toggle the lock when he brings the fob close to his front door. But he said the fob doesn’t eliminate the ability for anyone to remotely unlock his front door using the exposed credentials and the Chirp mobile app.
Also, the fobs pass the credentials to his front door over the air in plain text, meaning someone could clone the fob just by bumping against him with a smartphone app made to read and write NFC tags.
Neither August nor Chirp Systems responded to requests for comment. It’s unclear exactly how many apartments and other residences are using the vulnerable Chirp locks, but multiple articles about the company from 2020 state that approximately 50,000 units use Chirp smart locks with August’s API.
Roughly a year before Brown reported the flaw to Chirp Systems, the company was bought by RealPage, a firm founded in 1998 as a developer of multifamily property management and data analytics software. In 2021, RealPage was acquired by the private equity giant Thoma Bravo.
Brown said the exposure he found in Chirp’s products is “an obvious flaw that is super easy to fix.”
“It’s just a matter of them being motivated to do it,” he said. “But they’re part of a private equity company now, so they’re not answerable to anybody. It’s too bad, because it’s not like residents of [the affected] properties have another choice. It’s either agree to use the app or move.”
In October 2022, an investigation by ProPublica examined RealPage’s dominance in the rent-setting software market, and found that the company “uses a mysterious algorithm to help landlords push the highest possible rents on tenants.”
“For tenants, the system upends the practice of negotiating with apartment building staff,” ProPublica found. “RealPage discourages bargaining with renters and has even recommended that landlords in some cases accept a lower occupancy rate in order to raise rents and make more money. One of the algorithm’s developers told ProPublica that leasing agents had ‘too much empathy’ compared to computer generated pricing.”
Last year, the U.S. Department of Justice threw its weight behind a massive lawsuit filed by dozens of tenants who are accusing the $9 billion apartment software company of helping landlords collude to inflate rents.
In February 2024, attorneys general for Arizona and the District of Columbia sued RealPage, alleging RealPage’s software helped create a rental monopoly.
Hey, I know that guy!
Woah, me too! 🙂
Nice work, well done!
Great title! Thanks for my morning chuckle.
“Chirp’s parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.”
It’s been 3 years since the flaw was discovered… If there is a flaw in a car that could ‘potentially’ cause an accident – recalls can be mandated (often done voluntarily before mandated). Why can’t we get that sort of system enacted for Cyber?
Also, seems like a class action lawsuit could be filed…’did knowingly continue to provide devices for security while aware said devices contain flaws that do the opposite’. It’s called Fraud: “a person or thing intended to deceive others, typically by unjustifiably claiming or being credited with accomplishments or qualities.”
The US Dept of Transportation can mandate recalls because they pose a direct risk of death and injury to owners of the vehicles and anyone around them. This flaw risks property.
Re class action, I agree. I hadn’t heard of this before. I’m…guessing it was just made public? Usually such a flaw is quietly reported to a developer so they can fix the flaw before bad guys find it. They only went public when Chirp refused to fix it. If there haven’t already been class action suits filed, I’m sure it’s just a matter of time. (Though I’d bet quite a bit of $ that leases from such toxic landlords ban tenants from class action suits and mandate binding arbitration.)
it’s not just property. people tend to sleep in apartments, ya know?
So yet again, a flaw that could be easily fixed if the companies wanted to? Why am I not surprised?
BTW, I’ve never heard of negotiating your rent. I’ve always thought whatever they tell you is it.
If you are talking directly with the owner, you can negotiate and have. But for all the apartment complexes I’ve lived at, they would rather see you walk away than give a penny in concessions. The people you deal with probably can’t give any concessions.
One time I decided to test that. I offered, no discount, to pay the entire lease’s rent all at once. Sucky deal for me, but wonderful for them. They flat out refused without even considering it. They wanted a payment every month, and that’s what they got. Sadly, that wasn’t even the worst place I lived at.
If I remember right, August is one of the few companies making Homekit locks. I wonder if Apple knows about this one yet?
Was wondering the same.
Brian,
what is not clear from the article, at least to my level of knowledge, is whether the August locks are also affected.
Does the problem begin with August, or is it intrinsic to something Chirp does with August’s product?
Yes, there are several things that remain unclear. It would help if any of the companies involved responded to questions.
Why doesn’t everyone using these locks just take the batteries out and use a key? I’m sure if enough of the tenants get together and insist on keys the managers would do it or better yet take it to court.
It’s a kwikset keyway, those are trivially easy for a locksmith to rekey, just take the lock to a local shop and they should be able to get you a working key in 10 minutes or less.
Camden didn’t and wouldn’t issue physical keys after installing the new locks.
Try and unlock my Yale locks with the client key. They’re bluetooth, not networked, and gated by user auth. It’s not a private key and the most that will happen is someone takes the key and finds out they can only access their locks. Pretty sure the bridge isn’t employed much…..
I see there’s a Yale smartlock image in this article. Do we know if there has been any evidence of this glaring security oversight flowing into Yale or Assa Abloy lock control products?
From chirpsystems.com/user-guide:
“Unlocking Your Home
If your property uses Yale smart locks for apartment access, tap on your Home in the Chirp App to unlock your door. You must have Bluetooth turned on and be within 20 feet of your lock.”
Yo, I clicked this article because I saw a Yale logo. If this doesn’t affect Yale locks, please change the image.
Lmao, I didn’t even notice that. I now feel very silly. My other reply is potentially untrue
If you read the Chirp Systems website, they talk about their product working with Yale smart locks, and that picture comes from Chirp’s site. e.g.:
“More Details About
Home Access
Unlocking Your Home
If your property uses Yale smart locks for apartment access, tap on your Home in the Chirp App to unlock your door. You must have Bluetooth turned on and be within 20 feet of your lock.”
So…. this isn’t “remote unlocks” like everyone claims? I fail to see where the “vulnerability” is with a public key, gated by user auth.
What manufacturer’s locks are affected? The photo is of a Yale lock. The article mentions August locks. Yale and Schlage are two of the biggest manufacturers of residential electronic access locks.
August is wholly owned by Yale.
From august.com/pages/connected-by-august:
“For a safer, smarter front door
Yale Assure Locks now work with the August app! The Connected by August Module will allow you to lock/unlock, share access and see who comes and goes all from your August app. Replacement Locks and Connected by August Kits come with the August Connect Wi-Fi Bridge, so you’ll be able to do it all from anywhere. Plus you can control your lock with voice assistants including Amazon Alexa, the Google Assistant and Siri!”
Yale and August are both owned by Assa Abloy, Inc. Chirp has partnered with Assa Abloy to deliver the lock hardware from Yale Residential and the bluetooth technology developed by August Home.
Here is why I am confused. This article alludes to the resident being sold a credential (Hard) that uses NFC as an alternative, however after using these august/yale locks with Airbnb they are WIFI/ZigBee/zwave/Bluetooth only. Can someone help clarify if this entire story is made up since these locks don’t even take fobs/cards.
The entire story is made up? Did you just read the captions and skip the story?
The NFC fob has nothing to do with the security flaw. The residents that complained were given the fobs to lock/unlock the doors, BUT the use of the fob does NOT eliminate the security flaw that allows someone to use the data stored in the Chirp API from being able to lock/unlock the door remotely. In other words, giving the fob to the tenants was just trying to passivate the complaints of users that don’t understand how the locks/app/firmware works.
This is not correct, Yale locks support Apple HomeKey which uses NFC. Yale has supported NFC in their locks for years –
https://www.wired.com/2011/09/yale-lock-opens-doors-with-nfc-phones/
https://www.theverge.com/23367464/yale-assure-lock-2-touchscreen-keypad-wifi-review
I’ll stick with my mechanical lock thank you. It doesn’t have a large feature set – I can’t unlock my house from halfway around the world for example. It is however pick and bump resistant enough to stop any likely attackers, and I don’t have to worry about hardcoded credentials or the fob being cloned by a malicious person walking past me.
pheww… only moderately surprised that the housing “market” would spawn the conditions in which this kind of weakness can flourish. Assuming that there was a burglary based on this weakness:
a) on the plus side, you could think it would give tenants the chance to sue their landlord for failing to provide a secure door lock
b) on the other hand, your landlord could probably still find legal cause to then directly eject you out on the street and put you on a blacklist; AND they would easily find another person who is more than willing to accept the risk. AND of course your landlord has a better lawyer than you do, so you will think twice and thrice about actually suing them (after all, with this weakness it will be much harder to prove that there even was a burglary).
The housing “market” sucks so much, it is unbelievable. Good on all municipalities that still manage some level of financially accessible housing themselves.
I have a Yale lock that works with HomeKit. So I immediately emailed support.
This was the reply when I asked if my lock was vulnerable:
“We were recently made aware of a vulnerability disclosure regarding access control systems provided by Chirp, using August and Yale locks in multifamily housing. These reports do not impact August or Yale residential customers or the Yale Access app.
Upon learning of these reports, we immediately and thoroughly investigated these claims. Our investigation found no evidence that would substantiate the vulnerability claims in either our product or Chirp’s as it relates to our systems.”
So someone is clearly not correct. My money’s not on Chirp, but willing to see how it plays out.
1efbb8f0-d89d-ffe0-3420-a3f2b203e1a6
https://api-production.august.com/
G3tCh1rp
https://www.realpage.com/privacy-policy/
https://www.chirpsystems.com/terms-of-use
https://www.chirpsystems.com/user-guide
res.cloudinary.com
TKZMlZn5kpz1T5/e8S98oykAmga2R2MA4iOy7QPbckc=
Interesting.
I don’t know if https://www.chirpsystems.com/terms-of-use was still live when this was posted, but it’s 404’d now.
Chirp’s terms of use now redirects here; https://www.realpage.com/sbserviceterms/
New guarantees of Nothing at all:
13. Disclaimer of Warranties
b.
SITE OWNER ACKNOWLEDGES AND AGREES THAT THE SERVICES (I) ARE NOT INTENDED TO OPERATE AS A SECURITY MONITORING SYSTEM; (II) DO NOT REDUCE THE LIKELIHOOD OF OR ELIMINATE OCCURRENCES OF EVENTS SUCH AS THEFTS, BURGLARIES, ROBBERIES, ASSAULTS AND OTHER CRIMES (COLLECTIVELY, “UNDESIRED OCCURRENCES”); AND (III) MAY NOT AVERT OR MINIMIZE UNDESIRED OCCURRENCES OR THEIR CONSEQUENCES. SITE OWNER FURTHER ACKNOWLEDGES AND AGREES THAT SITE OWNER IS NOT RELYING ON THE SERVICES TO AVERT OR MINIMIZE UNDESIRED OCCURRENCES OR THEIR CONSEQUENCES.
Last line, not hex, GetChirp, in case anyone missed it
Assa Abloy no longer owns Yale Locks or August, they are now owned by Fortune Brands. I was not able to find any reference about this vulnerability.
Didn’t Camden living sell this software to real page?
thrilled that Yale, Emtek, August and Schaub have now officially joined the Fortune Brands family
https://ir.fbin.com/news-releases/news-release-details/fortune-brands-completes-acquisition-emtek-and-schaub-premium
Jun. 20, 2023
Fortune Brands Completes Acquisition of Emtek and Schaub Premium Hardware Brands and the U.S. and Canadian Yale and August Residential Smart Lock Brands
Brian, have you seen the latest from CISA on this vulnerability: https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01
They apparently have accepted Chirp Systems’ response (see here https://statement.chirpsystems.com/chirp-systems-icsa-24-067-01-response.html) that essentially says that what Matt Brown reported does not exist on their system.