April 15, 2024

The U.S. government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp’s parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.

On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with “low attack complexity” in Chirp Systems smart locks.

“Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access,” CISA’s alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). “Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability.”

Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp’s app to get in and out of their apartments.

“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told KrebsOnSecurity. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.”

Using those hard-coded credentials, Brown found an attacker could then connect to an application programming interface (API) that Chirp uses which is managed by smart lock vendor August.com, and use that to enumerate and remotely lock or unlock any door in any building that uses the technology.

Update, April 18, 11:55 a.m. ET: August has provided a statement saying it does not believe August or Yale locks are vulnerable to the hack described by Brown.

“We were recently made aware of a vulnerability disclosure regarding access control systems provided by Chirp, using August and Yale locks in multifamily housing,” the company said. “Upon learning of these reports, we immediately and thoroughly investigated these claims. Our investigation found no evidence that would substantiate the vulnerability claims in either our product or Chirp’s as it relates to our systems.”

Update, April 25, 2:45 p.m. ET: Based on feedback from Chirp, CISA has downgraded the severity of this flaw and revised their security advisory to say that the hard-coded credentials do not appear to expose the devices to remote locking or unlocking. CISA says the hardcoded credentials could be used by an attacker within the range of Bluetooth (~30 meters) “to change the configuration settings within the Bluetooth beacon, effectively removing Bluetooth visibility from the device. This does not affect the device’s ability to lock or unlock access points, and access points can still be operated remotely by unauthorized users via other means.”

Brown said when he complained to his leasing office, they sold him a small $50 key fob that uses Near-Field Communications (NFC) to toggle the lock when he brings the fob close to his front door. But he said the fob doesn’t eliminate the ability for anyone to remotely unlock his front door using the exposed credentials and the Chirp mobile app.

Also, the fobs pass the credentials to his front door over the air in plain text, meaning someone could clone the fob just by bumping against him with a smartphone app made to read and write NFC tags.

Neither August nor Chirp Systems responded to requests for comment. It’s unclear exactly how many apartments and other residences are using the vulnerable Chirp locks, but multiple articles about the company from 2020 state that approximately 50,000 units use Chirp smart locks with August’s API.

Roughly a year before Brown reported the flaw to Chirp Systems, the company was bought by RealPage, a firm founded in 1998 as a developer of multifamily property management and data analytics software. In 2021, RealPage was acquired by the private equity giant Thoma Bravo.

Brown said the exposure he found in Chirp’s products is “an obvious flaw that is super easy to fix.”

“It’s just a matter of them being motivated to do it,” he said. “But they’re part of a private equity company now, so they’re not answerable to anybody. It’s too bad, because it’s not like residents of [the affected] properties have another choice. It’s either agree to use the app or move.”

In October 2022, an investigation by ProPublica examined RealPage’s dominance in the rent-setting software market, and that it found “uses a mysterious algorithm to help landlords push the highest possible rents on tenants.”

“For tenants, the system upends the practice of negotiating with apartment building staff,” ProPublica found. “RealPage discourages bargaining with renters and has even recommended that landlords in some cases accept a lower occupancy rate in order to raise rents and make more money. One of the algorithm’s developers told ProPublica that leasing agents had ‘too much empathy’ compared to computer generated pricing.”

Last year, the U.S. Department of Justice threw its weight behind a massive lawsuit filed by dozens of tenants who are accusing the $9 billion apartment software company of helping landlords collude to inflate rents.

In February 2024, attorneys general for Arizona and the District of Columbia sued RealPage, alleging RealPage’s software helped create a rental monopoly.

41 thoughts on “Crickets from Chirp Systems in Smart Lock Key Leak

  1. Jeff

    “Chirp’s parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.”
    It’s been 3 years since the flaw was discovered… If there is a flaw in a car to could ‘potentially’ cause an accident – recalls can be mandated (often done voluntarily before mandated). Why can’t we get that sort of system enacted for Cyber?
    Also, seems like a class action lawsuit could be filed…’did knowingly continue to provide devices for security while aware said devices contain flaws that do the opposite’. Its called Fraud: “a person or thing intended to deceive others, typically by unjustifiably claiming or being credited with accomplishments or qualities.”

    1. DaBunny42

      The US Dept of Transportation can mandate recalls because they pose a direct risk of death and injury to owners of the vehicles and anyone around them. This flaw risks property.

      Re class action, I agree. I hadn’t heard of this before. I’m…guessing it was just made public? Usually such a flaw is quietly reported to a developer so they can fix the flaw before bad guys find it. They only went public when Chirp refused to fix it. If there haven’t already been class action suits filed, I’m sure it’s just a matter of time. (Though I’d bet quite a bit of $ that leases from such toxic landlords ban tenants from class action suits and mandate binding arbitration.)

      1. pwf

        it’s not just property. people tend to sleep in apartments, ya know?

  2. Wannabe Techguy

    So yet again, a flaw that could be easily fixed if the companies wanted to? Why am I not surprised?
    BTW, I’ve never heard of negotiating your rent. I’ve always thought whatever they tell you is it.

    1. Robert

      If you are talking directly with the owner, you can negotiate and have. But for all the apartment complexes I’ve lived at, they would rather see you walk away that give a penny in concessions. The people you deal with probably can’t give any concessions.

      One time I decided to test that. I offered, no discount, to pay the entire lease’s rent all at once. Sucky deal for me, but wonderful for them. They flat out refused without even considering it. They wanted a payment every month, and that’s what they got. Sadly, that wasn’t even the worse place I lived at.

  3. Bill Horvath

    If I remember right, August is one of the few companies making Homekit locks. I wonder if Apple knows about this one yet?

    1. RWKOS

      Was wondering the same.

      what is not clear from the article, at least to my level of knowledge, is whether the August locks are also affected.

      Does the problem begin with August, or is intrinsic to something Chirp does with August’s product.

      1. BrianKrebs Post author

        Yes, there are several things that remain unclear. It would help if any of the companies involved responded to questions.

  4. Roger Chase

    Why don’t everyone using these locks just take the batteries out and use a key.. I’m sure if enough of the tenants get together and insist on keys the managers would do it or better yet take it to court.

    1. Steven -Redacted-

      It’s a kwikset keyway, those a trivially easy for a locksmith to rekey, just take the lock to a local shop and they should be able to get you a working key in 10 minutes or less.

    2. Matt Brown

      Camden didn’t and wouldn’t issue physical keys after installing the new locks.

      1. IoT Guy

        Try and unlock my Yale locks with the client key. They’re bluetooth, not networked, and gated by user auth. It’s not a private key and the most that will happen is someone takes the key and finds out they can only access their locks. Pretty sure the bridge isn’t employed much…..

  5. Ben Wrigley

    I see there’s a Yale smartlock image in this article. Do we know if there has there been any evidence of this glaring security oversight flowing into Yale or Assa Abloy lock control products?

    1. Walter Yamamoto

      From chirpsystems.com/user-guide:

      “Unlocking Your Home
      ‍If your property uses Yale smart locks for apartment access, tap on your Home in the Chirp App to unlock your door. You must have Bluetooth turned on and be within 20 feet of your lock.”

  6. Throwaway

    Yo, I clicked this article because I saw a Yale logo. If this doesn’t affect Yale locks, please change the image.

    1. BrianKrebs Post author

      If you read the Chirp Systems website, they talk about their product working with Yale smart locks, and that picture comes from Chirp’s site. e.g.:

      “More Details About
      Home Access

      Unlocking Your Home
      ‍If your property uses Yale smart locks for apartment access, tap on your Home in the Chirp App to unlock your door. You must have Bluetooth turned on and be within 20 feet of your lock.”

      1. Smart Home Novice

        So…. this isn’t “remote unlocks” like everyone claims? I fail to see where the “vulnerability” is with a public key, gated by user auth.

  7. Michael Coelho

    What manufacturer’s locks are affected? The photo is of a Yale lock. The article mentions August locks. Yale and Schlage are two of the biggest manufacturers of residential electronic access locks.

  8. Walter Yamamoto

    From august.com/pages/connected-by-august:
    “For a safer, smarter front door
    Yale Assure Locks now work with the August app! The Connected by August Module will allow you to lock/unlock, share access and see who comes and goes all from your August app. Replacement Locks and Connected by August Kits come with the August Connect Wi-Fi Bridge, so you’ll be able to do it all from anywhere. Plus you can control your lock with voice assistants including Amazon Alexa, the Google Assistant and Siri!”

  9. Walter Yamamoto

    Yale and August are both owned by Assa Abloy, Inc. Chirp has partnered with Assa Abloy to deliver the lock hardware from Yale Residential and the bluetooth technology developed by August Home.

  10. Andrew Rose

    Here is why i am confused. this article alludes to the resident being sold a credential (Hard) that uses NFC as an alternative, however after using these august/yale locks with Air BNB they are WIFI/ZigBee/zwave/Bluetooth only. Can someone help clarify if this entire story is made up since these locks don’t even take fobs/cards.

    1. Walter Yamamoto

      The NFC fob has nothing to do with the security flaw. The residents that complained were given the fobs to lock/unlock the doors, BUT the use of the fob does NOT eliminate the security flaw that allows someone to use the data stored in the Chirp API from being able to lock/unlock the door remotely. In other words, giving the fob to the tenants was just trying to passivate the complaints of users that don’t understand how the locks/app/firmware works.

  11. Lee

    I’ll stick with my mechanical lock thank you. It doesn’t have a large feature set – I can’t unlock my house from halfway around the world for example. It is however pick and bump resistant enough to stop any likely attackers, and I don’t have to worry about hardcoded credentials or the fob being being cloned by a malicious person walking past me.

  12. R.Cake

    pheww… only moderately surprised that the housing “market” would spawn the conditions in which this kind of weakness can flourish. Assuming that there was a burglary based on this weakness:
    a) on the plus side, you could think it would give tenants the chance to sue their landlord for failing to provide a secure door lock
    b) on the other hand, your landlord could probably still find legal cause to then directly eject you out on the street and put you on a blacklist; AND they would easily find another person who is more than willing to accept the risk. AND of course your landlord has a better lawyer than you do, so you will think twice and thrice about actually suing them (after all, with this weakness it will be much harder to prove that there even was a burglary).
    The housing “market” sucks so much, it is unbelievable. Good on all municipalities that still manage some level of financially accessible housing themselves.

  13. Jack Rosenzweig

    I have a Yale lock that works with HomeKit. So I immediately emailed support.

    This was the reply when I asked if my lock was vulnerable:

    “ We were recently made aware of a vulnerability disclosure regarding access control systems provided by Chirp, using August and Yale locks in multifamily housing. These reports do not impact August or Yale residential customers or the Yale Access app.

    Upon learning of these reports, we immediately and thoroughly investigated these claims. Our investigation found no evidence that would substantiate the vulnerability claims in either our product or Chirp’s as it relates to our systems.”

    So someone is clearly not correct. My moneys not on Chirp, but willing to see how it plays out.

    1. Some Idiot


        1. Mahhn

          New guarantees of Nothing at all:
          13. Disclaimer of Warranties

      1. David Wishengrad

        Last line, not hex, GetChirp, in case anyone missed it

  14. Jonathan Simpson

    Assa Abloy no longer owns Yale Locks or August, they are now owned by Fortune Brands. I was not able to find any reference about this vulnerability.

  15. Leaky Faucet

    Didn’t Camden living sell this software to real page?

Comments are closed.