Security Flaw Found in Chirp Systems' Smart Home Lock App

US authorities have disclosed a serious security vulnerability in the Chirp Systems app that permits unauthorized remote access to smart home locks. Chirp's smart access control system is extensively used in rental housing, and the flaw allows anyone to remotely override any lock in thousands of rental homes across the United States. Chirp Systems has been made aware of the problem, but it has not been resolved.

Residents use the app in place of physical keys. The Cybersecurity and Infrastructure Security Agency (CISA) released a security advisory pointing out that the app improperly stores hardcoded credentials, which allows external control of any smart lock that is compatible with Chirp. Hardcoded credentials in apps are a security risk because they are easily retrieved and can then be used to replicate app functionality, such as remotely locking or opening doors over the internet.

CISA rated the vulnerability's severity at 9.1 out of 10, classifying it as remotely exploitable with low attack complexity. Despite numerous alerts, Chirp Systems has not been in touch with CISA or with the researcher who found the vulnerability. Security researcher Matt Brown notified Chirp of the bug in March 2021, yet it still exists.

After the alert was published, Chirp stated that it had not found any data to substantiate the alert's assertions, although it did say that it was working on a patch to fix the problems.

In 2020, RealPage bought Chirp Systems, a provider of keyless access in the expanding property tech sector. Later that year, Thoma Bravo acquired RealPage for a whopping $10.2 billion. RealPage's rent-setting software is currently at the center of legal disputes, and the firm has neither acknowledged the software's flaws nor disclosed any intention to alert affected residents to the security risks.
