The US government says a vulnerability in the Chirp Systems app allows anyone to remotely control smart home locks

A flaw in a smart access control system used in hundreds of U.S. rental homes allows anyone to remotely control any lock in an affected home. However, Chirp Systems, which produces the system, has ignored requests to fix the flaw.

The US cybersecurity agency CISA published a security advisory last week saying that Chirp-developed phone apps, which residents use instead of a key to access their homes, “improperly store” hard-coded credentials that could be used to remotely control any Chirp-compatible smart lock.

Applications that use passwords stored in the source code, called hardcoded credentials, pose a security risk because anyone can extract these credentials and use them to perform actions that impersonate the application. In this case, the credentials allowed anyone to remotely lock or unlock a door lock connected to Chirp over the Internet.
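A release-time check for the weakness described above, as an added example that is not from the original article or from Chirp's code: it flags string literals assigned to credential-like identifiers in app source. The class, identifier names, values, the `${` placeholder convention and the entropy threshold are all assumptions constructed for illustration.

```python
import math
import re

# Identifier names that suggest a credential is being assigned (heuristic).
SUSPECT_NAME = re.compile(r"(?i)pass(word|wd)?|secret|api_?key|token|credential")
# Matches  name = "literal"  or  name: "literal"  in Java/Kotlin/JS/JSON-style source.
ASSIGNMENT = re.compile(r"""([A-Za-z_][A-Za-z0-9_.]*)\s*[:=]\s*["']([^"']{4,})["']""")

def shannon_entropy(value):
    """Bits per character; random-looking keys score higher than words."""
    total = len(value)
    return -sum(value.count(c) / total * math.log2(value.count(c) / total)
                for c in set(value))

def find_hardcoded_credentials(source, high_entropy=3.0):
    """Return (line number, identifier, confidence); the secret itself is never stored."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, value in ASSIGNMENT.findall(line):
            if not SUSPECT_NAME.search(name):
                continue
            if value.startswith("${"):  # assumed build-time placeholder, not a literal
                continue
            # A weak literal is still a hardcoded credential, so it is kept for review.
            confidence = "high" if shannon_entropy(value) >= high_entropy else "review"
            findings.append((lineno, name, confidence))
    return findings

# Constructed sample source (hypothetical class, names and values).
SAMPLE = '''\
public class LockApiClient {
    private static final String API_PASSWORD = "q9Zt!4vLm2#Rk8xW";
    private static final String BASE_URL = "https://api.example.invalid/v1";
    private final String apiToken = System.getenv("LOCK_API_TOKEN");
    private static final String DEFAULT_PASSWORD = "changeme";
    String clientSecret = "${CLIENT_SECRET}";
}
'''

if __name__ == "__main__":
    for lineno, name, confidence in find_hardcoded_credentials(SAMPLE):
        print(f"line {lineno}: {name} is assigned a string literal ({confidence})")
```

The value read from the environment at runtime is not flagged, while both literals embedded in the source are, whatever their strength.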

In its advisory, CISA said that successful exploitation of the vulnerability “could allow an attacker to gain control and gain unrestricted physical access” to smart locks connected to the Chirp smart home system. The cybersecurity agency gave the vulnerability a severity rating of 9.1 out of a maximum of 10 for its “low attack complexity” and remote exploitability.

The cybersecurity agency said Chirp Systems didn’t respond to either CISA or the researcher who discovered the vulnerability.

Security researcher Matt Brown told veteran security journalist Brian Krebs that he notified Chirp of the security issue in March 2021, but the vulnerability remains unpatched.

Chirp Systems is one of a growing number of real estate technology firms providing rental giants with keyless access control that integrates with smart home technologies. Rental firms are increasingly forcing tenants to allow the installation of smart home equipment under their lease agreements, but it is at best unclear who takes responsibility or is held accountable when security issues arise.

Property and rental giant Camden Property Trust signed a deal in 2020 to introduce Chirp-connected smart locks in over 50,000 premises across over a hundred facilities. It is unclear whether affected facilities, such as Camden, are aware of the vulnerability or have taken action. Kim Callahan, a spokesman for Camden, didn’t respond to a request for comment.

Chirp was acquired by property management software giant RealPage in 2020, and RealPage was acquired by private equity giant Thoma Bravo later that year in a deal valued at $10.2 billion. RealPage faces several legal challenges following allegations that its rent-setting software uses secret and proprietary algorithms to help landlords raise the highest possible rents for tenants.

Neither RealPage nor Thoma Bravo has yet confirmed the vulnerabilities in the acquired software or said whether they plan to notify affected residents of the security risk.

Jennifer Bowcock, a spokeswoman for RealPage, didn’t respond to requests for comment from TechCrunch. Megan Frank, a spokeswoman for Thoma Bravo, also didn’t respond to requests for comment.

This article was originally published on techcrunch.com
