Unlocking Disaster: 50,000 Homes at Risk Due to Chirp Smart Lock Flaw

Forget picking locks, hackers just need the secret code from Chirp’s smart locks to waltz into 50,000 homes. Talk about an open-door policy! #SmartLockSnafu

Hot Take:

Who needs a battering ram when you’ve got hardcoded credentials? Chirp Systems’ smart locks seem to have taken the ‘open sesame’ concept a bit too literally, granting potential digital skeleton keys to cyber ne’er-do-wells. And with RealPage, Inc. potentially playing Monopoly with actual apartments, one wonders if their ‘Go directly to jail’ card is just around the corner.

Key Points:

  • 50,000 dwellings in the US could be playing unintentional open house due to Chirp Systems smart locks’ vulnerabilities.
  • Hard-coded credentials in the locks could allow remote access because someone thought a digital ‘Hide-A-Key’ rock was a good security measure.
  • The US Cybersecurity & Infrastructure Security Agency (CISA) rates this blunder a 9.1 on the ‘badness’ meter.
  • Chirp Systems might be ghosting CISA better than a Tinder match you wish you never swiped right on.
  • RealPage, Inc., Chirp’s parent company, is simultaneously getting its knuckles rapped for allegedly treating the housing market like a game of Risk.

Need to know more?

Locks of Lament

Imagine the surprise of 50,000 households when they find out that their smart locks are about as smart as a pet rock. In a modern twist on the Trojan Horse tale, these locks come with a hidden gift for hackers: hard-coded credentials, which is basically a fancy term for "Oops, we left the backdoor key under the mat for everyone to find!"

CISA's Can of Critique

CISA, not known for sending out 'just because' greeting cards, has issued a stern warning that basically says, "Y'all need to fix this, like yesterday." They've given this security gaffe a 9.1 CVSS score, which in layman's terms means "Really, really not good." But Chirp Systems, in a bold move, seems to be testing the 'silent treatment' as a business strategy. Spoiler alert: It's not a great one.

Amazonian Discovery

Enter Matt Brown, an Amazon Web Services engineer who probably never expected his apartment security to become his side project. After being told to install the Chirp app to enter his own abode, he discovered the vulnerability faster than you can say "Alexa, unlock my door." He reported it to Chirp in March 2021, but apparently, they've been too busy not responding to get back to him.

The Parent Trap

Meanwhile, Chirp's parent company, RealPage, Inc., is seemingly competing for the 'Least Popular Landlord' award. They've been accused of colluding with landlords to do the rent hike hokey pokey, which is a dance nobody enjoys. With multiple states suing them, one does wonder if they'll be changing their locks soon—preferably to something a tad more secure.

Locksmiths, Assemble!

So where do we go from here? If you're one of the lucky 50,000 with a Chirp smart lock, you might be considering a good old-fashioned deadbolt. As for Chirp and RealPage, Inc., it might be time to consider that silence isn't always golden, especially when the cat's out of the bag and that cat knows your locks better than you do.

Tags: Chirp Systems flaw, CISA alert, CVSS Rating, Hard-Coded Credentials, Matt Brown discovery, RealPage legal issues, smart locks vulnerability