Chirp smart locks vulnerable to unauthorized access due to hardcoded secrets
Take action: As a user of "smart devices", consider whether you want to use them because their security is not stellar. Mechanical locks are useful, don't avoid them. As a developer, avoid hardcoding secrets, because it's just wrong and exposes your product to exploits.
Learn More
Chirp Systems, a provider of smart lock technology has a serious vulnerability in its Android software. The flaw, involves hard-coded passwords and private keys within Chirp's Android application, which could potentially allow unauthorized remote access to Chirp-controlled locks.
The hard-coded credentials in the Chirp's Android app can be used to interface with an API maintained by the smart lock supplier and could allow an unauthorized user to remotely unlock doors fitted with Chirp-powered smart locks.
Despite its severity, there are no known instances of the vulnerability being exploited, partly due to limited public knowledge. Chirp has updated its Android app which reportedly included "bug fixes and improved stability," though it is unclear if this update fully resolves the vulnerability and whether the hardcoded credentials from the previous version are revoked.
Chirp also offers an NFC-based key as an alternative to the app, but this method transmits credentials in plaintext, which presents another security risk.
For individuals using Chirp’s smart lock systems, it is recommended to employ additional physical security measures, such as traditional locks, until it is confirmed that the vulnerabilities have been fully addressed.
