Your Smart Lock May be Hacked! CISA Warns About “Low Complexity” Attack


On March 7, 2024, an alert concerning a cybersecurity vulnerability in Chirp Systems’ product, Chirp Access, was issued.

Chirp-based locks are common in commercial settings, including apartment complexes and condos. These are Yale smart locks, running software managed by the smart lock vendor August.com. In 2020, roughly 50,000 Chirp smart lock units were in use. That number is believed to be larger now.

The affected products are all versions of Chirp Access, which are used in the commercial facilities sector and have been deployed worldwide. Chirp Systems, headquartered in the United States, has not yet collaborated with the Cybersecurity and Infrastructure Security Agency (CISA) to mitigate this vulnerability.

Researcher Matt Brown, with Amazon’s Web Services team, found and reported the vulnerability to Chirp in 2021. He also reported the vulnerability to CISA. The vulnerability, identified as CVE-2024-2197, has been given a CVSS v3.1 base score of 9.1, indicating a high severity level.

Chirp has hard-coded credentials within the product’s code, which could allow an attacker to unlock the smart lock. An attacker needs to retrieve the credentials only once and can then use them to connect to any Chirp-supported lock and unlock it.

Since this attack is easy to execute and allows the attacker to unlock the lock, mitigation steps involve disabling the lock or making sure that the lock is not accessible from the internet.

There has been no reported public exploitation of this specific vulnerability, and organizations are encouraged to report any suspicious activity to CISA. Users of Chirp Access are recommended to contact Chirp Systems support for further information. For more details, view CISA’s report here.
