Research firm says popular Wi-Fi security system can be remotely disarmed by hackers

Cyber company Rapid7 said it has found vulnerabilities in a Wi-Fi connected security system, saying the system has an unauthenticated API and an unencrypted radio signal that can be easily intercepted.

Together, Rapid7 said these vulnerabilities with a system called the Fortress S03, which uses Wi-Fi to connect cameras, motion sensors and sirens, can be exploited, allowing bad actors or non-owners to disarm the security system.

Rapid7 says it made these details public after not hearing from Fortress in three months, the standard window of time that security researchers give companies to fix bugs before details are made public. Rapid7 said its only acknowledgment of its email was when Fortress closed its support ticket a week later without commenting.

TechCrunch reported receiving an email from Bottone Reiling, a Massachusetts law firm representing Fortress, called the claims “false, purposely misleading and defamatory."

Rapid7 reported that the technology's unauthenticated API can be remotely queried over the internet without the server checking if the request is legitimate. The researchers say that by putting in a system owner's email address, the server would return the device’s IMEI, which could then be used to remotely disarm the system.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.