The US government has warned that smart locks protecting an estimated 50,000 homes across the country contain hard-coded credentials that can be used to open the locks remotely. Via Krebs on Security: Chirp Systems, the lock's maker, remains unresponsive despite first being notified of the critical vulnerability in March 2021. Meanwhile, Chirp's parent company, RealPage, is being sued by several U.S. states for allegedly colluding with landlords to illegally raise rents. On March 7, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that Chirp Systems' smart locks have a remotely exploitable vulnerability with “low attack complexity.”
CISA's warning says that “Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access,” and the bug was given a CVSS score of 9.1 (out of 10). “Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability,” the warning said. Matt Brown, the researcher CISA credited with reporting the flaw, is a senior system development engineer at Amazon Web Services. Brown said he discovered the vulnerability and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp's app to enter and exit their apartments.