US government downgrades bug in Chirp Systems app that contained hardcoded password

A vulnerability in a smart access control system used in thousands of U.S. rental homes went unfixed for years because Chirp Systems, the company that makes the system, ignored requests to fix the flaw.

U.S. cybersecurity agency CISA went public with a security advisory last month saying that the phone apps developed by Chirp, which residents use in place of a key to access their homes, "improperly stores" hardcoded credentials.

The agency has since downgraded its assessment, ruling out that the hardcoded credentials could have allowed remote control of any Chirp-compatible smart lock.

CISA's advisory now says that an attacker within Bluetooth range could use the hardcoded password — which was "BEACON_PASSWORD" — to block the app's ability to notify users when they are near a Bluetooth-enabled lock.

Chirp Systems said in a statement that the vulnerability could not be used to "take control of and gain unrestricted physical access to locks, doors, or gates managed by Chirp Systems."

Apps that rely on passwords stored in the source code, known as hardcoding credentials, can be a security risk because anyone can extract and use those credentials to perform actions that impersonate the app.

CISA said it went public because Chirp Systems had not responded to either CISA or the researcher who found the vulnerability.

Security researcher Matt Brown told veteran security journalist Brian Krebs that he notified Chirp of the security issue in March 2021 but that the vulnerability went unfixed.

Chirp Systems is one of a growing number of companies in the property tech space that provide keyless access controls that integrate with smart home technologies to rental giants. Rental companies are increasingly forcing renters to allow the installation of smart home equipment as dictated by their leases, but it's murky at best who takes responsibility or ownership when security problems arise.

Real estate and rental giant Camden Property Trust signed a deal in 2020 to roll out Chirp-connected smart locks to more than 50,000 units across over a hundred properties. Kim Callahan, a spokesperson for Camden, did not respond to a request for comment.

Chirp was bought by property management software giant RealPage in 2020, and RealPage was acquired by private equity giant Thoma Bravo later that year in a $10.2 billion deal. RealPage is facing several legal challenges over allegations its rent-setting software uses secret and proprietary algorithms to help landlords raise the highest possible rents on tenants.

Jennifer Bowcock, a spokesperson for RealPage, referred TechCrunch to its published statement but did not answer our questions. Megan Frank, a spokesperson for Thoma Bravo, did not respond to requests for comment.

Updated on May 2 with new information from CISA downgrading the vulnerability, including a statement from Chirp Systems. This story also has a new headline to reflect the changes.