Chirp Systems / Chirp Access smart-lock app hardcoded credentials (CVE-2024-2197)

Assessment

CFSE Consequence Paths assesses Chirp Systems / Chirp Access smart-lock app hardcoded credentials (CVE-2024-2197) at HIGH — the worst of 2 risk paths (authority, safety). The dominant consequence is privileged account or control authority.

Vulnerability

Chirp Systems / Chirp Access smart-lock app hardcoded credentials (CVE-2024-2197). Reported attack vector: Adjacent (Bluetooth range, ~30m) per the revised NVD assessment; initial CISA claim alleged network/remote unlock but was retracted.

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.

ACCOUNT_AUTHORITY → HIGH

CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:3/EC:4/EX:3/PH:2/DP:3/AT:2/CH:3/SR:4/SX:3/OR:4/EV:2/LS:MITIGATED

Exposure EX=3 (reachability-bound) · bands PH=HIGH · DP=HIGH · AT=HIGH → base HIGH · uplift recall-class recovery → assessed HIGH.

Hardcoded BEACON_PASSWORD (CWE-259/798) is embedded in the public Chirp Access app; an attacker downloads the app and extracts the static credential (RE:3 own-artifact, not physical; EC:4 trivial). The secret is a shared credential authenticating to beacon/back-end functions (DP:3 credential/firmware-tier secret). Confirmed authority is bounded to beacon config functions, not admin/fleet control, so AT:2. SR:4: one secret shared across all installs, fully portable. SX:3: knowledge is deployment-wide but turning it into effect still needs proximity, so not true remote fleet-scale (not 4). CH:3 bridges app->credential->device-config boundary. OR:4: remediation requires app/firmware update to rotate the embedded secret across the install base and vendor was unresponsive. EV:2 report-backed.

DEVICE_CONTROL_SAFETY → HIGH

CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:3/EX:2/PH:2/DP:3/AT:2/CH:2/SR:4/SX:2/OR:4/EV:2/LS:MITIGATED

Exposure EX=2 (reachability-bound) · bands PH=ELEVATED · DP=HIGH · AT=ELEVATED → base HIGH · uplift recall-class recovery → assessed HIGH.

• Confirmed consequence per revised NVD/CISA (CVSS AV:A, I:L): an attacker within Bluetooth range (~30m) uses the hardcoded credential to modify Bluetooth beacon configuration, e.g. disabling proximity-unlock notifications on a smart-lock/keyless-entry system. RE:2 BLE/proximity. EC:3 standard once positioned. AT:2 bounded config control of one beacon, not lock-command/admin authority (the disputed remote-unlock claim was retracted, so not AT:3+/PH:4). PH:2: degrades a physical access-control convenience feature / availability of proximity unlock, no confirmed severe harm.
• perception_feeds_action — false: beacon config change does not drive a safety-relevant actuation in the confirmed scope. DP:3 config/operational integrity of an access-control device. SR:4 same shared secret enables this on any install. SX:2 per-device proximity needed. CH:2 crosses app->BLE->device boundary. OR:4 fix requires fleet-wide app/firmware update; vendor unresponsive. EV:2 report-backed; disputed higher-impact unlock scenario excluded to avoid inflation.

Published baseline

• v4.0 2.3 LOW — CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X — CISA/ICS-CERT via NVD
• v3.1 4.3 MEDIUM — CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N — CISA/ICS-CERT via NVD

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.

Sources

• NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2197