| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 Feb 2017 12:18:30 +0100
From: Matthias Deeg <matthias.deeg@...s.de>
To: <fulldisclosure@...lists.org>
Subject: [FD] [SYSS-2016-117] ABUS Secvest (FUAA50000) - Missing Protection
against Replay Attacks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2016-117
Product: ABUS Secvest (FUAA50000)
Manufacturer: ABUS
Affected Version(s): v1.01.00
Tested Version(s): v1.01.00
Vulnerability Type: Missing Protection against Replay Attacks
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-11-28
Solution Date: -
Public Disclosure: 2017-02-20
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
ABUS Secvest (FUAA50000) is a wireless alarm system with different
features.
Some of the supported features as described by the manufacturer are
(see [1]):
"
* Convenient operation via the app (Android/iOS), integrated web
browser and also at the alarm panel
* For up to 50 users with freely selectable control options
(code/chip key/remote control)
* Active intrusion protection in combination with additional mechatronic
wireless window/door locks
* Video verification of alarms via email, push notifications or via the
app
* Up to 48 individually identifiable wireless detectors, eight control
panels, 50 remote controls
* Integrated dialling device
* VdS Home certified and EN 50131-1 Level 2
* Alarm verification via the integration of up to six IP cameras
* 32 additional wireless outputs for flexible event control
* Switching to monitoring station via protocols possible
"
Due to an insecure implementation of the used 868 MHz radio
communication, the wireless alarm system ABUS Secvest is vulnerable to
replay attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
SySS GmbH found out that the radio communication protocol used by the
ABUS Secvest wireless alarm system (FUAA50000) and its remote control
(FUBE50013) is not protected against replay attacks. Therefore, an
attacker can record the radio signal of a wireless remote control, for
example using a software-defined radio, when the alarm system is
disarmed by its owner, and play it back at a later time in order to
disable the alarm system at will.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
SySS GmbH could successfully perform a replay attack as described in the
previous section using a software-defined radio and disarm an ABUS
Secvest wireless alarm system in an unauthorized way.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
SySS GmbH is not aware of a solution for this reported security
vulnerability.
For further information please contact the manufacturer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2016-11-28: Vulnerability reported to manufacturer
2016-12-05: Vulnerability reported to manufacturer again
2016-12-06: Manufacturer responded to emails
2016-12-08: Exchanged further information with manufacturer
2017-02-07: Asked manufacturer for current status concerning the
reported security issue
2017-02-20: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for ABUS Secvest wireless alarm system
https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Alarm-panels-and-kits/Secvest-Wireless-Alarm-System
[2] SySS Security Advisory SYSS-2016-117
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-117.txt
[3] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
[4] Plusminus video: Von wegen sicher - Wie leicht Alarmanlagen zu
knacken sind
http://www.daserste.de/information/wirtschaft-boerse/plusminus/videos/von-wegen-sicher-wie-leicht-alarmanlagen-zu-knacken-sind-100.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Matthias Deeg of SySS GmbH.
E-Mail: matthias.deeg (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAliqyqgACgkQ2aS/ajSt
TauDyBAAooHv0j6CNMghjO72OmILNbjUhXovwiPj4XqpQjKxb7NOxDpSzEfrKZPy
B2m2Ki6dUW52a0wBEoWec4ONAH+c1eDFBehFlhryGkSqqFGLpSKpoM4+FVL11hwO
aW4vyzAurW6QuyywreSxL+U2/TuruRZOuTaMDInUubJ41ODj4p0mEFvz0KeADy0o
qyQDDCWE3c6IPCSHy7wa98GnF8pGC+0CSDlfr2Vi1q2H/sc1hSZcxGiVN7j6A3y4
X1DqV9bEfJBIpFoIotHIenm8mBO36/N08vetH6XKGP0ZKlvkgilpSrrF9KHCkDAO
/5dmdXVvTIKYiEpUYevEUdGiaY/ZUj2Day7Z+w9t1y7TmMnKSrljTNR9Aai10lYi
06PmMeU1kLkaMvaz89lkAFT/tkqnWHgw40zGDCs1KfQyo58DUWjapKuiXsjkOUu6
4pF57dE548qDZaWyJMn/shRNHKz7l7TdZ2DqAT+WTtQ/LjTkn2rFCJJVDdzadPOh
CEm/ARctIfM8PM7cFM8xffQA4Bcwte0xh+1qQGsPfndH9dq+9Ep3HLhAv5GTCw/5
Z4OlVuTiXHTnVssh4zTBVyecHlSE6gEIl0At5wzAGr9AlKqTKNCvysH5ayMZzkhl
13jSS0RL+kEsabiNV23IeFLtKKU7fSdTrbCZFHCYpHcjCxAwjYA=
=Lm07
-----END PGP SIGNATURE-----
Download attachment "smime.p7s" of type "application/pkcs7-signature" (3954 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists