ABUS Secvest Wireless Control Device Missing Encryption ≈ Packet Storm
iSpeech.org
[*]Advisory ID: SYSS-2020-014[*]Product: ABUS Secvest Wireless Control Device (FUBE50001)[*]Manufacturer: ABUS[*]Affected Version(s): N/A[*]Tested Version(s): N/A[*]Vulnerability Type: Missing Encryption of Sensitive Data (CWE-311)[*]Risk Level: High[*]Solution Status: Open[*]Manufacturer Notification: 2020-04-03[*]Solution Date: -[*]Public Disclosure: 2020-06-17[*]CVE Reference: CVE-2020-14157[*]Authors of Advisory: Michael Rüttgers, Thomas Detert,[*]Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
ABUS Secvest Wireless Control Device (FUBE50001) is a wireless control[*]panel for the ABUS Secvest wireless alarm system.
Some of the device features as described by the manufacturer are[*](see [1]):
"[*]* Easy operation via code or proximity keyfob[*]The Secvest wireless control panel is an optional Secvest accessory.[*]Every wireless control panel can be operated from your system via PIN[*]code. It is possible to arm and disarm the panel via proximity keyfob.
* Flexible use in entrance areas[*]Up to 8 control panels can be integrated into the alarm system. These[*]additional modules can be placed in various areas of the building.[*]This provides added convenience for you, because Secvest can be armed[*]and disarmed directly on the wireless control panel, without the need[*]to go back to the central alarm panel every time.[*]In addition to internal arming or arming individual sub-areas, you can[*]also switch a single output, such as the garage door, if desired.
* Secure wireless communication[*]Thanks to a secure wireless communication procedure, this product is[*]protected against ‘replay attacks’, as are the Secvest wireless alarm[*]system and Secvest Touch alarm systems. This procedure for preventing[*]third-party tampering exceeds the requirements of the “DIN EN 50131-1[*]level 2” security standard.[*]"
Due to the missing encryption of the wireless communication, an attacker[*]is able to eavesdrop sensitive data as cleartext, for instance, used PINs[*]or proximity token IDs.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
Michael Rüttgers found out that the wireless communication of the ABUS[*]Secvest Wireless Control Device (FUBE50001) for transmitting sensitive[*]data like PIN codes or IDs of used proximity chip keys (RFID tokens) is[*]not encrypted.
This security issue is related to the insecure wireless transmission of[*]sensitive data of the ABUS Secvest remote controls FUBE50014 and[*]FUBE50015 reported back in 2018 (see SySS security advisory[*]SYSS-2018-035 [2]).
Thus, an attacker observing radio signals of an ABUS FUBE50001[*]wireless control panel is able to see all sensitive data of transmitted[*]packets as cleartext and can analyze the used packet format and the[*]communication protocol.
For instance, this security issue could successfully be exploited to[*]sniff used PIN codes and used proximity chip key IDs.
By knowing the correct PIN code or the ID of a valid ABUS Secvest[*]proximity chip key, an attacker is able to disarm the wireless alarm[*]system in an unauthorized way.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
Michael Rüttgers, Thomas Detert, and Matthias Deeg developed different[*]PoC software tools, either for the RFCat-based radio dongle YARD Stick[*]One [3] in one version, or the GreatFet One neighbor Erica [4] in another[*]one, that allowed sniffing out used PIN codes or used proximity chip key[*]IDs when eavesdropping on the FUBE50001 wireless communication.
The following output exemplarily shows a successful PIN code sniffing[*]attack:
$ python2 abus_fube50001_pin_sniffer.py[*]ABUS Secvest FUBE50001 PIN Code Sniffer PoC - SySS GmbH (c) 2020[*]by Thomas Detert, Michael Rüttgers, and Matthias Deeg[*]---[*][*] Listening for ABUS FUBE50001 packets ...[*][*] Received packet:[*]f0f352b4ccb4ccd52aab52d2acd2d34d4cb34cb333332b34d4b530f0f0f352b4ccb4ccd52aab52d2acd2d34d4cb34cb333332b34d4b530f0f0f333333333117162f5[*][*] Decoded packet : da0a077ed5c549888800626b[*][*] Received packet:[*]f0f352b4b32b4d352ad5332aab2cb34cd3332cccb4ccacb354acaaaaccccd2ab32aab54d30f0f0f352b4b32b4d352ad5332aab2cb34cd3332cccb4ccacb354acaaaa[*][*] Decoded packet : da86937707e4884040a0c8ecff005e1fb9[*][*] Detected FUBE50001 packet with FUBE50001 PIN[*][+] Sniffed PIN code: 1337[*](...)
An example of a successful sniffing attack regarding the ID of an ABUS[*]proximity chip key is illustrated in the following output:
$ python2 abus_fube50001_chip_key_id_sniffer.py[*]ABUS Secvest FUBE50001 Proximity Chip Key ID Sniffer PoC - SySS GmbH (c)[*]2020[*]by Thomas Detert, Michael Rüttgers, and Matthias Deeg[*]---[*][*] Listening for ABUS FUBE50001 packets ...[*][*] Received packet:[*]f0f352b4b332b2cad52accd554d34cb32cccd33332b34ab2cd2b2d4ad32ad2aacaacd32b30f0f0f3057c0764bf788b6ce7d0de43f6c1cb71e7374b7bd7c7a1abe567[*][*] Decoded packet: da81937707e488404018b9165b475f3c46[*][*] Detected FUBE50001 packet with proximity token ID[*][+] Sniffed proximity chip key ID: 3805964445[*](...)
The described sniffing attacks are also demonstrated in the SySS[*]Proof-of-Concept Video titled "ABUS Secvest Sniffing Attack" which is[*]available on the SySS YouTube Channel [8].
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
SySS GmbH is not aware of a solution for this reported security[*]vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2020-04-03: Vulnerability reported to manufacturer[*]2020-06-17: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for ABUS Secvest wireless control device
https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Control-devices-and-extensions/Secvest-Wireless-Control-Device[*][2] SySS Security Advisory SYSS-2018-035
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-035.txt[*][3] Product website YARD Stick One[*]https://greatscottgadgets.com/yardstickone/[*][4] GreatFET One neighbor Erica targeting the 315/433/868/915 MHz[*]freqency bands[*]https://github.com/AsFaBw/erica[*][5] GreatFET wiki[*]https://github.com/greatscottgadgets/greatfet/wiki[*][6] SySS Security Advisory SYSS-2020-014
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-014.txt[*][7] SySS GmbH, SySS Responsible Disclosure Policy[*]https://www.syss.de/en/news/responsible-disclosure-policy/[*][8] SySS Proof of Concept Video: ABUS Secvest Sniffing Attack[*]https://www.youtube.com/watch?v=kCqAVYyahLc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Michael Rüttgers and Thomas[*]Detert.
Mr. Rüttgers and Mr. Detert reported this finding to SySS GmbH where it[*]was verified and later reported to the manufacturer by Matthias Deeg.
E-Mail: matthias.deeg (at) syss.de[*]Public Key:[*]https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc[*]Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"[*]and without warranty of any kind. Details of this security advisory may[*]be updated in order to provide as accurate information as possible. The[*]latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0[*]URL: http://creativecommons.org/licenses/by/3.0/deed.en
Gloss