[SYSS-2018-034]: ABUS Secvest - Rolling Code - Predictable from- Observable State (CWE-341)

From: matthias.deeg@syss.de
To: bugtraq@securityfocus.com
Cc:
Subject: [SYSS-2018-034]: ABUS Secvest - Rolling Code - Predictable from- Observable State (CWE-341)
Date:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2018-034
Product: ABUS Secvest (FUAA50000)
Manufacturer: ABUS
Affected Version(s): v3.01.01
Tested Version(s): v3.01.01
Vulnerability Type: Rolling Code - Predictable from Observable State (CWE-341)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2018-11-21
Solution Date: -
Public Disclosure: 2019-03-25
CVE Reference: CVE-2019-9863
Authors of Advisory: Matthias Deeg (SySS GmbH), Thomas Detert

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ABUS Secvest (FUAA50000) is a wireless alarm system with different
features.

Some of the supported features as described by the manufacturer are 
(see [1]):

"
* Convenient operation via the app (Android/iOS), integrated web
  browser and also at the alarm panel
* For up to 50 users with freely selectable control options
  (code/chip key/remote control)
* Active intrusion protection in combination with additional mechatronic
  wireless window/door locks
* Video verification of alarms via email, push notifications or via the
  app
* Up to 48 individually identifiable wireless detectors, eight control
  panels, 50 remote controls
* Integrated dialling device
* VdS Home certified and EN 50131-1 Level 2
* Alarm verification via the integration of up to six IP cameras
* 32 additional wireless outputs for flexible event control
* Switching to monitoring station via protocols possible
"

Due to the use of an insecure algorithm for rolling codes, an attacker
is able to predict valid future rolling codes and can thus remotely
control the ABUS Secvest wireless alarm system in an unauthorized way.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Thomas Detert found out that the rolling codes implemented as replay
protection (see SySS security advisory SYSS-2016-117 [2]) in the radio
communication protocol used by the ABUS Secvest wireless alarm system
(FUAA50000) and its remote control (FUBE50014, FUB50015) is
cryptographically weak. Thus, an attacker observing the unencrypted radio
signals of an ABUS FUBE50014 or FUBE50015 wireless remote control
(see SySS security advisory SYSS-2018-035 [6]) is able to deduce the
implemented rolling code algorithm and to correctly predict valid future
rolling codes.

This enables an attacker to remotely control affected wireless alarm
systems in an unauthorized manner, for instance disarming the wireless
alarm system at will.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Thomas Detert developed a Teensy-based PoC tool using a CC1101 sub-1GHz
transceiver that allows disarming the alarm system in an unauthorized
way. He provided his tool including documentation and source to SySS
GmbH for responsible disclosure purposes. 

SySS GmbH could successfully perform a disarming attack against an ABUS
Secvest wireless alarm system by exploiting the unencrypted signal
transmission of the ABUS Secvest wireless remote controls FUBE50014 and
FUBE50015 and the predictable rolling code implementation using either
Mr. Detert's PoC tool, a developed Python tool for the RFCat-based radio
dongle YARD Stick One (see [3]), or a eZ430-Chronos (see [4]) with a
specially developed firmware.

Successful disarming attacks against an ABUS Secvest wireless alarm
system are shown in our SySS proof-of-concept video "ABUS Secvest
Rolling Code PoC Attack" [8].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for this reported security
vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-11-21: Vulnerability reported to manufacturer
2018-11-28: Vulnerability reported to manufacturer once more
2018-12-12: E-mail to ABUS support asking if they are going to give
            some feedback regarding the reported security issue
2018-12-12: Phone call with ABUS support, the reported security
            advisories were forwarded to the ABUS Security Center
            Support
2018-12-12: E-mail to ABUS Security Center Support asking if they are
            going to give some feedback regarding the reported security
            issue
2019-01-14: Updated information regarding remote control ABUS Secvest
            FUBE50015
2019-03-25: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ABUS Secvest wireless alarm system
    https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Alarm-panels-and-kits/Secvest-Wireless-Alarm-System
[2] SySS Security Advisory SYSS-2016-117
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-117.txt
[3] Product website YARD Stick One
    https://greatscottgadgets.com/yardstickone/
[4] Product website for Texas Instruments eZ430-Chronos
    http://www.ti.com/tool/EZ430-CHRONOS
[5] SySS Security Advisory SYSS-2018-034
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-034.txt
[6] SySS Security Advisory SYSS-2018-035
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-035.txt
[7] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[8] SySS Proof-of-Concept Video: ABUS Secvest Rolling Code PoC Attack
    https://youtu.be/pSdsMVn-7gM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thomas Detert.

Mr. Detert reported his finding to SySS GmbH where it was verified and
later reported to the manufacturer by Matthias Deeg.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAlyUoKcACgkQ2aS/ajSt
Tav+OBAAnJ6Vb6DVHhNWevqYKGjdn5eIIIHcfIrwe4bzKbXusNIVK9okNNkZT9i+
hRZfVSFR21uyamh950qNujjizNhGUnD3mezPx5ep0R7tPxhwcp67kgVjRef4PNEE
p1rbhVFKKWlR4ygcmsAeKnnHQTGUK9UlYBlTt2RpPh4OCCRikPW0RuwfYuAxrvug
kDpWV/XA2DivteL68jDYzCdXHG2toph1FGmfv5CTx0NiyKD/XSm952c17z/D78Qz
AHvJT+xVMyZoUWqhSWHbwS+byBzVaXM2C3/89FBJ0YgolmrL1k8GvbYGe5fVlbBa
+PcHpp2yRbhuDgANCdLGEvWMCaflbqUPZN/xyaySF5HaKmpULvU44QEtg9CjDKNv
m0yyZDWaBAUMb574MsBZNAnFmyWPFuq1wd/hM5oxLoUyu6nbBlsLcpH/3E0LbJL0
ifNvk9KTsrvOItAV1fQl7/ccNcAeI+DB2yz44gtDaHjHvYCFjEHaQvws5a9L0PIF
XYRuHI+BNNIIi2KwivpnR316MA2MgE0hEny708sdS879qP1eZ5gDXcrVvUPFDsbA
DRH66TVPmoi2HMkKn95/PVLgqAYH0QFlGs3RkT+t7QS1K0gVCude4sTtxZFpT1A/
oxl2o8Kn4YhBDXvT9tUs1vaBFMO46MCgKF4yx3adPCRqK7twhiY=
=eZ14
-----END PGP SIGNATURE-----





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.