Thomas Detert found out that the claimed "Encrypted signal transmission" of the Secvest wireless remote control FUBE50014 is not present and that the implemented rolling codes are predictable. By exploiting these two security issues, an attacker can simply desynchronize a wireless remote control by observing the current rolling code state, generating many valid rolling codes, and use them before the original wireless remote control. The Secvest wireless alarm system will ignore sent commands by the wireless remote control until the generated rolling code happens to match the window of valid rolling code values again. Depending on the number of used rolling codes by the attacker, a resynchronization without actually reconfiguring the wireless remote control could take quite a lot of time and effectless button presses. SySS found out that the new ABUS Secvest remote control FUBE50015 is also affected by this security vulnerability.
1af146c7db6df9a5a723c3e54422b6a1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2018-036
Product: ABUS Secvest Remote Control (FUBE50014, FUBE50015)
Manufacturer: ABUS
Affected Version(s): n/a
Tested Version(s): n/a
Vulnerability Type: Denial of Service - Uncontrolled Resource Consumption (CWE-400)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2018-11-21
Solution Date: -
Public Disclosure: 2019-03-25
CVE Reference: CVE-2019-9860
Authors of Advisory: Matthias Deeg (SySS GmbH), Thomas Detert
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
ABUS Secvest FUBE50014 and FUBE50015 are wireless remote controls for
the ABUS Secvest wireless alarm system.
Some of the device features as described by the manufacturer are
(see [1]):
"
* User-friendly remote control with easily identifiable symbols
* Features arm, disarm and status query keys
* 8 LEDs provide an overview and display current system status
* Button for custom configuration available (Secvest wireless alarm
system only)
* Optional manual panic alarm available (Secvest wireless alarm system
only)
* Encrypted signal transmission
* Rolling Code
Thanks to the rolling code process this product is protected against
so-called replay attacks. All controlling signals between this product
and the Secvest alarm panel are in individualised and thus, are not
able to be reproduced by third parties. This process is protected
from third party tampering, and exceeds the requirements of the
DIN EN 50131-1 level 2 security standard.
"
Due to unencrypted signal communication and predictability of rolling
codes, an attacker can "desynchronize" an ABUS Secvest wireless remote
control regarding its controlled Secvest wireless alarm system, so that
sent commands by the remote control are not accepted anymore.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
Thomas Detert found out that the claimed "Encrypted signal transmission"
of the Secvest wireless remote control FUBE50014 is not present (see
SySS security advisory SYSS-2018-035 [2]) and that the implemented
rolling codes are predictable (see SySS security advisory SYSS-2018-034
[3]).
By exploiting these two security issues, an attacker can simply
desynchronize a wireless remote control by observing the current rolling
code state, generating many valid rolling codes, and use them before the
original wireless remote control.
The Secvest wireless alarm system will ignore sent commands by the
wireless remote control until the generated rolling code happens to
match the window of valid rolling code values again. Depending on the
number of used rolling codes by the attacker, a resynchronization
without actually reconfiguring the wireless remote control could take
quite a lot of time and effectless button presses.
SySS found out that the new ABUS Secvest remote control FUBE50015 is
also affected by this security vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
Thomas Detert developed a Teensy-based PoC tool using a CC1101 sub-1GHz
transceiver that allows disarming the alarm system in an unauthorized
way. He provided his tool including documentation and source to SySS
GmbH for responsible disclosure purposes.
Based on Mr. Detert's PoC tool, SySS GmbH developed a Python tool for
the RFCat-based radio dongle YARD Stick One (see [4]) for demonstrating
this simple denial-of-service (DoS) attack against the ABUS Secvest
wireless remote controls FUBE50014 and FUBE50015. This tool simply
generates many valid rolling codes based on the current observed state
and uses them resulting in desynchronizing the original wireless remote
control.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
SySS GmbH is not aware of a solution for this reported security
vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2018-11-21: Vulnerability reported to manufacturer
2018-11-28: Vulnerability reported to manufacturer once more
2018-12-12: E-mail to ABUS support asking if they are going to give
some feedback regarding the reported security issue
2018-12-12: Phone call with ABUS support, the reported security
advisories were forwarded to the ABUS Security Center
Support
2018-12-12: E-mail to ABUS Security Center Support asking if they are
going to give some feedback regarding the reported security
issue
2019-01-14: Updated information regarding remote control ABUS Secvest
FUBE50015
2019-03-25: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for ABUS Secvest wireless remote control
https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Control-devices-and-extensions/Secvest-Wireless-Remote-Control2
[2] SySS Security Advisory SYSS-2018-035
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-035.txt
[3] SySS Security Advisory SYSS-2018-034
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-034.txt
[4] Product website YARD Stick One
https://greatscottgadgets.com/yardstickone/
[5] SySS Security Advisory SYSS-2018-036
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-036.txt
[6] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Thomas Detert.
Mr. Detert reported his finding to SySS GmbH where it was verified and
later reported to the manufacturer by Matthias Deeg.
E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAlyUoMMACgkQ2aS/ajSt
TatXPw/8CKe79eTckW/tXs4iIXP3hRTwy3+doB5r92txbd5OkayGRvfY6nGLX+LB
naael/ZimlLq6QfNZsMiFli1+L9PS3IB52Suo2w7thHcTvz+fPJVfMt0fTkeGTvX
mTfm8/ZsQ1vH0uU2EccwL5aVatiVHzuowJd6yv9afWBQ+ci8fShFmm7FGgfeCWoP
Z3iOfttXlpPNMUsk9gMum+UeyqBsGSj0KjJxy3Cuugz783IPB+hdDWLPigmdtZPO
chO7jEC6JXQJXt5UK/F8CdSZ1xF1NhfpQ9NvzvIBeEMy7V19S3EUnsow88i8HOSL
pkRtISvp98QHfomJMCUUXRe6DSnXFyVy416zgw753610vCvlVH9pgKZ2JlyHragA
YKSbadah2qqmYOm6Z7NMuXVNA+TqNh70u14IOl1bdr+Gp1nbvdcORMdU0aoBZfO+
KdyVBbeZgOQ9jOFs8dZzzMCuCx3eMsby4Ynwwnuu/YS4j1fwaK6l+G+nOEHLzc+J
U2txKilfISr3kupFj/UBYzd7AjHul7C7Uu8LzI/HcAWSlv/zwtc0PiluAjFV1C7x
pyaICS9AISt4YzNXUyH/bm2NkehxXz6lMnvJ4j8jvJJbdbvlgyhnKXovZMzRlN8Y
0WLRQtlTx/zYjZyD+qw5/L53qx3An0OYBVLLYFduU9FgZbgnbnM=
=Zb9J
-----END PGP SIGNATURE-----