ABUS Secvest 3.01.01 Unchecked Message Transmission Error Condition

Thomas Detert found out that the jamming detection of the ABUS alarm central does not detect short jamming signals that are shorter than normal ABUS RF messages. Thus, an attacker is able to perform a "reactive jamming" attack. The reactive jamming simply detects the start of a RF message sent by a component of the ABUS Secvest wireless alarm system, for instance a wireless motion detector (FUBW50000) or a remote control (FUBE50014 or FUBE50015), and overlays it with random data before the original RF message ends. Thereby, the receiver (alarm central) is not able to properly decode the original transmitted signal. This enables an attacker to suppress correctly received RF messages of the wireless alarm system in an unauthorized manner, for instance status messages sent by a detector indicating an intrusion. Version 3.01.01 is affected.


MD5 | 76815f6211ebd7667925f44206c9f69c

Advisory ID: SYSS-2019-004
Product: ABUS Secvest (FUAA50000)
Manufacturer: ABUS
Affected Version(s): v3.01.01
Tested Version(s): v3.01.01
Vulnerability Type: Message Transmission - Unchecked Error Condition
(CWE-391)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-03-02
Solution Date: -
Public Disclosure: 2019-07-26
CVE Reference: CVE-2019-14261
Authors of Advisory: Matthias Deeg (SySS GmbH), Thomas Detert

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ABUS Secvest (FUAA50000) is a wireless alarm system with different
features.

Some of the supported features as described by the manufacturer are
(see [1]):

"
* Convenient operation via the app (Android/iOS), integrated web
browser and also at the alarm panel
* For up to 50 users with freely selectable control options
(code/chip key/remote control)
* Active intrusion protection in combination with additional mechatronic
wireless window/door locks
* Video verification of alarms via email, push notifications or via the
app
* Up to 48 individually identifiable wireless detectors, eight control
panels, 50 remote controls
* Integrated dialling device
* VdS Home certified and EN 50131-1 Level 2
* Alarm verification via the integration of up to six IP cameras
* 32 additional wireless outputs for flexible event control
* Switching to monitoring station via protocols possible
"

Due to an insufficient implementation of the jamming detection, an
attacker is able to suppress correctly received RF messages sent between
wireless peripheral components, for example wireless detectors or remote
controls, and the ABUS Secvest alarm central.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Thomas Detert found out that the jamming detection of the ABUS alarm
central does not detect short jamming signals that are shorter than
normal ABUS RF messages.

Thus, an attacker is able to perform a "reactive jamming" attack. The
reactive jamming simply detects the start of a RF message sent by a
component of the ABUS Secvest wireless alarm system, for instance a
wireless motion detector (FUBW50000) or a remote control (FUBE50014 or
FUBE50015), and overlays it with random data before the original RF
message ends. Thereby, the receiver (alarm central) is not able to
properly decode the original transmitted signal.

This enables an attacker to suppress correctly received RF messages of
the wireless alarm system in an unauthorized manner, for instance status
messages sent by a detector indicating an intrusion.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Thomas Detert developed a Teensy-based PoC tool using a CC1101 sub-1GHz
transceiver that allows suppressing arming the alarm system in an
unauthorized way. He provided his tool including documentation and
source to SySS GmbH for responsible disclosure purposes.

SySS GmbH could successfully perform the described reactive jamming attack
against an ABUS Secvest wireless alarm system. RF messages sent by the
configured ABUS Secvest components FUBE50015 (remote control), FUBW50000
(motion detector), and FUMK50000W (magnetic contact detector) were
successfully suppressed and no alarm was triggered.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for this reported security
vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-03-02: Vulnerability reported to manufacturer
2019-07-26: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ABUS Secvest wireless alarm system

https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Alarm-panels-and-kits/Secvest-Wireless-Alarm-System
[2] SySS Security Advisory SYSS-2019-004

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-004.txt
[3] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thomas Detert.

Mr. Detert reported his finding to SySS GmbH where it was verified and
later reported to the manufacturer by Matthias Deeg.

E-Mail: matthias.deeg (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en


Related Posts