Merry Christmas.

---------------------------------------------------------------------

http://www.modzero.ch/advisories/MZ-14-01-Ekahau-RTLS.txt

---------------------------------------------------------------------

modzero  Security  Advisory: Vulnerabilities  in  Ekahau
Real-Time Location System [MZ-14-01] - CVE-ID: CVE-2014-2716

-----------------------------------------------------------------v1.3

Table of Contents

1. Timeline
2. Summary
3. Vulnerabilities
4. Recommendations
5. Vendor Response
6. Credits
7. About modzero
8. References
9. Disclaimer

Vendor: Ekahau, Inc., Helsinki [1]
Products known to be affected: Ekahau Real-Time Location System [2]

The following products were used  during the security analysis. Other
versions are likely to be affected as well:

* Ekahau B4 staff badge tag hardware rev 5.7, firmware rev 1.4.52 [3]
* Ekahau RTLS Controller version 6.0.5-FINAL
* Ekahau Activator 3 software [4]

---------------------------------------------------------------------

1. Timeline

---------------------------------------------------------------------

* 2014-03-04: Advisory sent to the vendor
* 2014-03-13: Vendor acknowledged the initial contact
* 2014-04-01: Vendor did not provide timeline
* 2014-04-02: modzero sends a preliminary summary to MITRE
* 2014-04-03: CVE received and added: CVE-2014-2716
* 2014-10-23: modzero releases the comprehensive security advisory to
              the public
* 2014-12-15: Full release of the advisory to the public

---------------------------------------------------------------------

2. Summary

---------------------------------------------------------------------

Ekahau's  real-time  location  tracking  uses  battery-powered  Wi-Fi
tokens to  track assets or  staff. Signal measurements (RSSI)  of the
802.11-based  Wi-Fi communication  are processed  in the  Ekahau RTLS
software component, which calculates the exact position of the token.
Depending  on   the  token-model  that  is   being  used,  additional
information can  be exchanged  (e.g. alarm events  from the  token or
custom  text  messages could  be  sent).  According to  the  vendor's
website,  the solution  is used  in hospitals  and schools  as "panic
buttons"  and  should  simplify  workflows, due  to  the  ability  to
precisely  track  persons  and  items.  The  solution  only  supports
Pre-Shared-Key  (PSK) based  radio  transport  layer encryption  WPA2
schemes, every  person with access to  a token can get  access to the
radio keys  within a tag's EEPROM  to gain access to  the network and
sniff Ekahau data  packets. As there is no easy  way of key rotation,
it is assumed that the key is known to a large amount of individuals.

modzero found that the encryption used in Ekahau's Real-Time Location
System messages suffers  from severe weaknesses. An  attacker is able
to  read and  generate  arbitrary messages  including button  events,
text/alarm messages or sending reconfiguration events.


---------------------------------------------------------------------

3. Vulnerabilities


3.1. RC4 Cipher Stream Reuse
----------------------------

Severity: high

The  message payload  of the  affected solution  is always  encrypted
using  the  same RC4  cipher  stream.  When combining  two  encrypted
messages with  an XOR operation,  the cipher stream will  cancel out.
With this, an  attacker is able to recover the  bitwise difference of
two plain texts.

Encryption of two messages m1 and  m2 using the same cipher stream s,
resulting in two ciphertexts c1 and c2. s is a pseudo-random sequence
of bytes, generated using the RC4 algorithm:

    c1 = m1 XOR s
    c2 = m2 XOR s

An attacker is  able to record the ciphertexts c1  and c2 and combine
them in an XOR operation. This reveals all bits, where the plaintexts
m1 and m2 differ:

      c1 XOR c2
    = (m1 XOR s) XOR (m2 XOR s)
    = (m1 XOR m2) XOR (s XOR s)
    = m1 XOR m2


3.2. Weak Key Derivation
------------------------

Severity: high

The 128  bit RC4 key  used in the  Ekahau setup is  trivially derived
from the  three least significant bytes  of the MAC address.  The key
derivation scheme  can be  recovered from publicly  available program
code [4] or any Ekahau tag's EEPROM.

According  to  the IEEE  802.11  standard  [5],  the MAC  address  is
required to be  publicly transported in clear text  within the 802.11
MAC headers.  An attacker  capable of  sniffing the  wireless network
(independant  of  its  encryption  state) is  able  to  extract  this
information.  Using  the   gathered  MAC  address,  he   is  able  to
immediately reconstruct the employed RC4 key in the following way:

    prefix = "*ixpiyacoc"
    mac[3:5] = three least significant bytes of the MAC address
    suffix = "+*+"
    key =  prefix | mac[3:5] | suffix

The effective key entropy is only 24 bit, thus even a key recovery by
brute-force search would be possible in a short amount of time if the
MAC address is unknown.

---------------------------------------------------------------------

4. Recommendations

---------------------------------------------------------------------

It is recommended that Ekahau corrects their implementation to ensure
message   confidentiality,   authenticity   and  integrity.   it   is
recommended to protect  secret information and prevent  access to key
material on  all levels.  Static PSK  based radio  encryption without
automated key rotation is not recommended.


---------------------------------------------------------------------

5. Vendor Response

---------------------------------------------------------------------

Qualified  vendor response  pending.  Vendor  protects the  activator
download [4]  with a login  & password.  The software might  still be
available from other sources.

---------------------------------------------------------------------

6. Credits

---------------------------------------------------------------------

  * David Gullasch (dagu (_at_) modzero.ch)
  * Max Moser (mmo (_at_) modzero.ch)

---------------------------------------------------------------------

7. About modzero

---------------------------------------------------------------------

The  independent  Swiss  company  modzero  AG  assists  clients  with
security analysis  in the complex  areas of computer  technology. The
focus  lies  on  highly  detailed  technical  analysis  of  concepts,
software  and  hardware components  as  well  as the  development  of
individual solutions.  Colleagues at  modzero AG work  exclusively in
practical, highly  technical computer-security areas and  can draw on
decades  of experience  in  various platforms,  system concepts,  and
designs.

http://modzero.ch
info@modzero.ch

---------------------------------------------------------------------

8. References

---------------------------------------------------------------------

[1] http://www.ekahau.com/
[2] http://www.ekahau.com/real-time-location-system/solutions
[3] http://www.ekahau.com/userData/ekahau/documents/datasheets/
    B4_datasheet_letter.pdf
[4] http://sw.ekahau.com/download/activator/

---------------------------------------------------------------------

9. Disclaimer

---------------------------------------------------------------------

The information  in the advisory  is believed  to be accurate  at the
time of publishing  based on currently available  information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with  regard to this information. Neither the
author  nor  the publisher  accepts  any  liability for  any  direct,
indirect, or  consequential loss  or damage arising  from use  of, or
reliance on, this information.