what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Uhlmann And Zacher Clex Insufficient Integrity Checks

Uhlmann And Zacher Clex Insufficient Integrity Checks
Posted Jan 2, 2016
Authored by Ralf Spenneberg, Hendrik Schwartke

Uhlmann and Zacher Clex prime locking systems using 125 kHz EM4450 transponders suffer from having insufficient integrity checks.

tags | advisory
SHA-256 | daca1134ee0122b60473b3eb96d21505b1bbe82dfa2c1dd7013a416f61106342

Uhlmann And Zacher Clex Insufficient Integrity Checks

Change Mirror Download
OS-S Security Advisory 2016-01

Date: January 1st, 2016
Updated: January 1st, 2016
Authors: Hendrik Schwartke, Ralf Spenneberg
CVE: Not yet assigned
CVSS: 6.2 (AV:L/AC:L/Au:S/C:C/I:C/A:N)
Title: Insufficient integrity checks in Uhlmann & Zacher Clex prime locking
systems using 125 kHz EM4450 transponders
Severity: Critical. The locking permissions may be arbitrarily manipulated and
Ease of Exploitation: Trivial
Vulnerability: Insufficient integrity protection
Product: U&Z Clex prime locking system using 125 kHz EM4450 transponder

Non-Technical Description
The Clex prime locking system has several vulnerabilities which allow an
attacker to generate keys and to arbitrarily manipulate the locking
permissions without authorization. For the successful attack the following
requirements need to be met:
Brief possession of a (former) valid key of locking system. A lost and revoked
key will work as well.
Access to hardware and software to sniff the 125kHz communication between the
lock and the key.
Knowledge of the algorithm to calculation the checksum
Brief unobserved access to a lock of the locking system to sniff and log a
communication attempt.

Vulnerabilities in the algorithms used for integrity protection and encryption
may be used by the attacker for targeted modification and copying of a key.
These vulnerabilites have been found by OpenSource Security Ralf Spenneberg
and reported to the vendor Uhlmann & Zacher GmbH. The vendor as reproduced the
vulnerabilities and provided an updated version. Uhlmann & Zacher GmbH tasked
OpenSource Security Ralf Spenneberg to check the update.
The removal of the vulnerability requires a firmware update of the used locks,
the update of the Keyvi3 software, the replacement of the servicekeys and an
update of all keys in use.
Clex prime locking systems using Mifare DESFire and Legic advant technology
are not affected by this vulnerability.

Technical Background
The Clex prime locking system may be used with different transponder
technologies. When using the 125 kHz variant with the EM4450 transponder an
attacker may create arbitrary keys for the locking system.
To protect the confidentiality and integrity of the locking permissions stored
on the transponder three different methods are used:
1. The transponder provides access protection using a password. The password
can be retrieved over the air by an attacker having brief access to a lock of
the locking system using appropiate hardware.
2. The data on the transponder is protected by a checksum. Manipulation of
copying of the locking permissions to a different transponder is detected. With
the knowledge of the underlying checksum algorithm the attacker may calculate
a valid checksum. The manipulated or copied data is then not detected by the
locking system anymore. Only the analysis of the protocols may allow the
3. Alternative to the checksum the data on the transponder may be encrypted.
Since no checksum is used in this mode targeted manipulation of the Cipher-
Block-Chaining may be used to set or remove specific locking permissions.

Vendor Contact
We contacted the vendor the first time in October 2014. The last
vulnerabilities were reported to the vendor on April 15th 2015.
OpenSource Security Ralf Spenneberg http://www.os-s.de
Am Bahnhof 3-5 48565 Steinfurt Germany
Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By