OS-S Security Advisory 2016-01

Date: January 1st,  2016
Updated: January 1st, 2016
Authors: Hendrik Schwartke, Ralf Spenneberg
CVE: Not yet assigned
CVSS: 6.2 (AV:L/AC:L/Au:S/C:C/I:C/A:N)
Title: Insufficient integrity checks in Uhlmann & Zacher Clex prime locking 
systems using 125 kHz EM4450 transponders
Severity: Critical. The locking permissions may be arbitrarily manipulated and 
extended.
Ease of Exploitation: Trivial
Vulnerability: Insufficient integrity protection
Product: U&Z Clex prime locking system using 125 kHz EM4450 transponder

Non-Technical Description
The Clex prime locking system has several vulnerabilities which allow an 
attacker to generate keys and to arbitrarily manipulate the locking 
permissions without authorization. For the successful attack the following 
requirements need to be met:
Brief possession of a (former) valid key of locking system. A lost and revoked 
key will work as well. 
Access to hardware and software to sniff the 125kHz communication between the 
lock and the key.
Knowledge of the algorithm to calculation the checksum
Brief unobserved access to a lock of the locking system to sniff and log a 
communication attempt.

Vulnerabilities in the algorithms used for integrity protection and encryption 
may be used by the attacker for targeted modification and copying of a key. 
These vulnerabilites have been found by OpenSource Security Ralf Spenneberg 
and reported to the vendor Uhlmann & Zacher GmbH. The vendor as reproduced the 
vulnerabilities and provided an updated version. Uhlmann & Zacher GmbH tasked 
OpenSource Security Ralf Spenneberg to check the update. 
The removal of the vulnerability requires a firmware update of the used locks, 
the update of the Keyvi3 software, the replacement of the servicekeys and an 
update of all keys in use. 
Clex prime locking systems using Mifare DESFire and Legic advant technology 
are not affected by this vulnerability.

Technical Background
The Clex prime locking system may be used with different transponder 
technologies. When using the 125 kHz variant with the EM4450 transponder an 
attacker may create arbitrary keys for the locking system. 
To protect the confidentiality and integrity of the locking permissions stored 
on the transponder three different methods are used:
1. The transponder provides access protection using a password. The password 
can be retrieved over the air by an attacker having brief access to a lock of 
the locking system using appropiate hardware.
2. The data on the transponder is protected by a checksum. Manipulation of 
copying of the locking permissions to a different transponder is detected. With 
the knowledge of the underlying checksum algorithm the attacker may calculate 
a valid checksum. The manipulated or copied data is then not detected by the 
locking system anymore. Only the analysis of the protocols may allow the 
detection.
3. Alternative to the checksum the data on the transponder may be encrypted. 
Since no checksum is used in this mode targeted manipulation of the Cipher-
Block-Chaining may be used to set or remove specific locking permissions.

Vendor Contact
We contacted the vendor the first time in October 2014. The last 
vulnerabilities were reported to the vendor on April 15th 2015.
-- 
OpenSource Security Ralf Spenneberg         http://www.os-s.de
Am Bahnhof 3-5                          48565 Steinfurt         Germany
Fon:   +49(0)2552 638 755            Fax: +49(0)2552 638 757