what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

M2B GSM Wireless Alarm System Replay Attacks

M2B GSM Wireless Alarm System Replay Attacks
Posted Nov 24, 2016
Authored by Gerhard Klostermeier | Site syss.de

Due to an insecure implementation of the used 433 MHz radio communication, the wireless alarm system M2B GSM is vulnerable to replay attacks.

tags | advisory
SHA-256 | b19e73ae566f67141fff01b385e124ffe916d02b99d2f4b1eb6581a9331a10b9

M2B GSM Wireless Alarm System Replay Attacks

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-066
Product: M2B GSM Wireless Alarm System
Manufacturer: Multi Kon Trade
Affected Version(s): Unspecified
Tested Version(s): Unspecified
Vulnerability Type: Missing Protection against Replay Attacks
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-07-05
Solution Date: -
Public Disclosure: 2016-11-23
CVE Reference: Not yet assigned
Author of Advisory: Gerhard Klostermeier, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The M2B GSM wireless alarm system by Multi Kon Trade (MKT) was tested
for possible security issues.

Some features of this alarm system as described by the manufacturer are
(see [1]):

* You will be noticed of any alarm by call or by SMS message.
* The alarm system has a battery which will last 6 to 8 hours in case
of a blackout.
* You can pair up to 99 devices (sensors, remote control, etc.).
* You do not have to run any cables. Everything is wireless.
* It is possible to trigger alarms in case of fire, even if the
alarm is disabled.
* It is possible to trigger the alarm with a delay.

Due to an insecure implementation of the used 433 MHz radio
communication, the wireless alarm system M2B GSM is vulnerable to
replay attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the radio communication protocol used by the
M2B GSM wireless alarm system and its remote control is not protected
against replay attacks. Therefore, an attacker can record the radio
signal of a wireless remote control, for example using a software
defined radio, when the alarm system is disarmed by its owner, and play
it back at a later time in order to disable the alarm system at will.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH build a small device that is able to perform replay attacks
against the 433 MHz radio communication of the M2B GSM wireless alarm
system, for example in order to arm and disarm the wireless remote
system in an unauthorized manner.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Do not use the 433 MHz remote control to arm or disarm the system.
Instead it is recommended to use the app for iOS and Android smartphones
or to arm and disarm the system manually with the on-board keypad.
(Solution as suggested by the vendor.)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-07-05: Vulnerability reported to manufacturer
2016-10-13: Response from the vendor with the solution on how to
mitigate the risk
2016-11-23: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] M2B GSM Wireless Alarm System, Multi Kon Trade
http://multikontrade.de/GSM-Funk-Alarmanlage
[2] PT2260 Remote Control Encoder, Princeton Technology Corp.
http://www.princeton.com.tw/Portals/0/Product/PT2260_4.pdf
[3] SySS Security Advisory SYSS-2016-066

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-066.txt
[4] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Gerhard Klostermeier of SySS
GmbH.

E-Mail: gerhard.klostermeier (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Gerhard_Klostermeier.asc
Key fingerprint = 8A9E 75CC D510 4FF6 8DB5 CC30 3802 3AAB 573E B2E7

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYNCg9AAoJENmkv2o0rU2rtIMP/3OZVr9igvbqmDaOWyvdQbkS
q5wF+qf48ACbeqzWJHbzp7y5GE+hsvuMvnpLa2JMwg8E+Wqo7P9/TBKJ/F/W8YRb
b2skOQFDuuF3CNG1Uco+hDhPs1FvWVAtOy+YUPPI45IMm+/hOXTRttosns++ZSug
GGW8AOtr1KdNQc4UWm0Xex/d71mpP+a1Y4zKTQXXoIw1i2zSxloX1pv/n+WYyRho
CKOmfaZnzNAakrmHjfQAMYzUk9Ed30H8YA6Y80QwJgns+LqYGu3updNpD8u4cabq
cDC0YOrnyOVuLZgr6itVq6kNu5jPhVkM7ECuTdHWkZOrS1gArti6by5um/xtmO7U
fpBjUNtIxqj6yymkkGZ3HK3nxtvlfJk2zqwwJA+z0j1YyzpZwIHB7EUqe/lsiDVx
Fu1OGURRlbU2ES3LFfKWwG3S4ZQSa7sI6CZFJjMR8m9E3UNSwYLhMisK8FuooY4A
xFOusWlNTj6yPMUe2RXoCUD8lmbOJpPUqIbzfIcK4ek2xGtwWb/9AkmSJhxrFcEg
ktCFV2DzFCwkgfYjrKPx4baOpFWYh+A99YzK8rDqVkWTsOSAV/M9NON3jiN3Ai46
Vubtn1bAIzwnaLpzZ2YESOvifFxDlQhpuQCAm4enWkOU2WIicalwJTngbEc0dHDV
sBKBNoQ8Rav8oKfVj2J0
=Z0mu
-----END PGP SIGNATURE-----



Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    31 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close