Exploit the possiblities

EASY HOME Alarmanlagen-Set MAS-S01-09 Cryptographic Issues

EASY HOME Alarmanlagen-Set MAS-S01-09 Cryptographic Issues
Posted Nov 24, 2016
Authored by Gerhard Klostermeier

SySS GmbH found out that the 125 kHz RFID technology used by the EASY HOME MAS-S01-09 wireless alarm system has no protection by means of authentication against rogue/cloned RFID tokens. The information stored on the used RFID tokens can be read easily in a very short time from distances up to 1 meter, depending on the used RFID reader. A working cloned RFID token is ready for use within a couple of seconds using freely available tools.

tags | advisory
MD5 | 1e8305e16302deb63edb52838d0c7462

EASY HOME Alarmanlagen-Set MAS-S01-09 Cryptographic Issues

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-107
Product: EASY HOME Alarmanlagen-Set
Manufacturer: monolith GmbH
Affected Version(s): Model No. MAS-S01-09
Tested Version(s): Model No. MAS-S01-09
Vulnerability Type: Cryptographic Issues (CWE-310)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2016-10-05
Solution Date: -
Public Disclosure: 2016-11-23
CVE Reference: Not yet assigned
Author of Advisory: Gerhard Klostermeier (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The EASY HOME MAS-S01-09 is a wireless alarm system with different
features sold by ALDI SAD.

Some of the features as described in the German product manual are
(see [1]):

"
- - Alarmanlagen-Set mit drahtlosen Sensoren und Mobilfunk-Anbindung
- - SOS-Modus, Stiller Alarm, Aberwachungs- und Intercom-Funktion
- - Integrierte Quad-Band Mobilfunkeinheit fA1/4r GSM-Netze im 850 / 900 /
1800 / 1900 MHz-Bereich
- - Alarmbenachrichtigung auf externe Telefone
- - Eingebaute Sirene (ca. 90 dB), inkl. Anschluss fA1/4r externe Sirene
- - UnterstA1/4tzung fA1/4r bis zu 98 kabellosen Sensoren / bis zu 4
kabelgebundene Sensoren
- - Stromausfallsicherung der Basiseinheit durch 4 x AAA
Alkaline-Batterien
- - Fernbedienbar per Telefon
"

Due to the use of an insecure 125 kHz RFID technology, RFID tokens of
the EASY HOME MAS-S01-09 wireless alarm system can easily be cloned and
used to deactivate the alarm system in an unauthorized way.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the 125 kHz RFID technology used by the EASY
HOME MAS-S01-09 wireless alarm system has no protection by means of
authentication against rogue/cloned RFID tokens.

The information stored on the used RFID tokens can be read easily in a
very short time from distances up to 1 meter, depending on the used
RFID reader. A working cloned RFID token is ready for use within a
couple of seconds using freely available tools.

Thus, an attacker with one-time access to the information of an RFID
token of an EASY HOME MAS-S01-09 wireless alarm system is able to create
a rogue RFID token that can be used to deactivate the alarm system in
an unauthorized manner.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH could successfully clone an RFID token of an EASY HOME
MAS-S01-09 wireless alarm system using a freely available off-the-shelf
tool and disarm the wireless alarm system in an unauthorized way.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for this reported security
vulnerability concerning the tested product version.

For further information please contact the manufacturer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-10-05: Vulnerability reported to manufacturer
2016-10-12: E-mail to manufcaturer concerning the status of the reported
security issue
2016-11-23: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product manual of EASY HOME MAS-S01-09 wireless alarm system

http://monolith-shop.de/wp-content/uploads/2016/09/MAS-S01-09_Alarmanlage_Bedienungsanleitung.pdf
[2] SySS Security Advisory SYSS-2016-107

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-107.txt
[3] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Gerhard Klostermeier of SySS
GmbH.

E-Mail: gerhard.klostermeier (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Gerhard_Klostermeier.asc
Key fingerprint = 8A9E 75CC D510 4FF6 8DB5 CC30 3802 3AAB 573E B2E7

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYNChyAAoJENmkv2o0rU2r4MwQAKTTTRhqNyMi34MxOxUBDAQu
ro3KnFe9C20jiDgnXhLNpwEjsDhqiI4VizScDPQ9EvLE5j5qA0M4SaPn3AZtIiDh
XzKQFJ9Zqoe9COetmx8bEEtCTE1zz5WNy+MNNNqBPGKoIaM54Bcfp9u2W1fQhYW6
m0oTM/y3PPBG7R1xX5el5XPvrqu1Ic2Wr3aT7/MCSApk2cWQic4btERsnhFv4m1N
8bP0Ez9gNsgMRMzxV0vAS1f7AXJLh2tXxdFARhf5S6hnyMxiRpwDeStr6sOUWOTm
iMWIGvptD/kFyJXsg8wLM7h4pqA/Ie9IXe3qETzH83bAEALggb3nT0vFRcPiMeOG
mod89SkoyYNLFxIiwPGu4pBbO/7KYMhv7g9hWsG6vr3TDEe5YTKyLj3XtBiDZsow
pVi2ZazSSbVRuuX8u64H81A5x3s/uNjkGccgHAn82sadq4sLeoLTS0feTP1yeZMD
XdjpmjAt8eLS2CZ/BZlFLGWCdEgBaJ0J2eq/9kmLQ5jiw7nQ6eq0U2Yfpf4B8Q2O
cmrLf3zdILD2Mu3PIGYKFvoEU5CZUXyND/ZaP87ct//lxLfUDeZKhP75aaeYu12I
1osGB8bYRbRxvhU9drTYSEjWUY4r6uiZKsX4BNdCZ/VLo0wNQ/30Qd5SMvYchJeg
9UJ3zmd/Ski5EX2Lfj+x
=6RpX
-----END PGP SIGNATURE-----



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close