what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ABUS Secvest Remote Control Eavesdropping Issue

ABUS Secvest Remote Control Eavesdropping Issue
Posted Mar 25, 2019
Authored by Matthias Deeg, Thomas Detert | Site syss.de

Thomas Detert found out that the claimed "Encrypted signal transmission" of the Secvest wireless remote control FUBE50014 is not present at all. Thus, an attacker observing radio signals of an ABUS FUBE50014 wireless remote control is able to see all sensitive data of transmitted packets as cleartext and can analyze the used packet format and the communication protocol. For instance, this security issue could successfully be exploited to observe the current rolling code state of the wireless remote control and deduce the cryptographically weak used rolling code algorithm. SySS found out that the new ABUS Secvest remote control FUBE50015 is also affected by this security vulnerability.

tags | advisory, remote, protocol
advisories | CVE-2019-9862
SHA-256 | 4fb6b1bb33c005b26a8192228bc5ffdcbbcb440ba5889e85c120133752973a41

ABUS Secvest Remote Control Eavesdropping Issue

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2018-035
Product: ABUS Secvest Remote Control (FUBE50014, FUBE50015)
Manufacturer: ABUS
Affected Version(s): n/a
Tested Version(s): n/a
Vulnerability Type: Missing Encryption of Sensitive Data (CWE-311)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2018-11-21
Solution Date: -
Public Disclosure: 2019-03-25
CVE Reference: CVE-2019-9862
Authors of Advisory: Matthias Deeg (SySS GmbH), Thomas Detert

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ABUS Secvest FUBE50014 and FUBE50015 are wireless remote controls for
the ABUS Secvest wireless alarm system.

Some of the device features as described by the manufacturer are
(see [1]):

"
* User-friendly remote control with easily identifiable symbols
* Features ‘arm’, ‘disarm’ and ‘status query’ keys
* 8 LEDs provide an overview and display current system status
* Button for custom configuration available (Secvest wireless alarm
system only)
* Optional manual panic alarm available (Secvest wireless alarm system
only)
* Encrypted signal transmission
* Rolling Code
Thanks to the rolling code process this product is protected against
so-called replay attacks. All controlling signals between this product
and the Secvest alarm panel are in individualised and thus, are not
able to be reproduced by third parties. This process is protected
from third party tampering, and exceeds the requirements of the
DIN EN 50131-1 level 2 security standard.
"

Due to the missing "Encrypted signal transmission", an attacker is able
to eavesdrop sensitive data as cleartext, for instance the current
rolling code state.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Thomas Detert found out that the claimed "Encrypted signal transmission"
of the Secvest wireless remote control FUBE50014 is not present at all.

Thus, an attacker observing radio signals of an ABUS FUBE50014
wireless remote control is able to see all sensitive data of
transmitted packets as cleartext and can analyze the used packet format
and the communication protocol.

For instance, this security issue could successfully be exploited to
observe the current rolling code state of the wireless remote control
and deduce the cryptographically weak used rolling code algorithm
(see SySS security advisory SYSS-2018-034 [2]).

SySS found out that the new ABUS Secvest remote control FUBE50015 is
also affected by this security vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Thomas Detert developed a Teensy-based PoC tool using a CC1101 sub-1GHz
transceiver that allows disarming the alarm system in an unauthorized
way. He provided his tool including documentation and source to SySS
GmbH for responsible disclosure purposes.

SySS GmbH could successfully perform a disarming attack against an ABUS
Secvest wireless alarm system by exploiting the unencrypted signal
transmission of the ABUS Secvest wireless remote controls FUBE50014 and
FUBE50015 and the predictable rolling code implementation using either
Mr. Detert's PoC tool, a developed Python tool for the RFCat-based radio
dongle YARD Stick One (see [3]), or a eZ430-Chronos (see [4]) with a
specially developed firmware.

Successful disarming attacks against an ABUS Secvest wireless alarm
system are shown in our SySS proof-of-concept video "ABUS Secvest
Rolling Code PoC Attack" [7].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for this reported security
vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-11-21: Vulnerability reported to manufacturer
2018-11-28: Vulnerability reported to manufacturer once more
2018-12-12: E-mail to ABUS support asking if they are going to give
some feedback regarding the reported security issue
2018-12-12: Phone call with ABUS support, the reported security
advisories were forwarded to the ABUS Security Center
Support
2018-12-12: E-mail to ABUS Security Center Support asking if they are
going to give some feedback regarding the reported security
issue
2019-01-14: Updated information regarding remote control ABUS Secvest
FUBE50015
2019-03-25: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ABUS Secvest wireless remote control
https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Control-devices-and-extensions/Secvest-Wireless-Remote-Control2
[2] SySS Security Advisory SYSS-2018-034
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-034.txt
[3] Product website YARD Stick One
https://greatscottgadgets.com/yardstickone/
[4] Product website for Texas Instruments eZ430-Chronos
http://www.ti.com/tool/EZ430-CHRONOS
[5] SySS Security Advisory SYSS-2018-035
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-035.txt
[6] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
[7] SySS Proof-of-Concept Video: ABUS Secvest Rolling Code PoC Attack
https://youtu.be/pSdsMVn-7gM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thomas Detert.

Mr. Detert reported his finding to SySS GmbH where it was verified and
later reported to the manufacturer by Matthias Deeg.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAlyUoLoACgkQ2aS/ajSt
TauU4Q/8CZRBKZPUkuVKjWkxurI4k9zH2+FRpVGlddz7Icx547VJdYUFLmGGXtQW
yH5DrxrDJTM6IjPh8l6Dw3Vrf5EwP/AN5NAKKEeWGam+SVtF4jq2xZu7O+XgL5Q7
MO2BrqMFv5v/8R8bYkWTczMcwnznMZB/9xQnFaGr4Tp//LH8VQ54UfQH/7fCgVGT
RcHMKKx05EuRD4coU1uogwdsjfXDmY+hTEl9vArV6S6dtqKa1vXv54PN07mvlZNW
CvojEpWXmkzlev4mDmS+WsjvDRKDE5AW9Dflg1pcQLH0/20eK4PAjJAlk+2qaxM0
g1t3U6O/pjotp4BxHhrYvcPjAY0iLz4S1yCVte8VdQ1zZ1LQ0+N8zMBx3sp+Sfo0
mCJuj/GBpgtS/AsBcsNiSlHgUhl6tIkhbrocJ5F8f5yx0NLWeSZ+iZPp2IxHqT/b
ZZj5xZd+WQjRnwN/Rp5Pe3Fgg/PBiCOpW4BmTiZytkm9fu23u3BDYC3daXzGgQmg
WiodnGM/TsLWryuckh5blqP/595PNbvc/zdjofWHkz9fGX29hsvkoXo3AjFBYsFw
mbtGKHPO9qod7Gp6xwLUVq4PXMP8Yhrif4/ZzHh2gzNFQ5gFH+6lUYpomwIqyw51
3knWk51fjOd1suaXGzxN87zbhqKhVh+GsopwsrG5OvbSQXhnYIA=
=5FYg
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close