Merry Christmas.

---------------------------------------------------------------------
http://www.modzero.ch/advisories/MZ-14-01-Ekahau-RTLS.txt
---------------------------------------------------------------------

modzero Security Advisory: Vulnerabilities in Ekahau Real-Time
Location System [MZ-14-01] - CVE-ID: CVE-2014-2716
-----------------------------------------------------------------v1.3

Table of Contents

1. Timeline
2. Summary
3. Vulnerabilities
4. Recommendations
5. Vendor Response
6. Credits
7. About modzero
8. References
9. Disclaimer

Vendor: Ekahau, Inc., Helsinki [1]

Products known to be affected: Ekahau Real-Time Location System [2]

The following products were used during the security analysis. Other
versions are likely to be affected as well:

* Ekahau B4 staff badge tag hardware rev 5.7, firmware rev 1.4.52 [3]
* Ekahau RTLS Controller version 6.0.5-FINAL
* Ekahau Activator 3 software [4]

---------------------------------------------------------------------
1. Timeline
---------------------------------------------------------------------

* 2014-03-04: Advisory sent to the vendor
* 2014-03-13: Vendor acknowledged the initial contact
* 2014-04-01: Vendor did not provide timeline
* 2014-04-02: modzero sends a preliminary summary to MITRE
* 2014-04-03: CVE received and added: CVE-2014-2716
* 2014-10-23: modzero releases the comprehensive security advisory to
              the public
* 2014-12-15: Full release of the advisory to the public

---------------------------------------------------------------------
2. Summary
---------------------------------------------------------------------

Ekahau's real-time location tracking uses battery-powered Wi-Fi tokens
to track assets or staff. Signal measurements (RSSI) of the
802.11-based Wi-Fi communication are processed in the Ekahau RTLS
software component, which calculates the exact position of the token.
Depending on the token model that is being used, additional
information can be exchanged (e.g. alarm events from the token or
custom text messages could be sent). According to the vendor's
website, the solution is used in hospitals and schools as "panic
buttons" and should simplify workflows, due to the ability to
precisely track persons and items.

Since the solution only supports Pre-Shared-Key (PSK) based WPA2
radio transport layer encryption, every person with access to a token
can read the radio keys from the tag's EEPROM, gain access to the
network and sniff Ekahau data packets. As there is no easy way of key
rotation, it is assumed that the key is known to a large number of
individuals.

modzero found that the encryption used in Ekahau's Real-Time Location
System messages suffers from severe weaknesses. An attacker is able to
read and generate arbitrary messages, including button events,
text/alarm messages or reconfiguration events.

---------------------------------------------------------------------
3. Vulnerabilities
---------------------------------------------------------------------

3.1. RC4 Cipher Stream Reuse
----------------------------

Severity: high

The message payload of the affected solution is always encrypted using
the same RC4 cipher stream. When combining two encrypted messages with
an XOR operation, the cipher stream cancels out. With this, an
attacker is able to recover the bitwise difference of two plaintexts.

Encryption of two messages m1 and m2 using the same cipher stream s
results in two ciphertexts c1 and c2. s is a pseudo-random sequence of
bytes, generated using the RC4 algorithm:

    c1 = m1 XOR s
    c2 = m2 XOR s

An attacker is able to record the ciphertexts c1 and c2 and combine
them in an XOR operation. This reveals all bits where the plaintexts
m1 and m2 differ:

    c1 XOR c2 = (m1 XOR s) XOR (m2 XOR s)
              = (m1 XOR m2) XOR (s XOR s)
              = m1 XOR m2

3.2. Weak Key Derivation
------------------------

Severity: high

The 128 bit RC4 key used in the Ekahau setup is trivially derived from
the three least significant bytes of the MAC address.
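The cipher stream reuse described in 3.1, worked through as an added example (not part of the modzero advisory): a textbook RC4 keystream, two constructed tag messages encrypted with the same stream, and the recovery of one plaintext from the other. The key and message formats are placeholders, not real Ekahau data.

```python
# Added example: why one fixed RC4 keystream for every message leaks
# the XOR of plaintexts (and, with one known message, the other one).

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) then PRGA for `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input; only overlapping bytes are comparable.
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_fixed_stream(key: bytes, msg: bytes) -> bytes:
    # Models the flaw: each message is XORed with the stream from byte 0,
    # instead of a fresh per-message key/nonce.
    return xor(msg, rc4_keystream(key, len(msg)))


def ciphertext_difference(c1: bytes, c2: bytes) -> bytes:
    # (m1 XOR s) XOR (m2 XOR s) == m1 XOR m2: the stream cancels out.
    return xor(c1, c2)


def recover_with_known_plaintext(c1: bytes, m1: bytes, c2: bytes) -> bytes:
    # A predictable message (e.g. a periodic heartbeat) fully exposes any
    # other message encrypted under the same stream, without the key.
    return xor(ciphertext_difference(c1, c2), m1)


# Constructed placeholders (no real key material or tag traffic)
DEMO_KEY = b"demo-key-not-real"
HEARTBEAT = b"EVENT=heartbeat;TAG=A1"   # assumed-known, repeating message
PANIC = b"EVENT=panic_btn;TAG=A1"       # the message an attacker wants

if __name__ == "__main__":
    c_hb = encrypt_with_fixed_stream(DEMO_KEY, HEARTBEAT)
    c_pn = encrypt_with_fixed_stream(DEMO_KEY, PANIC)
    print(recover_with_known_plaintext(c_hb, HEARTBEAT, c_pn))
```

The fix is not a different stream cipher but never reusing a keystream: a unique per-message nonce or key, plus an authentication tag so forged events are rejected.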
The key derivation scheme can be recovered from publicly available
program code [4] or any Ekahau tag's EEPROM. According to the IEEE
802.11 standard [5], the MAC address is required to be publicly
transported in clear text within the 802.11 MAC headers. An attacker
capable of sniffing the wireless network (independent of its
encryption state) is able to extract this information. Using the
gathered MAC address, he is able to immediately reconstruct the
employed RC4 key in the following way:

    prefix   = "*ixpiyacoc"
    mac[3:5] = three least significant bytes of the MAC address
    suffix   = "+*+"
    key      = prefix | mac[3:5] | suffix

The effective key entropy is only 24 bit, thus even a key recovery by
brute-force search would be possible in a short amount of time if the
MAC address is unknown.

---------------------------------------------------------------------
4. Recommendations
---------------------------------------------------------------------

It is recommended that Ekahau corrects their implementation to ensure
message confidentiality, authenticity and integrity. It is recommended
to protect secret information and prevent access to key material on
all levels. Static PSK based radio encryption without automated key
rotation is not recommended.

---------------------------------------------------------------------
5. Vendor Response
---------------------------------------------------------------------

Qualified vendor response pending.

Vendor protects the activator download [4] with a login & password.
The software might still be available from other sources.

---------------------------------------------------------------------
6. Credits
---------------------------------------------------------------------

* David Gullasch (dagu (_at_) modzero.ch)
* Max Moser (mmo (_at_) modzero.ch)

---------------------------------------------------------------------
7. About modzero
---------------------------------------------------------------------

The independent Swiss company modzero AG assists clients with security
analysis in the complex areas of computer technology. The focus lies
on highly detailed technical analysis of concepts, software and
hardware components as well as the development of individual
solutions. Colleagues at modzero AG work exclusively in practical,
highly technical computer-security areas and can draw on decades of
experience in various platforms, system concepts, and designs.

http://modzero.ch
info@modzero.ch

---------------------------------------------------------------------
8. References
---------------------------------------------------------------------

[1] http://www.ekahau.com/
[2] http://www.ekahau.com/real-time-location-system/solutions
[3] http://www.ekahau.com/userData/ekahau/documents/datasheets/B4_datasheet_letter.pdf
[4] http://sw.ekahau.com/download/activator/

---------------------------------------------------------------------
9. Disclaimer
---------------------------------------------------------------------

The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.