-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2016-117 Product: ABUS Secvest (FUAA50000) Manufacturer: ABUS Affected Version(s): v1.01.00 Tested Version(s): v1.01.00 Vulnerability Type: Missing Protection against Replay Attacks Risk Level: Medium Solution Status: Open Manufacturer Notification: 2016-11-28 Solution Date: - Public Disclosure: 2017-02-20 CVE Reference: Not yet assigned Author of Advisory: Matthias Deeg (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: ABUS Secvest (FUAA50000) is a wireless alarm system with different features. Some of the supported features as described by the manufacturer are (see [1]): " * Convenient operation via the app (Android/iOS), integrated web browser and also at the alarm panel * For up to 50 users with freely selectable control options (code/chip key/remote control) * Active intrusion protection in combination with additional mechatronic wireless window/door locks * Video verification of alarms via email, push notifications or via the app * Up to 48 individually identifiable wireless detectors, eight control panels, 50 remote controls * Integrated dialling device * VdS Home certified and EN 50131-1 Level 2 * Alarm verification via the integration of up to six IP cameras * 32 additional wireless outputs for flexible event control * Switching to monitoring station via protocols possible " Due to an insecure implementation of the used 868 MHz radio communication, the wireless alarm system ABUS Secvest is vulnerable to replay attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: SySS GmbH found out that the radio communication protocol used by the ABUS Secvest wireless alarm system (FUAA50000) and its remote control (FUBE50013) is not protected against replay attacks. Therefore, an attacker can record the radio signal of a wireless remote control, for example using a software-defined radio, when the alarm system is disarmed by its owner, and play it back at a later time in order to disable the alarm system at will. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): SySS GmbH could successfully perform a replay attack as described in the previous section using a software-defined radio and disarm an ABUS Secvest wireless alarm system in an unauthorized way. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a solution for this reported security vulnerability. For further information please contact the manufacturer. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-11-28: Vulnerability reported to manufacturer 2016-12-05: Vulnerability reported to manufacturer again 2016-12-06: Manufacturer responded to emails 2016-12-08: Exchanged further information with manufacturer 2017-02-07: Asked manufacturer for current status concerning the reported security issue 2017-02-20: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for ABUS Secvest wireless alarm system https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Alarm-panels-and-kits/Secvest-Wireless-Alarm-System [2] SySS Security Advisory SYSS-2016-117 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-117.txt [3] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ [4] Plusminus video: Von wegen sicher - Wie leicht Alarmanlagen zu knacken sind http://www.daserste.de/information/wirtschaft-boerse/plusminus/videos/von-wegen-sicher-wie-leicht-alarmanlagen-zu-knacken-sind-100.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Matthias Deeg of SySS GmbH. E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAliqyqgACgkQ2aS/ajSt TauDyBAAooHv0j6CNMghjO72OmILNbjUhXovwiPj4XqpQjKxb7NOxDpSzEfrKZPy B2m2Ki6dUW52a0wBEoWec4ONAH+c1eDFBehFlhryGkSqqFGLpSKpoM4+FVL11hwO aW4vyzAurW6QuyywreSxL+U2/TuruRZOuTaMDInUubJ41ODj4p0mEFvz0KeADy0o qyQDDCWE3c6IPCSHy7wa98GnF8pGC+0CSDlfr2Vi1q2H/sc1hSZcxGiVN7j6A3y4 X1DqV9bEfJBIpFoIotHIenm8mBO36/N08vetH6XKGP0ZKlvkgilpSrrF9KHCkDAO /5dmdXVvTIKYiEpUYevEUdGiaY/ZUj2Day7Z+w9t1y7TmMnKSrljTNR9Aai10lYi 06PmMeU1kLkaMvaz89lkAFT/tkqnWHgw40zGDCs1KfQyo58DUWjapKuiXsjkOUu6 4pF57dE548qDZaWyJMn/shRNHKz7l7TdZ2DqAT+WTtQ/LjTkn2rFCJJVDdzadPOh CEm/ARctIfM8PM7cFM8xffQA4Bcwte0xh+1qQGsPfndH9dq+9Ep3HLhAv5GTCw/5 Z4OlVuTiXHTnVssh4zTBVyecHlSE6gEIl0At5wzAGr9AlKqTKNCvysH5ayMZzkhl 13jSS0RL+kEsabiNV23IeFLtKKU7fSdTrbCZFHCYpHcjCxAwjYA= =Lm07 -----END PGP SIGNATURE-----