Product: EASY HOME Alarmanlagen-Set
Manufacturer: monolith GmbH
Affected Version(s): Model No. MAS-S01-09
Tested Version(s): Model No. MAS-S01-09
Vulnerability Type: Missing Protection against Replay Attacks
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-09-26
Solution Date: -
Public Disclosure: 2016-11-23
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
The EASY HOME MAS-S01-09 is a wireless alarm system with different
features sold by ALDI SÜD.
Some of the features as described in the German product manual are
(see [1]):
"
- - Alarmanlagen-Set mit drahtlosen Sensoren und Mobilfunk-Anbindung
- - SOS-Modus, Stiller Alarm, Überwachungs- und Intercom-Funktion
- - Integrierte Quad-Band Mobilfunkeinheit für GSM-Netze im 850 / 900 /
1800 / 1900 MHz-Bereich
- - Alarmbenachrichtigung auf externe Telefone
- - Eingebaute Sirene (ca. 90 dB), inkl. Anschluss für externe Sirene
- - Unterstützung für bis zu 98 kabellosen Sensoren / bis zu 4
kabelgebundene Sensoren
- - Stromausfallsicherung der Basiseinheit durch 4 x AAA
Alkaline-Batterien
- - Fernbedienbar per Telefon
"
Due to an insecure implementation of the used 433 MHz radio
communication, the EASY HOME MAS-S01-09 wireless alarm system is
vulnerable to replay attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
SySS GmbH found out that the radio communication protocol used by the
EASY HOME MAS-S01-09 wireless alarm system and its remote control is
not protected against replay attacks. Therefore, an attacker can record
the 433 MHz radio signal of a wireless remote control, for example using
a software-defined radio, when the alarm system is disarmed by its
owner, and play it back at a later time in order to disable the alarm
system at will.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
SySS GmbH could successfully perform a replay attack as described in the
previous section using a software-defined radio and disarm an EASY HOME
MAS-S01-09 wireless alarm system in an unauthorized way.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
SySS GmbH is not aware of a solution for this reported security
vulnerability concerning the tested product version.
For further information please contact the manufacturer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2016-09-26: Vulnerability reported to manufacturer
2016-09-30: Manufacturer responds to reported security issue and that
the information will be integrated in the next product
version
2016-09-30: E-mail to manufacturer concerning a security advice in the
product manual
2016-10-04: Response concerning security advice in product manual
2016-11-23: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product manual of EASY HOME MAS-S01-09 wireless alarm system
http://monolith-shop.de/wp-
[2] SySS Security Advisory SYSS-2016-106
https://www.syss.de/fileadmin/
[3] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Matthias Deeg of SySS GmbH.
E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/
Komentarų nėra:
Rašyti komentarą