-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2016-071 Product: Smart GSM Alarm SA 2500 Kit Manufacturer: Blaupunkt Affected Version(s): v1.0 Tested Version(s): v1.0 Vulnerability Type: Missing Protection against Replay Attacks Risk Level: Medium Solution Status: Open Manufacturer Notification: 2016-07-14 Solution Date: - Public Disclosure: 2016-11-23 CVE Reference: Not yet assigned Author of Advisory: Matthias Deeg (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Blaupunkt Smart GSM Alarm SA 2500 Kit is a wireless alarm system with different features. The manufacturer describes the product as follows (see [1]): "Home is priceless. Protecting home should be anyone's top priority. Blaupunkt Smart Alarm Series SA 2500/ SA 2700 Kit offers you an easy and efficient way to do 'DIY security, DIY protection.' You can set up a quality security system all by yourself and control/monitor your home from your smartphone anytime, anywhere." Due to an insecure implementation of the used 868 MHz radio communication, the wireless alarm system Blaupunkt Smart GSM Alarm SA 2500 Kit is vulnerable to replay attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: SySS GmbH found out that the radio communication protocol used by the Blaupunkt Smart GSM Alarm SA 2500 wireless alarm system and its remote control is not protected against replay attacks. Therefore, an attacker can record the radio signal of a wireless remote control, for example using a software-defined radio, when the alarm system is disarmed by its owner, and play it back at a later time in order to disable the alarm system at will. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): SySS GmbH could successfully perform a replay attack as described in the previous section using a software-defined radio and disarm a Blaupunkt Smart GSM Alarm SA 2500 wireless alarm system in an unauthorized way. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a solution for this reported security vulnerability. For further information please contact the manufacturer. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-07-14: Vulnerability reported to manufacturer via e-mail and a ticket in the Blaupunkt customer service portal 2016-07-14: Received an e-mail from the manufacturer confirming the ticket 2016-07-15: Manufacturer closed the ticket without any further notification or solution regarding the reported security vulnerability 2016-11-23: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Blaupunkt Smart GSM Alarm Series SA 2500/SA 2700 KIT http://www.blaupunkt.com/uploads/tx_ddfproductsbp/2500-2700_39.pdf [2] SySS Security Advisory SYSS-2016-071 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-071.txt [3] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Matthias Deeg of SySS GmbH. E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYNChPAAoJENmkv2o0rU2rnc4P/ihKlrRMJuTtJo3y72pi8i7O Y/FrOpcUn8zW04PGUBBIC2YK4GfhMfjIQCHY74TNEdGWOMY4lshvbsN9mY2ChSvx MnIllcklXHGbEAAyuu8LafnXVSVIHQtSsCV0H0XPoOhZxj0u5CzziK2xUIYCwcsp fRO0+67PQzUtx9HebiR/sf/fJZj6KdrgLbN2PLQeeZRd6QWDNnF2C5IdBScrFKB3 cVS4AkhuybIwq9LUluIUr3UiA5G8fVSEUbjs7kym2LrLw00ZsJRQxYusIVcJF+Aw nP0fHj1/ybCMlqQmGMtHKGqsxScHf7lflXhfkLbjic6eJmsJxeV3XIWDLV98D455 /bHyhVHDsiYHbhbPVV7FVBPnmbGKzJ/y2RNInkGpkMJN79tLeJZqNOuZv4AH7MYg nswPMxVpmyMixv9RA3K6t7Zv/EyQruMhOvvtfR4ib3GQFO/68O+Jzvc0eQbm2gfF OxM1BeU8HfWEP0FTz+B6h2945ms3N6gsbua4RZUJ1kJDibyIhzww7hIclvlCpo2D 5fPwoWMoT7qV+GAB/RXh9putNcVgk5fIuKAfjcpUwJegv/DDZ6KO2am05OZSRvS/ I6+Oaq4F8RwFKR3j28GJT3gxm++oJ/TOPE+sVF3vD3rZz3wOolMl46K2eD1Sh3/7 QvdQCxoqw2TR+xOL3LkL =0Wia -----END PGP SIGNATURE-----