-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2016-106 Product: EASY HOME Alarmanlagen-Set Manufacturer: monolith GmbH Affected Version(s): Model No. MAS-S01-09 Tested Version(s): Model No. MAS-S01-09 Vulnerability Type: Missing Protection against Replay Attacks Risk Level: Medium Solution Status: Open Manufacturer Notification: 2016-09-26 Solution Date: - Public Disclosure: 2016-11-23 CVE Reference: Not yet assigned Author of Advisory: Matthias Deeg (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The EASY HOME MAS-S01-09 is a wireless alarm system with different features sold by ALDI SÜD. Some of the features as described in the German product manual are (see [1]): " - - Alarmanlagen-Set mit drahtlosen Sensoren und Mobilfunk-Anbindung - - SOS-Modus, Stiller Alarm, Überwachungs- und Intercom-Funktion - - Integrierte Quad-Band Mobilfunkeinheit für GSM-Netze im 850 / 900 / 1800 / 1900 MHz-Bereich - - Alarmbenachrichtigung auf externe Telefone - - Eingebaute Sirene (ca. 90 dB), inkl. Anschluss für externe Sirene - - Unterstützung für bis zu 98 kabellosen Sensoren / bis zu 4 kabelgebundene Sensoren - - Stromausfallsicherung der Basiseinheit durch 4 x AAA Alkaline-Batterien - - Fernbedienbar per Telefon " Due to an insecure implementation of the used 433 MHz radio communication, the EASY HOME MAS-S01-09 wireless alarm system is vulnerable to replay attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: SySS GmbH found out that the radio communication protocol used by the EASY HOME MAS-S01-09 wireless alarm system and its remote control is not protected against replay attacks. Therefore, an attacker can record the 433 MHz radio signal of a wireless remote control, for example using a software-defined radio, when the alarm system is disarmed by its owner, and play it back at a later time in order to disable the alarm system at will. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): SySS GmbH could successfully perform a replay attack as described in the previous section using a software-defined radio and disarm an EASY HOME MAS-S01-09 wireless alarm system in an unauthorized way. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a solution for this reported security vulnerability concerning the tested product version. For further information please contact the manufacturer. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-09-26: Vulnerability reported to manufacturer 2016-09-30: Manufacturer responds to reported security issue and that the information will be integrated in the next product version 2016-09-30: E-mail to manufacturer concerning a security advice in the product manual 2016-10-04: Response concerning security advice in product manual 2016-11-23: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product manual of EASY HOME MAS-S01-09 wireless alarm system http://monolith-shop.de/wp-content/uploads/2016/09/MAS-S01-09_Alarmanlage_Bedienungsanleitung.pdf [2] SySS Security Advisory SYSS-2016-106 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-106.txt [3] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Matthias Deeg of SySS GmbH. E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYNChqAAoJENmkv2o0rU2rznUP/R2Pg/9Dkc3GPJDKGd1HTaSo AC/qluqMjGs8FcPj03WPewT2MlTRBLdkEsgP9kUluC8ohvPS6ybBsogTjcNPQ+vp Qu0gqbhPohTv2VcRlMFAlLycuv2jG56OZ9H6hyNxhCTb8rY8RUI1Ox8R+KQEEFTW fASLsoGt6aRRucHSQW0v/W8MfAVM4oo7JGTt5NG5aJ6Fl7pzJJ2a31KZ/lFnAXo3 4WJf5z3WbiHVb9nHs9d95+RrbCQWOAi34VRvlENlc6Sw6dYQ6QvaC0L+SA7CKhbe z0qy0xiz0H14ISnX+7MeVQzvw/MFCA75qRljMoTNVxM3Sm8jxEh7KxYIXL9/KdY6 e76zGYo70YUYRq5lvwI9YRtcTWELzEQ5kanD0W0f8BnrT76l3DDFiCprK4By8dwP rxJKjPKIgt6hdibQ5BQnUeU4w/euGj5c5+uowE7jvNLQqWx7Npo4iC3NuM0KaW1f Qp8UbCy7ak3KGg2t6t9k7GsKlHS8lg9agOOFlJsBJpemmSqpwoQw9TImYPsWmNCj 2SK1DGmuf5FmiY/i6Q5CGw1PrfO4R6OIRS4h1NSQ3KPVM5li1CMmk9wXSYGAcCYC YBtgJ6PNusPMYgXxUNaXo+5wWI1U2EZPMHdEf+IrCLiTc3ozonkVSnQ51v6ZyWLz GVXDS2B/F8R3/jcD8Gmh =ujGR -----END PGP SIGNATURE-----