-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-004
Product: ABUS Secvest (FUAA50000)
Manufacturer: ABUS
Affected Version(s): v3.01.01
Tested Version(s): v3.01.01
Vulnerability Type: Message Transmission - Unchecked Error Condition (CWE-391)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-03-02
Solution Date: -
Public Disclosure: 2019-07-26
CVE Reference: CVE-2019-14261
Authors of Advisory: Matthias Deeg (SySS GmbH), Thomas Detert

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ABUS Secvest (FUAA50000) is a wireless alarm system with different
features.

Some of the supported features as described by the manufacturer are 
(see [1]):

"
* Convenient operation via the app (Android/iOS), integrated web
  browser and also at the alarm panel
* For up to 50 users with freely selectable control options
  (code/chip key/remote control)
* Active intrusion protection in combination with additional mechatronic
  wireless window/door locks
* Video verification of alarms via email, push notifications or via the
  app
* Up to 48 individually identifiable wireless detectors, eight control
  panels, 50 remote controls
* Integrated dialling device
* VdS Home certified and EN 50131-1 Level 2
* Alarm verification via the integration of up to six IP cameras
* 32 additional wireless outputs for flexible event control
* Switching to monitoring station via protocols possible
"

Due to an insufficient implementation of the jamming detection, an
attacker is able to suppress correctly received RF messages sent between
wireless peripheral components, for example wireless detectors or remote
controls, and the ABUS Secvest alarm central.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Thomas Detert found out that the jamming detection of the ABUS alarm
central does not detect short jamming signals that are shorter than
normal ABUS RF messages. 

Thus, an attacker is able to perform a "reactive jamming" attack. The
reactive jamming simply detects the start of a RF message sent by a
component of the ABUS Secvest wireless alarm system, for instance a
wireless motion detector (FUBW50000) or a remote control (FUBE50014 or
FUBE50015), and overlays it with random data before the original RF
message ends. Thereby, the receiver (alarm central) is not able to
properly decode the original transmitted signal. 

This enables an attacker to suppress correctly received RF messages of
the wireless alarm system in an unauthorized manner, for instance status
messages sent by a detector indicating an intrusion.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Thomas Detert developed a Teensy-based PoC tool using a CC1101 sub-1GHz
transceiver that allows suppressing arming the alarm system in an 
unauthorized way. He provided his tool including documentation and 
source to SySS GmbH for responsible disclosure purposes. 

SySS GmbH could successfully perform the described reactive jamming attack
against an ABUS Secvest wireless alarm system. RF messages sent by the
configured ABUS Secvest components FUBE50015 (remote control), FUBW50000
(motion detector), and FUMK50000W (magnetic contact detector) were
successfully suppressed and no alarm was triggered.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for this reported security
vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-03-02: Vulnerability reported to manufacturer
2019-07-26: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ABUS Secvest wireless alarm system
    https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Alarm-panels-and-kits/Secvest-Wireless-Alarm-System
[2] SySS Security Advisory SYSS-2019-004
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-004.txt
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thomas Detert.

Mr. Detert reported his finding to SySS GmbH where it was verified and
later reported to the manufacturer by Matthias Deeg.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAl05UeYACgkQ2aS/ajSt
TavmyA//UbBZrmr1KiLHhZpU7W59aAKzUOcDX5sS9MoJqXA07JNrwZ5MIUPoWfhE
8C216n8IJDQvwjeyIibz34YC4rqYF7fI2JBvr0I2oJ1tZGupnn/sIeoIg7N4S7um
POgBAsh60PpNZsODL8+IusObAJkAUh/03j7Vm691ezDzI8IrIKcbif/0d7QsRUvg
+wII5BbTLL16PRaW6umRFwxYUP0EMv2DemgK6WiGbu9ei3Wtd71bkQQqw9YmWG9D
LCPuUgreFe5UQ30cMk8St8ggKe4w3vd1jwbnR69/soca11PfyF4C/jd9+h2F9aDR
BGugY4HXk52FNc9u9NC5tVztPZWP9/6hyUGNpsNBRHXlAxq0tc1bTFieDtcBJPuk
u4rM9gB6lUSBM1qdDWc6dcj6vbTIrTGlQPI0tkRImf2nXnFegUAjRUshCylJ5HXp
P5MCnw+fRh7rdEN5uI7CeTKgW+rsu4SnOA9FK6uGVUi2qj0hwILZ4o+XA33ckL21
C5TLdO7lpXuMG74h/C7xX30VXy9b33X8zWBORqoNSisgJ6OJZyPmIHfmDExuFhY0
pEfYldrlBTxt8RAI6gKlco0t1ntt0+u0MvAQRfLIQG8YtQSzK8z44tiZcGnwJKxj
r97v2/DADGWZu7hHDKynW95MyGjKYnPrpyNXppuIBEnfheuNVH8=
=/Yo1
-----END PGP SIGNATURE-----