Advisory ID: SYSS-2024-071
Product: PGST Security Alarm System
Manufacturer: Shenzhen Pilot Guards Safety Technology Co., Ltd (PGST)
Affected Version(s): 2024-08-19 (No version number)
Tested Version(s): 2024-08-19 (No version number)
Vulnerability Type: Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2024-10-16
Solution Date: TBA
Public Disclosure: 2024-12-04
CVE Reference: Not yet assigned
Author of Advisory: Sebastian Auwärter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The PGST Security Alarm System is a home alarm system.

The manufacturer describes the product as follows (see [1]):

"Our WiFi/GSM alarm system offers reliable and comprehensive protection for your home, garage, apartments and shops or other buildings on your property."

Since the code for the "closed" event of an "RF Door and Windows Detector" can be calculated from the signal sent when the window is opened, the alarm system can be tricked into believing that a window (or door) has been closed again while it is in fact still open.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When an RF Door and Windows Detector is opened (meaning the magnet is removed from the device), a 433 MHz signal is sent that carries a fixed code, for example 0x002D5F56. When the RF Door and Windows Detector is closed, a second signal is sent with a different code, which can be calculated from the code sent while opening the window: the code for the "window is closed" event is the code for the "window is opened" event plus three. In this example, it is 0x002D5F59.

By sending the "window is closed" signal right after the window has been opened, the alarm system can be tricked into thinking the window is closed although it is still open.
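As an added example that is not part of the SySS advisory, the following Python snippet shows a receiver-side heuristic that flags a "window closed" code arriving implausibly soon after the matching "window opened" code. The only protocol fact taken from the advisory is that the closed code equals the opened code plus three; the registered-detector table, the timing threshold and the event log are constructed assumptions.

```python
# Added example (not SySS advisory code): flag a "closed" code that follows its
# "opened" code too quickly. Only the +3 relationship comes from the advisory.
from dataclasses import dataclass

OPEN_TO_CLOSE_OFFSET = 3            # closed code = opened code + 3 (advisory)
SUSPICIOUS_CLOSE_WINDOW_MS = 2000   # assumption: a real re-close this fast is rare

@dataclass(frozen=True)
class RfEvent:
    ts_ms: int   # receive time in milliseconds
    code: int    # raw code decoded from the 433 MHz frame

# Constructed table: opened-code -> detector name, as a panel would learn at pairing.
REGISTERED = {
    0x002D5F56: "kitchen window",   # opened code from the advisory example
    0x00A1B2C4: "back door",        # constructed second detector
}

def classify(code: int, registered: dict) -> tuple:
    """Map a received code to (detector name, event kind)."""
    if code in registered:
        return registered[code], "opened"
    if code - OPEN_TO_CLOSE_OFFSET in registered:
        return registered[code - OPEN_TO_CLOSE_OFFSET], "closed"
    return None, "unknown"

def find_suspicious_closes(events, registered=REGISTERED,
                           window_ms=SUSPICIOUS_CLOSE_WINDOW_MS) -> list:
    """Return (detector, delta_ms) for each close within window_ms of its open."""
    last_open = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts_ms):
        name, kind = classify(ev.code, registered)
        if kind == "opened":
            last_open[name] = ev.ts_ms
        elif kind == "closed" and name in last_open:
            delta = ev.ts_ms - last_open.pop(name)
            if delta <= window_ms:
                alerts.append((name, delta))
    return alerts

# Constructed log: kitchen window "closes" 400 ms after opening, back door after 15 s.
SAMPLE_EVENTS = [
    RfEvent(10_000, 0x002D5F56), RfEvent(10_400, 0x002D5F59),
    RfEvent(20_000, 0x00A1B2C4), RfEvent(35_000, 0x00A1B2C7),
]

if __name__ == "__main__":
    for name, delta in find_suspicious_closes(SAMPLE_EVENTS):
        print(f"ALERT: {name} reported closed {delta} ms after opening")
```

The heuristic cannot distinguish a spoofed close from a genuine fast re-close, so it is a monitoring aid rather than a fix for the fixed-code protocol itself.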
There is no protection mechanism against replay attacks: both signals (window closed and window opened) always carry the same fixed code for a given detector. The main issue is that the signal is unencrypted, which allows an attacker to read and adjust the bits that encode the event type.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Hardware which is able to read, calculate and send 433 MHz signals is necessary to execute this attack. For example, a Flipper Zero [6] can be used.

To demonstrate this issue, a Sub-GHz fixed-frequency scan can be used to capture the radio signals sent on "window opened" and "window closed" events. Once the "window opened" signal has been captured, the code for the "window closed" signal can be calculated and the signal can be emulated to make the alarm system think the window has been closed again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

TBA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-08-19: Vulnerability discovered
2024-10-16: Vulnerability reported to manufacturer
2024-11-08: Reminder sent to the manufacturer
2024-12-04: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Amazon link for the PGST Security Alarm System
    https://www.amazon.de/PGST-Komplettsystem-120-dB-Alarmsirene-Intelligenter-Fernbedienung/dp/B0CLHVRPFX/ref=sr_1_6?th=1
[2] Product website for the PGST Security Alarm System
    https://www.cn-pgst.com/
[3] SySS Security Advisory SYSS-2024-071
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-071.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] EM4100 protocol description
    https://www.priority1design.com.au/em4100_protocol.html
[6] Flipper Zero homepage
    https://flipperzero.one/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Auwärter of SySS GmbH.

E-Mail: sebastian.auwaerter@syss.de
LinkedIn: https://de.linkedin.com/in/sebastian-auw%C3%A4rter-156035305
Public Key: https://www.syss.de/kontakt/pgp-keys
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en