Advisory ID:               SYSS-2024-072
Product:                   PGST Security Alarm System
Manufacturer:              Shenzhen Pilot Guards Safety Technology Co., Ltd (PGST)
Affected Version(s):       2024-08-19 (No version number)
Tested Version(s):         2024-08-19 (No version number)
Vulnerability Type:        Improper Handling of Exceptional Conditions (CWE-755)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2024-10-16
Solution Date:             TBA
Public Disclosure:         2024-12-04
CVE Reference:             Not yet assigned
Author of Advisory:        Sebastian Auwärter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The PGST Security Alarm System is a home alarm system.

The manufacturer describes the product as follows (see [1]):

"Our WiFi/GSM alarm system offers reliable and comprehensive protection
for your home, garage, apartments and shops or other buildings on your
property."

The alarm system can be disrupted by sending white noise or randomized
signals on the 433 MHz channel.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Since no security measures exist to check if a device is still
communicating with the alarm station, white noise or otherwise
indiscernible data can be sent on the 433 MHz channel to prevent the
station from capturing any signals sent on certain events like opened
windows, doors or movement in reach of a movement sensor.

The alarm system does not detect being disconnected from its sensors.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Hardware which is able to send arbitrary signals on the 433 MHz channel
is necessary to reproduce this attack, for example a Flipper Zero [6]
with custom firmware. Moreover, files containing random signals for this
channel are necessary.

After "Sub Gigahertz -> Saved -> the file -> Send" is pressed on the
Flipper Zero, white noise is sent on the channel and no events are
received on the alarm station, thus circumventing any protection the
alarm system provides.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

TBA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-08-19: Vulnerability discovered
2024-10-16: Vulnerability reported to manufacturer
2024-11-08: Reminder sent to the manufacturer
2024-12-04: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Amazon link for the PGST Security Alarm System
    https://www.amazon.de/PGST-Komplettsystem-120-dB-Alarmsirene-Intelligenter-Fernbedienung/dp/B0CLHVRPFX/ref=sr_1_6?th=1
[2] Product website for the PGST Security Alarm System
    https://www.cn-pgst.com/
[3] SySS Security Advisory SYSS-2024-070
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-070.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] EM4100 protocol description
    https://www.priority1design.com.au/em4100_protocol.html
[6] Flipper Zero homepage
    https://flipperzero.one/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Auwärter of SySS GmbH.

E-Mail: sebastian.auwaerter@syss.de
LinkedIn: https://de.linkedin.com/in/sebastian-auw%C3%A4rter-156035305
Public Key: https://www.syss.de/kontakt/pgp-keys
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
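
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Added example (not part of the SySS advisory and not PGST firmware code):
the station-side check that the Vulnerability Details section reports as
missing, written as sensor supervision plus sustained-carrier detection.
The heartbeat timeout, RSSI threshold, hold time, sensor ID and all
function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values; the advisory describes no supervision protocol. */
#define SUPERVISION_TIMEOUT_S 180   /* enrolled sensor must check in this often */
#define JAM_RSSI_DBM          (-60) /* level treated as "channel occupied" */
#define JAM_HOLD_S            10    /* occupied this long with no valid frame */

enum fault { FAULT_NONE = 0, FAULT_SENSOR_LOST = 1, FAULT_JAMMING = 2 };
struct sensor  { uint16_t id; uint32_t last_seen; };
struct station { struct sensor *sensors; int count; int busy; uint32_t busy_since; };

/* Call for every frame that decodes correctly; only enrolled IDs count. */
void on_valid_frame(struct station *st, uint16_t id, uint32_t now) {
    for (int i = 0; i < st->count; i++)
        if (st->sensors[i].id == id) {
            st->sensors[i].last_seen = now;
            st->busy = 0;           /* a decodable frame: channel is usable */
        }
}

/* Call once per second with the receiver's RSSI; returns a fault bitmask. */
int poll_faults(struct station *st, int rssi_dbm, uint32_t now) {
    int faults = FAULT_NONE;
    if (rssi_dbm >= JAM_RSSI_DBM) {
        if (!st->busy) { st->busy = 1; st->busy_since = now; }
        if (now - st->busy_since >= JAM_HOLD_S) faults |= FAULT_JAMMING;
    } else {
        st->busy = 0;
    }
    for (int i = 0; i < st->count; i++)
        if (now - st->sensors[i].last_seen > SUPERVISION_TIMEOUT_S)
            faults |= FAULT_SENSOR_LOST;
    return faults;
}

int main(void) {
    struct sensor s[] = { { 0x1A2B, 0 } };      /* constructed sensor ID */
    struct station st = { s, 1, 0, 0 };
    int prev = 0;
    for (uint32_t t = 1; t <= 250; t++) {       /* constructed timeline */
        if (t == 60) on_valid_frame(&st, 0x1A2B, t);
        int f = poll_faults(&st, t >= 100 ? -40 : -95, t);
        if (f != prev) printf("t=%u faults=%d\n", (unsigned)t, f);
        prev = f;
    }
    return 0;
}
```

With either fault raised, a station can alert the owner instead of
silently receiving nothing while the channel is occupied.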