Advisory ID:               SYSS-2024-073
Product:                   PGST Security Alarm System
Manufacturer:              Shenzhen Pilot Guards Safety Technology Co., Ltd (PGST)
Affected Version(s):       2024-08-19 (No version number)
Tested Version(s):         2024-08-19 (No version number)
Vulnerability Type:        Authentication Bypass by Capture-replay (CWE-294)
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2024-10-16
Solution Date:             TBA
Public Disclosure:         2024-12-04
CVE Reference:             Not yet assigned
Author of Advisory:        Sebastian Auwärter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The PGST Security Alarm System is a home alarm system.

The manufacturer describes the product as follows (see [1]):

"Our WiFi/GSM alarm system offers reliable and comprehensive protection
for your home, garage, apartments and shops or other buildings on your
property."

Components that use radio signals are vulnerable to replay attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Protective measures against replay attacks are not implemented for any
of the components that use radio signals to communicate with the alarm
system. Therefore, any signal, such as the remote control's disarm
command or the signal sent after a window or door has been closed, can
be replayed once it has been captured.

Since the range of the various components is good (100 meters,
according to the manufacturer), the signals can be captured from
relatively far away.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Hardware that can receive and replay sub-gigahertz signals is required
to reproduce a replay attack; a Flipper Zero [6], for example, can be
used. After capturing a signal with "Sub Ghz -> Read" or "Sub Ghz ->
Read Raw", it can be replayed with the send button.
Since only a static ID is sent for each signal, the base station assumes
that the event has happened again. If the disarm signal of the alarm
system is captured, the alarm function can be circumvented, open doors
and windows can be made to appear closed, or false alarms can be
triggered.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

TBA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-08-19: Vulnerability discovered
2024-10-16: Vulnerability reported to manufacturer
2024-11-08: Reminder sent to the manufacturer
2024-12-04: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Amazon listing for the PGST Security Alarm System
    https://www.amazon.de/PGST-Komplettsystem-120-dB-Alarmsirene-Intelligenter-Fernbedienung/dp/B0CLHVRPFX/ref=sr_1_6?th=1
[2] Product website for the PGST Security Alarm System
    https://www.cn-pgst.com/
[3] SySS Security Advisory SYSS-2024-070
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-070.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] EM4100 protocol description
    https://www.priority1design.com.au/em4100_protocol.html
[6] Flipper Zero homepage
    https://flipperzero.one/
[7] RFID fuzzer
    https://github.com/DarkFlippers/Multi_Fuzzer
[8] Crunch
    https://github.com/jim3ma/crunch

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Auwärter of SySS GmbH.
E-Mail:          sebastian.auwaerter@syss.de
LinkedIn:        https://de.linkedin.com/in/sebastian-auw%C3%A4rter-156035305
Public Key:      https://www.syss.de/kontakt/pgp-keys
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
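The following Python model is added here and is not part of the advisory or the product's firmware. It contrasts the static-ID frame described under "Vulnerability Details" (every copy of a valid ID is accepted) with a counter-plus-MAC scheme of the kind a base station needs in order to drop replayed frames; the frame layout, the acceptance window and the demo key are assumptions for illustration, not the product's.

```python
import hashlib
import hmac

class StaticIdStation:
    """Reported design: a frame is only a fixed sensor ID, so a captured copy
    is indistinguishable from a fresh transmission (CWE-294)."""
    def __init__(self, known_ids):
        self.known_ids = set(known_ids)

    def receive(self, frame: bytes) -> bool:
        return frame in self.known_ids  # any copy of a valid ID is accepted

class RollingCodeStation:
    """Hardened model (assumed layout, not the product's): frame =
    device_id(4) || counter(4, big-endian) || HMAC-SHA256(key, first 8 bytes)[:8].
    Accepted only if the MAC verifies and last < counter <= last + WINDOW."""
    WINDOW = 16  # tolerate a few lost frames without losing sync

    def __init__(self, keys):
        self.keys = dict(keys)  # device_id -> per-device secret key
        self.last_ctr = {dev: -1 for dev in self.keys}

    def receive(self, frame: bytes) -> bool:
        dev = frame[:4]
        key = self.keys.get(dev)
        if key is None or len(frame) != 16:
            return False
        expected = hmac.new(key, frame[:8], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, frame[8:]):
            return False  # forged or corrupted frame
        ctr, last = int.from_bytes(frame[4:8], "big"), self.last_ctr[dev]
        if not last < ctr <= last + self.WINDOW:
            return False  # replayed or stale counter: dropped
        self.last_ctr[dev] = ctr
        return True

def make_frame(dev: bytes, ctr: int, key: bytes) -> bytes:
    body = dev + ctr.to_bytes(4, "big")  # sensor side: ID and counter
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

def demo():
    """Returns ([static results], [rolling results]) for: fresh, replay, next fresh."""
    key = b"\x11" * 16  # constructed demo key
    static, rolling = StaticIdStation([b"DOOR"]), RollingCodeStation({b"DOOR": key})
    static_res = [static.receive(b"DOOR"), static.receive(b"DOOR")]
    f1 = make_frame(b"DOOR", 3, key)
    rolling_res = [rolling.receive(f1), rolling.receive(f1),
                   rolling.receive(make_frame(b"DOOR", 4, key))]
    return static_res, rolling_res
```

The replayed copy is accepted by the static-ID station and rejected by the counter-checking one, while the next genuine frame still goes through.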