The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: ABUS Secvest Wireless Control Device Missing Encryption
Advisory ID: SYSS-2020-014
Product: ABUS Secvest Wireless Control Device (FUBE50001)
Manufacturer: ABUS
Affected Version(s): N/A
Tested Version(s): N/A
Vulnerability Type: Missing Encryption of Sensitive Data (CWE-311)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2020-04-03
Solution Date: -
Public Disclosure: 2020-06-17
CVE Reference: CVE-2020-14157
Authors of Advisory: Michael Rttgers, Thomas Detert,
Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
ABUS Secvest Wireless Control Device (FUBE50001) is a wireless control
panel for the ABUS Secvest wireless alarm system.
Some of the device features as described by the manufacturer are
(see [1]):
"
* Easy operation via code or proximity keyfob
The Secvest wireless control panel is an optional Secvest accessory.
Every wireless control panel can be operated from your system via PIN
code. It is possible to arm and disarm the panel via proximity keyfob.
* Flexible use in entrance areas
Up to 8 control panels can be integrated into the alarm system. These
additional modules can be placed in various areas of the building.
This provides added convenience for you, because Secvest can be armed
and disarmed directly on the wireless control panel, without the need
to go back to the central alarm panel every time.
In addition to internal arming or arming individual sub-areas, you can
also switch a single output, such as the garage door, if desired.
* Secure wireless communication
Thanks to a secure wireless communication procedure, this product is
protected against replay attacks, as are the Secvest wireless alarm
system and Secvest Touch alarm systems. This procedure for preventing
third-party tampering exceeds the requirements of the DIN EN 50131-1
level 2 security standard.
"
Due to the missing encryption of the wireless communication, an attacker
is able to eavesdrop sensitive data as cleartext, for instance, used PINs
or proximity token IDs.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
Michael Rttgers found out that the wireless communication of the ABUS
Secvest Wireless Control Device (FUBE50001) for transmitting sensitive
data like PIN codes or IDs of used proximity chip keys (RFID tokens) is
not encrypted.
This security issue is related to the insecure wireless transmission of
sensitive data of the ABUS Secvest remote controls FUBE50014 and
FUBE50015 reported back in 2018 (see SySS security advisory
SYSS-2018-035 [2]).
Thus, an attacker observing radio signals of an ABUS FUBE50001
wireless control panel is able to see all sensitive data of transmitted
packets as cleartext and can analyze the used packet format and the
communication protocol.
For instance, this security issue could successfully be exploited to
sniff used PIN codes and used proximity chip key IDs.
By knowing the correct PIN code or the ID of a valid ABUS Secvest
proximity chip key, an attacker is able to disarm the wireless alarm
system in an unauthorized way.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
Michael Rttgers, Thomas Detert, and Matthias Deeg developed different
PoC software tools, either for the RFCat-based radio dongle YARD Stick
One [3] in one version, or the GreatFet One neighbor Erica [4] in another
one, that allowed sniffing out used PIN codes or used proximity chip key
IDs when eavesdropping on the FUBE50001 wireless communication.
The following output exemplarily shows a successful PIN code sniffing
attack:
$ python2 abus_fube50001_pin_sniffer.py
ABUS Secvest FUBE50001 PIN Code Sniffer PoC - SySS GmbH (c) 2020
by Thomas Detert, Michael Rttgers, and Matthias Deeg
---
[*] Listening for ABUS FUBE50001 packets ...
[*] Received packet:
f0f352b4ccb4ccd52aab52d2acd2d34d4cb34cb333332b34d4b530f0f0f352b4ccb4ccd52aab52d2acd2d34d4cb34cb333332b34d4b530f0f0f333333333117162f5
[*] Decoded packet : da0a077ed5c549888800626b
[*] Received packet:
f0f352b4b32b4d352ad5332aab2cb34cd3332cccb4ccacb354acaaaaccccd2ab32aab54d30f0f0f352b4b32b4d352ad5332aab2cb34cd3332cccb4ccacb354acaaaa
[*] Decoded packet : da86937707e4884040a0c8ecff005e1fb9
[*] Detected FUBE50001 packet with FUBE50001 PIN
[+] Sniffed PIN code: 1337
(...)
An example of a successful sniffing attack regarding the ID of an ABUS
proximity chip key is illustrated in the following output:
$ python2 abus_fube50001_chip_key_id_sniffer.py
ABUS Secvest FUBE50001 Proximity Chip Key ID Sniffer PoC - SySS GmbH (c)
2020
by Thomas Detert, Michael Rttgers, and Matthias Deeg
---
[*] Listening for ABUS FUBE50001 packets ...
[*] Received packet:
f0f352b4b332b2cad52accd554d34cb32cccd33332b34ab2cd2b2d4ad32ad2aacaacd32b30f0f0f3057c0764bf788b6ce7d0de43f6c1cb71e7374b7bd7c7a1abe567
[*] Decoded packet: da81937707e488404018b9165b475f3c46
[*] Detected FUBE50001 packet with proximity token ID
[+] Sniffed proximity chip key ID: 3805964445
(...)
The described sniffing attacks are also demonstrated in the SySS
Proof-of-Concept Video titled "ABUS Secvest Sniffing Attack" which is
available on the SySS YouTube Channel [8].
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
SySS GmbH is not aware of a solution for this reported security
vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2020-04-03: Vulnerability reported to manufacturer
2020-06-17: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for ABUS Secvest wireless control device
https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Control-devices-and-extensions/Secvest-Wireless-Control-Device
[2] SySS Security Advisory SYSS-2018-035
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-035.txt
[3] Product website YARD Stick One
https://greatscottgadgets.com/yardstickone/
[4] GreatFET One neighbor Erica targeting the 315/433/868/915 MHz
freqency bands
https://github.com/AsFaBw/erica
[5] GreatFET wiki
https://github.com/greatscottgadgets/greatfet/wiki
[6] SySS Security Advisory SYSS-2020-014
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-014.txt
[7] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
[8] SySS Proof of Concept Video: ABUS Secvest Sniffing Attack
https://www.youtube.com/watch?v=kCqAVYyahLc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Michael Rttgers and Thomas
Detert.
Mr. Rttgers and Mr. Detert reported this finding to SySS GmbH where it
was verified and later reported to the manufacturer by Matthias Deeg.
E-Mail: matthias.deeg (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum