EASY HOME Alarmanlagen-Set MAS-S01-09 Cryptographic Issues
Posted on 30 November -0001
<HTML><HEAD><TITLE>EASY HOME Alarmanlagen-Set MAS-S01-09 Cryptographic Issues</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Advisory ID: SYSS-2016-107 Product: EASY HOME Alarmanlagen-Set Manufacturer: monolith GmbH Affected Version(s): Model No. MAS-S01-09 Tested Version(s): Model No. MAS-S01-09 Vulnerability Type: Cryptographic Issues (CWE-310) Risk Level: Low Solution Status: Open Manufacturer Notification: 2016-10-05 Solution Date: - Public Disclosure: 2016-11-23 CVE Reference: Not yet assigned Author of Advisory: Gerhard Klostermeier (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The EASY HOME MAS-S01-09 is a wireless alarm system with different features sold by ALDI SAD. Some of the features as described in the German product manual are (see [1]): " - - Alarmanlagen-Set mit drahtlosen Sensoren und Mobilfunk-Anbindung - - SOS-Modus, Stiller Alarm, Aberwachungs- und Intercom-Funktion - - Integrierte Quad-Band Mobilfunkeinheit fA1/4r GSM-Netze im 850 / 900 / 1800 / 1900 MHz-Bereich - - Alarmbenachrichtigung auf externe Telefone - - Eingebaute Sirene (ca. 90 dB), inkl. Anschluss fA1/4r externe Sirene - - UnterstA1/4tzung fA1/4r bis zu 98 kabellosen Sensoren / bis zu 4 kabelgebundene Sensoren - - Stromausfallsicherung der Basiseinheit durch 4 x AAA Alkaline-Batterien - - Fernbedienbar per Telefon " Due to the use of an insecure 125 kHz RFID technology, RFID tokens of the EASY HOME MAS-S01-09 wireless alarm system can easily be cloned and used to deactivate the alarm system in an unauthorized way. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: SySS GmbH found out that the 125 kHz RFID technology used by the EASY HOME MAS-S01-09 wireless alarm system has no protection by means of authentication against rogue/cloned RFID tokens. The information stored on the used RFID tokens can be read easily in a very short time from distances up to 1 meter, depending on the used RFID reader. A working cloned RFID token is ready for use within a couple of seconds using freely available tools. Thus, an attacker with one-time access to the information of an RFID token of an EASY HOME MAS-S01-09 wireless alarm system is able to create a rogue RFID token that can be used to deactivate the alarm system in an unauthorized manner. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): SySS GmbH could successfully clone an RFID token of an EASY HOME MAS-S01-09 wireless alarm system using a freely available off-the-shelf tool and disarm the wireless alarm system in an unauthorized way. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a solution for this reported security vulnerability concerning the tested product version. For further information please contact the manufacturer. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-10-05: Vulnerability reported to manufacturer 2016-10-12: E-mail to manufcaturer concerning the status of the reported security issue 2016-11-23: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product manual of EASY HOME MAS-S01-09 wireless alarm system http://monolith-shop.de/wp-content/uploads/2016/09/MAS-S01-09_Alarmanlage_Bedienungsanleitung.pdf [2] SySS Security Advisory SYSS-2016-107 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-107.txt [3] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Gerhard Klostermeier of SySS GmbH. E-Mail: gerhard.klostermeier (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Gerhard_Klostermeier.asc Key fingerprint = 8A9E 75CC D510 4FF6 8DB5 CC30 3802 3AAB 573E B2E7 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </BODY></HTML>