EASY HOME Alarmanlagen-Set MAS-S01-09 Replay Attack
Posted on 30 November -0001
<HTML><HEAD><TITLE>EASY HOME Alarmanlagen-Set MAS-S01-09 Replay Attack</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Advisory ID: SYSS-2016-106 Product: EASY HOME Alarmanlagen-Set Manufacturer: monolith GmbH Affected Version(s): Model No. MAS-S01-09 Tested Version(s): Model No. MAS-S01-09 Vulnerability Type: Missing Protection against Replay Attacks Risk Level: Medium Solution Status: Open Manufacturer Notification: 2016-09-26 Solution Date: - Public Disclosure: 2016-11-23 CVE Reference: Not yet assigned Author of Advisory: Matthias Deeg (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The EASY HOME MAS-S01-09 is a wireless alarm system with different features sold by ALDI SUD. Some of the features as described in the German product manual are (see [1]): " - - Alarmanlagen-Set mit drahtlosen Sensoren und Mobilfunk-Anbindung - - SOS-Modus, Stiller Alarm, Uberwachungs- und Intercom-Funktion - - Integrierte Quad-Band Mobilfunkeinheit fur GSM-Netze im 850 / 900 / 1800 / 1900 MHz-Bereich - - Alarmbenachrichtigung auf externe Telefone - - Eingebaute Sirene (ca. 90 dB), inkl. Anschluss fur externe Sirene - - Unterstutzung fur bis zu 98 kabellosen Sensoren / bis zu 4 kabelgebundene Sensoren - - Stromausfallsicherung der Basiseinheit durch 4 x AAA Alkaline-Batterien - - Fernbedienbar per Telefon " Due to an insecure implementation of the used 433 MHz radio communication, the EASY HOME MAS-S01-09 wireless alarm system is vulnerable to replay attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: SySS GmbH found out that the radio communication protocol used by the EASY HOME MAS-S01-09 wireless alarm system and its remote control is not protected against replay attacks. Therefore, an attacker can record the 433 MHz radio signal of a wireless remote control, for example using a software-defined radio, when the alarm system is disarmed by its owner, and play it back at a later time in order to disable the alarm system at will. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): SySS GmbH could successfully perform a replay attack as described in the previous section using a software-defined radio and disarm an EASY HOME MAS-S01-09 wireless alarm system in an unauthorized way. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a solution for this reported security vulnerability concerning the tested product version. For further information please contact the manufacturer. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-09-26: Vulnerability reported to manufacturer 2016-09-30: Manufacturer responds to reported security issue and that the information will be integrated in the next product version 2016-09-30: E-mail to manufacturer concerning a security advice in the product manual 2016-10-04: Response concerning security advice in product manual 2016-11-23: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product manual of EASY HOME MAS-S01-09 wireless alarm system http://monolith-shop.de/wp-content/uploads/2016/09/MAS-S01-09_Alarmanlage_Bedienungsanleitung.pdf [2] SySS Security Advisory SYSS-2016-106 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-106.txt [3] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Matthias Deeg of SySS GmbH. E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </BODY></HTML>