-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2016-064
Product: M2B GSM Wireless Alarm System
Manufacturer: Multi Kon Trade
Affected Version(s): Unspecified
Tested Version(s): Unspecified
Vulnerability Type: Improper Restriction of Excessive Authentication
Attempts (CWE-307)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2016-07-05
Solution Date: -
Public Disclosure: 2016-11-23
CVE Reference: Not yet assigned
Author of Advisory: Gerhard Klostermeier, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
The M2B GSM wireless alarm system by Multi Kon Trade (MKT) was tested
for possible security issues.
Some features of this alam system as described by the manufacturer are
(see [1]):
* You will be noticed of any alarm by call or by SMS message.
* The alarm system has a battery which will last 6 to 8 hours in case
of a blackout.
* You can pair up to 99 devices (sensors, remote control, etc.).
* You do not have to run any cables. Everything is wireless.
* It is possible to trigger alarms in case of fire, even if the
alarm is disabled.
* It is possible to trigger the alarm with a delay.
Due to an insecure implementation of the used 433 MHz radio
communication, the wireless alarm system M2B GSM is vulnerable to
brute-force attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
SySS GmbH found out that the 433 MHz radio communication of the wireless
alarm system M2B GSM has no protection against brute-force attacks.
A valid (paired) remote control is identified through its eight
characters long identifier. A character is either "0", "1" or "f"
(floating) (see [2]). Thus, it is possible to send any command signal
for all possible identifiers. Via such a brute-force attack, for
instance, it is possible to disarm an armed M2B GSM wireless alarm
system remotely in an unauthorized manner.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
SySS GmbH build a small device that is able to arm and disarm every M2B
GSM wireless alarm system within its radio range in max. 40 minutes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
An extra anti-jammer device is purchasable by the Vendor. This sensor
should detect malicious devices that are trying to disarm system using
the brute-force method. If such a device is detected the alarm will
be triggered. (Solution as suggested by the vendor.)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2016-07-05: Vulnerability reported to manufacturer
2016-10-13: Response from the vendor with the solution on how to
mitigate the risk
2016-11-23: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] M2B GSM Wireless Alarm System, Multi Kon Trade
http://multikontrade.de/GSM-Funk-Alarmanlage
[2] PT2260 Remote Control Encoder, Princeton Technology Corp.
http://www.princeton.com.tw/Portals/0/Product/PT2260_4.pdf
[3] SySS Security Advisory SYSS-2016-064
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-064.txt
[4] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Gerhard Klostermeier of SySS
GmbH.
E-Mail: gerhard.klostermeier (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Gerhard_Klostermeier.asc
Key fingerprint = 8A9E 75CC D510 4FF6 8DB5 CC30 3802 3AAB 573E B2E7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYNCglAAoJENmkv2o0rU2rgBYQAJB8N3DfO1TbmMszMRv7XBOS
TIENtQ2lVEGiKV6TMReHu/7GjFYa/KNvE6129fBs6CC/LokySV6OttU7vLbpxXf4
z1Kcur/W7ztd6eRm0YCsBby908tEB0t/vW0pzDd58b76AAJkyxHW4/uGYSlXaJdl
IkUUU1kYkuKuiLsqtjNTsEYCxDB9ZGslngFdZsGCZbXSwYiZOCNIuHWi+rb+Auu2
ypNf6/JdDV7G2iKTZy8oOQBk2oOsiF09CeuNJ5DNS5Mr+NJupFK4PsxoHYWqZnaq
95tMcuXAJacPHb+tBmzEeiE303pCFuCOwRxPAUDG+iwlBfbY1+s5RqvbYyP1PFRI
xMbCSFwUoG5Kyko6JHV/lDAleKP2Dt4IgFu9VN6Tg2BARF6wtAaVa74RfjSm9YjA
g1HUfm2hz+qKM6pbSdVx4JeKDMi6/8tk3KzFb+APNqhEvgNQa3GGiJEH6KpqGhzN
bwUrqlqHPuGX+07CG42Y3klWXJXEqfW0p7LEMq2FDP514JLk2JxmBwrnHrW7nkQb
fzNH9qBEzYfY4Wli+3lAK3wN2+lNlmMecymGTzhu3HGnCOhbbc5Q1gd4cwxayZPJ
nbGAIcG8N4QyNTdJIHTod7Ic6wZH2D3hezoxSW7ConI8NogYaNRwZ3Gg3biNsG5t
61wisI5oiJ7tShQnO1p2
=8JO2
-----END PGP SIGNATURE-----