M2B GSM Wireless Alarm System Replay Attacks

2016.11.28
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2016-066 Product: M2B GSM Wireless Alarm System Manufacturer: Multi Kon Trade Affected Version(s): Unspecified Tested Version(s): Unspecified Vulnerability Type: Missing Protection against Replay Attacks Risk Level: Medium Solution Status: Open Manufacturer Notification: 2016-07-05 Solution Date: - Public Disclosure: 2016-11-23 CVE Reference: Not yet assigned Author of Advisory: Gerhard Klostermeier, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The M2B GSM wireless alarm system by Multi Kon Trade (MKT) was tested for possible security issues. Some features of this alarm system as described by the manufacturer are (see [1]): * You will be noticed of any alarm by call or by SMS message. * The alarm system has a battery which will last 6 to 8 hours in case of a blackout. * You can pair up to 99 devices (sensors, remote control, etc.). * You do not have to run any cables. Everything is wireless. * It is possible to trigger alarms in case of fire, even if the alarm is disabled. * It is possible to trigger the alarm with a delay. Due to an insecure implementation of the used 433 MHz radio communication, the wireless alarm system M2B GSM is vulnerable to replay attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: SySS GmbH found out that the radio communication protocol used by the M2B GSM wireless alarm system and its remote control is not protected against replay attacks. Therefore, an attacker can record the radio signal of a wireless remote control, for example using a software defined radio, when the alarm system is disarmed by its owner, and play it back at a later time in order to disable the alarm system at will. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): SySS GmbH build a small device that is able to perform replay attacks against the 433 MHz radio communication of the M2B GSM wireless alarm system, for example in order to arm and disarm the wireless remote system in an unauthorized manner. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Do not use the 433 MHz remote control to arm or disarm the system. Instead it is recommended to use the app for iOS and Android smartphones or to arm and disarm the system manually with the on-board keypad. (Solution as suggested by the vendor.) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-07-05: Vulnerability reported to manufacturer 2016-10-13: Response from the vendor with the solution on how to mitigate the risk 2016-11-23: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] M2B GSM Wireless Alarm System, Multi Kon Trade http://multikontrade.de/GSM-Funk-Alarmanlage [2] PT2260 Remote Control Encoder, Princeton Technology Corp. http://www.princeton.com.tw/Portals/0/Product/PT2260_4.pdf [3] SySS Security Advisory SYSS-2016-066 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-066.txt [4] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Gerhard Klostermeier of SySS GmbH. E-Mail: gerhard.klostermeier (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Gerhard_Klostermeier.asc Key fingerprint = 8A9E 75CC D510 4FF6 8DB5 CC30 3802 3AAB 573E B2E7 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJYNCg9AAoJENmkv2o0rU2rtIMP/3OZVr9igvbqmDaOWyvdQbkS q5wF+qf48ACbeqzWJHbzp7y5GE+hsvuMvnpLa2JMwg8E+Wqo7P9/TBKJ/F/W8YRb b2skOQFDuuF3CNG1Uco+hDhPs1FvWVAtOy+YUPPI45IMm+/hOXTRttosns++ZSug GGW8AOtr1KdNQc4UWm0Xex/d71mpP+a1Y4zKTQXXoIw1i2zSxloX1pv/n+WYyRho CKOmfaZnzNAakrmHjfQAMYzUk9Ed30H8YA6Y80QwJgns+LqYGu3updNpD8u4cabq cDC0YOrnyOVuLZgr6itVq6kNu5jPhVkM7ECuTdHWkZOrS1gArti6by5um/xtmO7U fpBjUNtIxqj6yymkkGZ3HK3nxtvlfJk2zqwwJA+z0j1YyzpZwIHB7EUqe/lsiDVx Fu1OGURRlbU2ES3LFfKWwG3S4ZQSa7sI6CZFJjMR8m9E3UNSwYLhMisK8FuooY4A xFOusWlNTj6yPMUe2RXoCUD8lmbOJpPUqIbzfIcK4ek2xGtwWb/9AkmSJhxrFcEg ktCFV2DzFCwkgfYjrKPx4baOpFWYh+A99YzK8rDqVkWTsOSAV/M9NON3jiN3Ai46 Vubtn1bAIzwnaLpzZ2YESOvifFxDlQhpuQCAm4enWkOU2WIicalwJTngbEc0dHDV sBKBNoQ8Rav8oKfVj2J0 =Z0mu -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top