-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2016-071
Product: Smart GSM Alarm SA 2500 Kit
Manufacturer: Blaupunkt
Affected Version(s): v1.0
Tested Version(s): v1.0
Vulnerability Type: Missing Protection against Replay Attacks
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-07-14
Solution Date: -
Public Disclosure: 2016-11-23
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
The Blaupunkt Smart GSM Alarm SA 2500 Kit is a wireless alarm system
with different features.
The manufacturer describes the product as follows (see [1]):
"Home is priceless. Protecting home should be anyone's top priority.
Blaupunkt Smart Alarm Series SA 2500/ SA 2700 Kit offers you an easy
and efficient way to do 'DIY security, DIY protection.' You can set up
a quality security system all by yourself and control/monitor your home
from your smartphone anytime, anywhere."
Due to an insecure implementation of the used 868 MHz radio
communication, the wireless alarm system Blaupunkt Smart GSM Alarm SA
2500 Kit is vulnerable to replay attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
SySS GmbH found out that the radio communication protocol used by the
Blaupunkt Smart GSM Alarm SA 2500 wireless alarm system and its remote
control is not protected against replay attacks. Therefore, an attacker
can record the radio signal of a wireless remote control, for example
using a software-defined radio, when the alarm system is disarmed by its
owner, and play it back at a later time in order to disable the alarm
system at will.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
SySS GmbH could successfully perform a replay attack as described in the
previous section using a software-defined radio and disarm a Blaupunkt
Smart GSM Alarm SA 2500 wireless alarm system in an unauthorized way.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
SySS GmbH is not aware of a solution for this reported security
vulnerability.
For further information please contact the manufacturer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2016-07-14: Vulnerability reported to manufacturer via e-mail and a
ticket in the Blaupunkt customer service portal
2016-07-14: Received an e-mail from the manufacturer confirming the
ticket
2016-07-15: Manufacturer closed the ticket without any further
notification or solution regarding the reported security
vulnerability
2016-11-23: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Blaupunkt Smart GSM Alarm Series SA 2500/SA 2700 KIT
http://www.blaupunkt.com/uploads/tx_ddfproductsbp/2500-2700_39.pdf
[2] SySS Security Advisory SYSS-2016-071
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-071.txt
[3] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Matthias Deeg of SySS GmbH.
E-Mail: matthias.deeg (at) syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYNChPAAoJENmkv2o0rU2rnc4P/ihKlrRMJuTtJo3y72pi8i7O
Y/FrOpcUn8zW04PGUBBIC2YK4GfhMfjIQCHY74TNEdGWOMY4lshvbsN9mY2ChSvx
MnIllcklXHGbEAAyuu8LafnXVSVIHQtSsCV0H0XPoOhZxj0u5CzziK2xUIYCwcsp
fRO0+67PQzUtx9HebiR/sf/fJZj6KdrgLbN2PLQeeZRd6QWDNnF2C5IdBScrFKB3
cVS4AkhuybIwq9LUluIUr3UiA5G8fVSEUbjs7kym2LrLw00ZsJRQxYusIVcJF+Aw
nP0fHj1/ybCMlqQmGMtHKGqsxScHf7lflXhfkLbjic6eJmsJxeV3XIWDLV98D455
/bHyhVHDsiYHbhbPVV7FVBPnmbGKzJ/y2RNInkGpkMJN79tLeJZqNOuZv4AH7MYg
nswPMxVpmyMixv9RA3K6t7Zv/EyQruMhOvvtfR4ib3GQFO/68O+Jzvc0eQbm2gfF
OxM1BeU8HfWEP0FTz+B6h2945ms3N6gsbua4RZUJ1kJDibyIhzww7hIclvlCpo2D
5fPwoWMoT7qV+GAB/RXh9putNcVgk5fIuKAfjcpUwJegv/DDZ6KO2am05OZSRvS/
I6+Oaq4F8RwFKR3j28GJT3gxm++oJ/TOPE+sVF3vD3rZz3wOolMl46K2eD1Sh3/7
QvdQCxoqw2TR+xOL3LkL
=0Wia
-----END PGP SIGNATURE-----