EASY HOME Alarmanlagen-Set MAS-S01-09 suffers from missing protection against replay attacks.
aa11c4d5d771f9d150ecfead9f82a16873ca84a8146387dc50c052e29720ecb1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2016-106
Product: EASY HOME Alarmanlagen-Set
Manufacturer: monolith GmbH
Affected Version(s): Model No. MAS-S01-09
Tested Version(s): Model No. MAS-S01-09
Vulnerability Type: Missing Protection against Replay Attacks
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2016-09-26
Solution Date: -
Public Disclosure: 2016-11-23
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
The EASY HOME MAS-S01-09 is a wireless alarm system with different
features sold by ALDI SUD.
Some of the features as described in the German product manual are
(see [1]):
"
- - Alarmanlagen-Set mit drahtlosen Sensoren und Mobilfunk-Anbindung
- - SOS-Modus, Stiller Alarm, Uberwachungs- und Intercom-Funktion
- - Integrierte Quad-Band Mobilfunkeinheit fur GSM-Netze im 850 / 900 /
1800 / 1900 MHz-Bereich
- - Alarmbenachrichtigung auf externe Telefone
- - Eingebaute Sirene (ca. 90 dB), inkl. Anschluss fur externe Sirene
- - Unterstutzung fur bis zu 98 kabellosen Sensoren / bis zu 4
kabelgebundene Sensoren
- - Stromausfallsicherung der Basiseinheit durch 4 x AAA
Alkaline-Batterien
- - Fernbedienbar per Telefon
"
Due to an insecure implementation of the used 433 MHz radio
communication, the EASY HOME MAS-S01-09 wireless alarm system is
vulnerable to replay attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
SySS GmbH found out that the radio communication protocol used by the
EASY HOME MAS-S01-09 wireless alarm system and its remote control is
not protected against replay attacks. Therefore, an attacker can record
the 433 MHz radio signal of a wireless remote control, for example using
a software-defined radio, when the alarm system is disarmed by its
owner, and play it back at a later time in order to disable the alarm
system at will.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
SySS GmbH could successfully perform a replay attack as described in the
previous section using a software-defined radio and disarm an EASY HOME
MAS-S01-09 wireless alarm system in an unauthorized way.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
SySS GmbH is not aware of a solution for this reported security
vulnerability concerning the tested product version.
For further information please contact the manufacturer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2016-09-26: Vulnerability reported to manufacturer
2016-09-30: Manufacturer responds to reported security issue and that
the information will be integrated in the next product
version
2016-09-30: E-mail to manufacturer concerning a security advice in the
product manual
2016-10-04: Response concerning security advice in product manual
2016-11-23: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product manual of EASY HOME MAS-S01-09 wireless alarm system
http://monolith-shop.de/wp-content/uploads/2016/09/MAS-S01-09_Alarmanlage_Bedienungsanleitung.pdf
[2] SySS Security Advisory SYSS-2016-106
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-106.txt
[3] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Matthias Deeg of SySS GmbH.
E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJYNChqAAoJENmkv2o0rU2rznUP/R2Pg/9Dkc3GPJDKGd1HTaSo
AC/qluqMjGs8FcPj03WPewT2MlTRBLdkEsgP9kUluC8ohvPS6ybBsogTjcNPQ+vp
Qu0gqbhPohTv2VcRlMFAlLycuv2jG56OZ9H6hyNxhCTb8rY8RUI1Ox8R+KQEEFTW
fASLsoGt6aRRucHSQW0v/W8MfAVM4oo7JGTt5NG5aJ6Fl7pzJJ2a31KZ/lFnAXo3
4WJf5z3WbiHVb9nHs9d95+RrbCQWOAi34VRvlENlc6Sw6dYQ6QvaC0L+SA7CKhbe
z0qy0xiz0H14ISnX+7MeVQzvw/MFCA75qRljMoTNVxM3Sm8jxEh7KxYIXL9/KdY6
e76zGYo70YUYRq5lvwI9YRtcTWELzEQ5kanD0W0f8BnrT76l3DDFiCprK4By8dwP
rxJKjPKIgt6hdibQ5BQnUeU4w/euGj5c5+uowE7jvNLQqWx7Npo4iC3NuM0KaW1f
Qp8UbCy7ak3KGg2t6t9k7GsKlHS8lg9agOOFlJsBJpemmSqpwoQw9TImYPsWmNCj
2SK1DGmuf5FmiY/i6Q5CGw1PrfO4R6OIRS4h1NSQ3KPVM5li1CMmk9wXSYGAcCYC
YBtgJ6PNusPMYgXxUNaXo+5wWI1U2EZPMHdEf+IrCLiTc3ozonkVSnQ51v6ZyWLz
GVXDS2B/F8R3/jcD8Gmh
=ujGR
-----END PGP SIGNATURE-----