An expansion module for the Secvest alarm system from Abus provides more range and more functions by connecting wired devices such as motion detectors to the alarm system by radio. But the radio link lacks basic security features, which means that the entire alarm system can be deactivated remotely. The pentesting company Syss has now published the third vulnerability that Abus did not fix within 90 days. The vulnerability was discovered by security researchers Michael Rüttgers and Thomas Detert.
The radio communication between the alarm system and the Secvest Hybrid Module expansion (FUMO50110) lacks confidentiality and integrity protection, the pentesting company explains. The information exchanged by radio could therefore be recorded or falsified. With this vulnerability (CVE-2020-14158), the alarm system can be deactivated from the outside, Syss writes. The attack requires no interaction with the person who owns the alarm system.
“For example, if a Wapploxx locking cylinder is connected to an Abus Secvest wireless alarm system via the hybrid module, an attacker can record a status message from the hybrid module that is sent at regular time intervals, and on the basis of this create a valid radio message to deactivate the alarm system,” writes Syss. Abus markets Wapploxx as a smart access control system that can be used to manage access rights to homes or company premises. However, the vulnerability does not allow the doors to be opened; it only deactivates the alarm that would be raised on unauthorized entry. The doors must be opened in a different way.
Proof of concept, but no fix from Abus
Matthias Deeg, security researcher at Syss, demonstrates the attack in a proof-of-concept video. Using a Python script and a Yard Stick One, a device with which radio transmissions can be recorded and sent, he records a status packet that is transmitted every 2.5 minutes between the expansion module and the alarm system. The Python tool then makes it possible to deactivate the alarm system with a spoofed packet at the touch of a button. Only four bytes have to be changed. The alarm system is thus deprived of its central function: reporting unauthorized intrusion.
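What the missing integrity protection would look like on a periodic status frame, as an added sketch that is not code from Abus or Syss: each frame carries a counter and an HMAC tag, so a receiver rejects both a frame with changed bytes and a recorded frame sent again. The frame layout, key, payload and all names are assumptions made up for this illustration, and the sketch covers integrity and freshness only, not confidentiality.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # truncated HMAC-SHA256 tag; the length is an assumption of this sketch


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender: 32-bit counter + payload, followed by an HMAC tag over both."""
    body = struct.pack(">I", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    """Accepts a frame only if its tag verifies and its counter is new."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) < 4 + TAG_LEN:
            return None  # too short to hold counter and tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # bytes were changed, or the sender lacks the key
        (counter,) = struct.unpack(">I", body[:4])
        if counter <= self.last_counter:
            return None  # recorded frame sent again
        self.last_counter = counter
        return body[4:]


def demo():
    key = bytes(range(16))                 # constructed pairing key
    rx = Receiver(key)
    frame = seal(key, 1, b"STATUS:ARMED")  # constructed payload, not the real format
    altered = bytearray(frame)
    for i in range(4, 8):                  # change four payload bytes
        altered[i] ^= 0xFF
    return [
        rx.accept(bytes(altered)),         # None: tag mismatch
        rx.accept(frame),                  # b"STATUS:ARMED"
        rx.accept(frame),                  # None: counter not fresh
        rx.accept(seal(key, 2, b"STATUS:ARMED")),  # b"STATUS:ARMED"
    ]


if __name__ == "__main__":
    print(demo())
```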
Syss had already informed the manufacturer Abus of the vulnerability at the end of April. Since the problem was not resolved within three months, the pentesting company has now published the vulnerability. The company had published several other security vulnerabilities in the Secvest system last year, which could be used, for example, to clone keys for the alarm system or to deactivate the alarm system remotely.