Researchers from Eye Security have found thousands of unpatched ABUS Secvest home alarm systems exposed online, even though the vendor addressed a critical bug (CVE-2020-28973) in January. A remote attacker could exploit the vulnerability to disable alarm systems and expose homes and corporate buildings to intrusions.
“The ABUS Secvest wireless alarm system FUAA50000 (v3.01.17) fails to properly authenticate some requests to its built-in HTTPS interface. Someone can use this vulnerability to obtain sensitive information from the system, such as usernames and passwords. This information can then be used to reconfigure or disable the alarm system.” reads the description of the vulnerability.
The Secvest FUAA50000 controller costs about EUR400 and is used to control motion sensors, sirens, and door/window sensors.
Unfortunately, experts noticed that more than 90% of the installs are still running flawed firmware versions and have yet to install the security update (V3.01.21) provided by the vendor. As a temporary fix, the vendor also recommends removing the port forward to port 4433 in customers’ routers, which prevents remote control of the devices.
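To verify that the interim mitigation is actually in place, a defender can watch the router for inbound connections to the alarm’s HTTPS port from the internet; any such hit means the port forward to 4433 still exists. The following added example (not part of the Eye Security report) parses constructed iptables-style forward log lines; the log format is an assumption, and the panel address 192.168.99.230 is borrowed from the report’s curl example.

```python
import ipaddress
import re

# Default HTTPS port of the Secvest panel, as stated in the Eye Security report.
SECVEST_PORT = 4433

# Assumed iptables-style FORWARD log format (hypothetical; adjust the regex
# to your router's real syslog output).
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# RFC1918, loopback and link-local ranges count as internal; anything else
# is treated as internet-sourced (deliberately not ipaddress.is_global, which
# also classifies documentation ranges such as 203.0.113.0/24 as non-global).
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_public(ip: str) -> bool:
    """True if the address did not originate from the local network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def find_exposed_hits(lines):
    """Return (src, dst) pairs for inbound TCP connections to port 4433 from
    public sources: each pair is evidence the port forward is still active."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or int(m.group("dpt")) != SECVEST_PORT:
            continue
        if is_public(m.group("src")):
            hits.append((m.group("src"), m.group("dst")))
    return hits


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    "Apr 30 10:01:02 router kernel: FORWARD IN=eth0 OUT=br0 SRC=203.0.113.7 DST=192.168.99.230 PROTO=TCP SPT=51234 DPT=4433 SYN",
    "Apr 30 10:01:05 router kernel: FORWARD IN=br0 OUT=br0 SRC=192.168.99.10 DST=192.168.99.230 PROTO=TCP SPT=40000 DPT=4433 SYN",
    "Apr 30 10:02:11 router kernel: FORWARD IN=eth0 OUT=br0 SRC=198.51.100.9 DST=192.168.99.230 PROTO=TCP SPT=60000 DPT=443 SYN",
    "Apr 30 10:03:40 router kernel: FORWARD IN=eth0 OUT=br0 SRC=203.0.113.7 DST=192.168.99.230 PROTO=TCP SPT=51240 DPT=4433 SYN",
]

if __name__ == "__main__":
    for src, dst in find_exposed_hits(SAMPLE_LOG):
        print(f"inbound hit from {src} to {dst}:{SECVEST_PORT} - port forward still active")
```

Only the two lines from the public source hitting port 4433 are reported; the LAN-internal connection and the hit on port 443 are ignored.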
At the time of the discovery in October, Rapid7 researchers found around 11,000 alarm systems connected online, and according to Eye Security only 1,000 of them were running the latest firmware versions.
“The alarm system can be controlled via the alarm panel, web interface or via the Secvest app (iPhone or Android). To control the system via an app or web interface, the alarm system needs to be connected to the internet and a HTTPS port (4433 by default) needs to be forwarded to the system.” states the report published by Eye Security.
“Based on this information, we did a quick investigation to see how popular the system is. For this we used publicly available HTTPS scans from Rapid7:
Country | Count |
---|---|
Germany | 10.184 |
Switzerland | 445 |
Austria | 426 |
Netherlands | 376 |
Luxembourg | 89 |
France | 37 |
Belgium | 35 |
Other | 87 |
Total | 11.679 |
Most of the vulnerable installs are used in Germany, Switzerland, and Austria.
The flaw affects the web administration panel used to control the Secvest systems: experts noticed that many requests accepted by the devices are not authenticated at all.
Experts also pointed out that authentication to the device’s web interface was implemented using a username and a 4-digit alarm PIN, which could easily be brute-forced in a few minutes.
Experts demonstrated that a single web request to the Secvest alarm is enough to control the siren:

```bash
# Unauthenticated request toggling the siren; the path is redacted in the report.
curl -kv https://192.168.99.230:4433/<redacted> -d 'events={"panelTest_intSirensState":1}'
```
The researchers also discovered that it is possible to access and download the alarm system’s configuration file, which contains information useful for further attacks.
The file contained the usernames and passwords of the users registered on the alarm system.
“By extracting the configuration file we can obtain all usernames and passwords and login to the system. We now have the same privileges as the owner (or installer) of the alarm system. An attacker can now reconfigure or deactivate the system, view the logs to establish a pattern-of-life or look for clues to find the physical location of the system (such as the owner’s name, which installers often enter as the system name).” continues the report. “Also included in the configuration file are plain text passwords for connected systems. If a user has connected cameras to the system, we will be able to access the video feed using the passwords from the configuration file.”
The configuration file also contains passwords for connected systems in plain text; these could be used by attackers to access connected cameras and other devices.
Unfortunately, the update process is not simple. The experts highlighted that only users with special “installer” permissions can install firmware updates, but in many cases the owners of the smart alarms don’t have those permissions because the systems were installed and are managed by a service provider.