Markus Muellner and Markus Kammerstetter
Hoermann BiSecur is a bi-directional wireless access control system “for the convenient and secure operation of garage and entrance gate operators, door operators, lights […]” and smart home devices. The radio signal is AES-128 encrypted and the system is marketed as being “as secure as online banking”. In contrast to conventional, often trivially breakable wireless access control systems, the system should thus make it practically infeasible for attackers to clone a genuine transmitter and gain unauthorized access. We used the low-cost CCC rad1o software defined radio (SDR) platform to intercept and analyze the wireless radio signal. We took apart several Hoermann BiSecur hand transmitters and subsequently utilized a vulnerability in the microcontroller to extract the firmware. In order to conduct a security audit, the extracted firmware was disassembled and analyzed so that the encryption mechanism, the key material, the cryptographic operations and the RF interface could be reverse engineered. Our security analysis shows that the overall security design is sound, but the manufacturer failed to properly initialize the random seed of the transmitters. As a result, an attacker can intercept an arbitrary radio frame and trivially compute the encryption key in use in less than a second. Once the key is known to the attacker, a genuine transmitter can be cloned with an SDR platform such as the CCC rad1o. In addition to unauthorized operation of gates and doors, there is a likely (although currently untested) impact on Smart Home appliances that use the BiSecur system. We tested a total of 7 hand transmitters from 3 different model series with manufacturing dates between 2015 and 2017. All analyzed hand transmitters shared the same static random seed and were found to be vulnerable to our attack. The vulnerability can easily be fixed so that future hand transmitters and radio transmissions are protected from our attack.
In our CCC talk we plan to give a step-by-step presentation on how we analyzed and subsequently broke the Hoermann BiSecur system. This includes the following topics:
- Overall system overview
- Radio signal analysis with the CCC rad1o SDR platform
- Reverse engineering of the radio signal
- Hardware analysis of BiSecur transmitters
- Firmware extraction from the microcontroller by exploiting a security flaw in the PIC18F controller
- Firmware disassembly and reverse engineering with IDA Pro
- Analysis results providing a technical overview of how the BiSecur system operates including the encryption scheme (with AES-128 at its core) and RF operations
- Presentation of our attacks (signal cloning of genuine transmitters)
- Live-Hacking Demo with the CCC rad1o SDR platform
- Suggested security fix
This talk was translated into multiple languages. The files available for download contain all languages as separate audio tracks. Most desktop video players allow you to choose between them.
Please look for "audio tracks" in your desktop video player.