Key Vulnerability Information

Advisory ID: SYSS-2019-004
Product: ABUS Secvest (FUAA50000)
Manufacturer: ABUS
Affected Version(s): v3.01.01
Tested Version(s): v3.01.01
Vulnerability Type: Message Transmission - Unchecked Error Condition (CWE-391)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-03-02
Solution Date: -
Public Disclosure: 2019-07-26
CVE Reference: CVE-2019-14261
Authors of Advisory: Matthias Deeg (SySS GmbH), Thomas Detert

Overview

ABUS Secvest (FUAA50000) is a wireless alarm system with various features.

Due to an insufficient implementation of jamming detection, attackers can suppress correctly received RF messages sent between wireless peripheral components and the ABUS Secvest alarm central.

Vulnerability Details

Thomas Detert found that short jamming signals are not detected by the ABUS alarm central, allowing unauthorized message suppression.

Proof of Concept (PoC)

Thomas Detert developed a Teensy-based PoC tool using a CC1101 sub-1GHz transceiver to suppress arming the alarm system in an unauthorized way.

Solution

SySS GmbH is not aware of a solution for this reported security vulnerability.

Disclosure Timeline

2019-03-02: Vulnerability reported to manufacturer
2019-07-26: Public release of security advisory

References

[1] Product website for ABUS Secvest wireless alarm system:
    https://wwwimbuscomenghome_securityalarm_systemsecvest_wireless_alarm_systemalarm_panels_and_kitssecvest_wireless_alarm_system
[2] SySS Security Advisory SYSS-2019-004:
    https://wwwsysde/fileadmin/dokumentepublikationenadvisesSYSS-2019-004txt
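
The gap described under Vulnerability Details, as an added example that is not part of the SySS advisory and is not ABUS code: a jamming check keyed only to one long uninterrupted interference interval, next to a sliding-window check that also counts repeated short bursts. The event model, function names, thresholds and traces are all constructed assumptions; the advisory does not say how the Secvest detection is implemented.

```python
from collections import deque

# Constructed traces: (start_ms, duration_ms) of carrier energy on the channel
# during which no valid frame was decoded. Values are illustrative only.
SHORT_BURSTS = [(1000, 8), (1400, 9), (1800, 8), (2200, 10), (2600, 9)]
LONG_CARRIER = [(1000, 6000)]
OCCASIONAL_NOISE = [(1000, 8), (60000, 9)]


def duration_only(events, min_continuous_ms=5000):
    """Hypothetical weak check: alarm only on one long uninterrupted interval."""
    return any(dur >= min_continuous_ms for _, dur in events)


def sliding_window(events, window_ms=10000, max_bursts=3, max_busy_ms=2000):
    """Hypothetical stronger check: alarm when the bursts seen in the last
    window_ms are too numerous or add up to too much busy time."""
    recent = deque()   # events whose start lies inside the current window
    busy_ms = 0        # summed duration of the events in `recent`
    for start, dur in sorted(events):
        recent.append((start, dur))
        busy_ms += dur
        # Age out events that started before the window opened.
        while recent[0][0] < start - window_ms:
            busy_ms -= recent.popleft()[1]
        if len(recent) > max_bursts or busy_ms > max_busy_ms:
            return True
    return False


def evaluate(events):
    """Run both checks on one trace and return their verdicts."""
    return {"duration_only": duration_only(events),
            "sliding_window": sliding_window(events)}


if __name__ == "__main__":
    for name, trace in [("short bursts", SHORT_BURSTS),
                        ("long carrier", LONG_CARRIER),
                        ("occasional noise", OCCASIONAL_NOISE)]:
        print(name, evaluate(trace))
```

A real panel would also need to tune the window against legitimate channel activity, since a burst counter that is too sensitive turns ordinary interference into false jamming alarms.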