CVE-2017-17910

On Hoermann BiSecur devices before 2018, a vulnerability can be exploited by recording a single radio transmission. An attacker can intercept an arbitrary radio frame exchanged between a BiSecur transmitter and a receiver to obtain the encrypted packet and the 32-bit serial number. The interception of the one-time pairing process is specifically not required. Due to use of AES-128 with an initial static random value and static data vector (all of this static information is the same across different customers' installations), the attacker can easily derive the utilized encryption key and decrypt the intercepted packet. The key can be verified by decrypting the intercepted packet and checking for known plaintext. Subsequently, an attacker can create arbitrary radio frames with the correct encryption key to control BiSecur garage and entrance gate operators and possibly other BiSecur systems as well ("wireless cloning"). To conduct the attack, a low cost Software Defined Radio (SDR) is sufficient. This affects Hoermann Hand Transmitter HS5-868-BS, HSE1-868-BS, and HSE2-868-BS devices.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:hoermann:hs5-868-bs_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:hoermann:hs5-868-bs:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:hoermann:hse2-868-bs_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:hoermann:hse2-868-bs:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:hoermann:hse1-868-bs_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:hoermann:hse1-868-bs:-:*:*:*:*:*:*:*

History

21 Nov 2024, 03:18

Type Values Removed Values Added
References () https://docs.wixstatic.com/ugd/28ba71_6ecc3158975a484d827e935edda4fa17.pdf - Technical Description, Third Party Advisory () https://docs.wixstatic.com/ugd/28ba71_6ecc3158975a484d827e935edda4fa17.pdf - Technical Description, Third Party Advisory
References () https://www.trustworks.at/publications - Third Party Advisory () https://www.trustworks.at/publications - Third Party Advisory

Information

Published : 2017-12-29 19:29

Updated : 2024-11-21 03:18


NVD link : CVE-2017-17910

Mitre link : CVE-2017-17910

CVE.ORG link : CVE-2017-17910


JSON object : View

Products Affected

hoermann

  • hse2-868-bs_firmware
  • hs5-868-bs
  • hse2-868-bs
  • hse1-868-bs_firmware
  • hse1-868-bs
  • hs5-868-bs_firmware
CWE
CWE-330

Use of Insufficiently Random Values