Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
write-ups/CVE-2019-9659/
write-ups/CVE-2019-9659/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

CVE-2019-9659

Special shout out to Mattijs van Ommeren for all the outstanding help!

[Suggested description]

The Chuango 433 MHz burglar-alarm product line uses static codes in the RF remote control, 
allowing an attacker to arm, disarm, or trigger the alarm remotely
via replay attacks, as demonstrated by Chuango branded products, 
and non-Chuango branded products such as the Eminent EM8617 OV2 Wifi Alarm System.

[Additional Information]

Security Researcher Riccardo ten Cate discovered a vulnerability in

==Vendor details==

Established in Fuzhou, China in 2001, Chuango Security Technology
Corporation specializes in wireless smart home technology, ranging
from DIY security and home automation to energy and health management
systems. http://www.chuango.com

==Other affected products==

Chuango is an OEM manufacturer that produces devices for several vendors. Known vulnerable includes (but not limited to)
* Eminent EM8617 OV2 Wifi Alarm System

==Disclosure timeline==

December 6, 2018 Vulnerability discovery
December 7, 2018 First attempt to contact Chuango (by e-mail and phone)
December 18, 2018 Initial contact with General Manager Chuango Europe
January 9, 2018  Shared vulnerability details with product security contact Chuango
January 15, 2019 Shared PoC with product security contact Chuango
January 15, 2019 Shared vulnerability details with Eminent
January 28, 2019 Sent reminder and request for status update
January 29, 2019 Acknowledgement by Eminent
February 11, 2019 Confirmation of vulnerability on all devices using
433MHz RF technology. Not able to provide after sales fix. Promised
additional details for remediation.
February 17, 2019 Sent reminder to Chuango and another request for fix timeline.
March 8, 2019  Requested CVE ID
March 11, 2019  Public disclosure

[VulnerabilityType Other]

Replay vulnerability

[Vendor of Product]

Chuango

[Affected Product Code Base]

Chuango Wifi Alarm System - All versions
Chuango Wifi/Cellular Smart Home System H4 Plus - All versions
Chuango Wifi Alarm System AWV Plus - All versions
Chuango G5W 3G - All versions
Chuango GSM/SMS/RFID Touch Alarm System G5 Plus - All versions
Chuango GSM/SMS Alarm System G3 - All versions
Chuango G5W - All versions
Chuango Dual-Network Alarm System B11 - All versions
Chuango PSTN Alarm System A8 - All versions
Chuango PSTN/LCD/RFID Touch Alarm System A11 - All versions
Chuango CG-105S On-Site Alarm System - All versions

[Affected Component]

433MHz RF interface

[Attack Type]

Remote

[CVE Impact Other]

Arm,disarm or trigger the alarm remotely

[Attack Vectors]

Record and replay or brute force commands through the 433MHz RF interface

[Reference]

https://github.com/RiieCco/write-ups/tree/master/CVE-2019-9659

[Has vendor confirmed or acknowledged the vulnerability?]

true

[Discoverer]

Riccardo ten Cate

0