Headline
CVE-2021-34600: Telenot complex: Insecure AES Key Generation
Telenot CompasX versions prior to 32.0 use a weak seed for random number generation leading to predictable AES keys used in the NFC tags used for authorization of users.
Advisory X41-2021-003: Telenot complex: Insecure AES Key Generation
Severity Rating: High
Confirmed Affected Versions: <32.0
Confirmed Patched Versions: >=32.0
Vendor: TELENOT ELECTRONIC GMBH
Vendor URL: https://www.telenot.com/
Vendor Reference: -
Vector: Physical / Remote
Credit: X41 D-SEC GmbH, Markus Vervier, Yaşar Klawohn
Status: Private
CVE: CVE-2021-34600
CWE: 340, 338
CVSS Score: N/A
CVSS Vector: N/A
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2021-003-telenot-complex-insecure-keygen/
Summary and Impact
The complex alarm system manufactured by Telenot supports the use of NFC
tags for the authorization of users using DESFire EV2[6] tags that support
AES encryption.
The supplied management software compasX can generate the secret AES keys
that are stored both on the system and the NFC tag and are used for the mutual
authentication between them.
It was found that keys generated using compasX are predictable,
which allows attackers to clone NFC tags and gain unauthorized access to
secured areas, unless further security controls, like the requirement to provide
a PIN, are in place.
Deployments which use both
- NFC tags of type MIFARE DESFire EV1 or EV2
- AES keys generated with vulnerable compasX versions for use
with the above tags
are vulnerable. All such AES keys should be replaced (including those
used for remote access) by either a manually generated key or
by using a recent compasX software revision (32.0) that is using a cryptographically
secure random number generator.
Root Cause Analysis
compasX versions older than 32.0 use random numbers supplied by
the cryptographically insecure PRNG implementation of the rand()
function
to create AES keys.
The PRNG instance is seeded with the current system time as UNIX timestamp
via calls to srand(time())
. Because the supplied timestamp value is a
32-bit number, the amount of possible seeds is bounded by the maximum
unsigned 32 bit value of 4294967295
, down from
2128 possible keys for the used AES128. It is feasible
to search the whole key space on a modern Desktop system in reasonable time.
The possible key space can be even further reduced when assuming that
MIFARE DESFire EV1 seems to have first been introduced in 2006. Between
2006-01-01 00:00:00 GMT (timestamp 1136073600
) and 2021-11-30 00:00:00 GMT
(timestamp 1638230400
) there are 502156800
timestamps that could have been
used as seeds.
The Borland C/C++ library used in compasX, states that “rand uses a multiplicative
congruential random number generator”1, which is not a cryptographically secure
pseudorandom number generator (CSPRNG).
It’s important to note that even if the seed hadn’t been time-based, rand()
“generates a well-known sequence and isn’t appropriate for use as a
cryptographic function”2. While the previous quote is from Microsoft’s
documentation about their own implementation, a comparable warning is missing
from the documentation of the used implementation of rand()
.
The current recommended CSPRNG on modern Windows systems is
BCryptGenRandom
3, which is part of the “Cryptography API: Next
Generation”4.
Proof of Concept
Head over to the blog post for a detailed description and our proof of concept!
Workaround
It is strongly recommended to raise the security level during the time window
until the AES keys can be changed to securely generated ones.
The complex alarm systems supports alternative authentication factors that
can be combined with the Desfire NFC tag authentication.
An example for such an additional factor is a requirement for a valid
PIN entry on the complex alarm system in addition to a successful
Desfire authentication to disarm the alarm.
Timeline
2021-09-02 Problem discovered during internal audit and impact assessed
2021-09-07 Initial contact with Telenot
2021-09-20 Disclosure and discussion of all technical details to Telenot
2021-12-01 Telenot releases of a fixed version of compasX, notifies customers
2021-12-01 CVE requested
2021-12-02 CVE-2021-34600 assigned
2021-01-18 Public disclosure
About X41 D-SEC GmbH
X41 is an expert provider for application security services. Having extensive
industry experience and expertise in the area of information security, a strong
core security team of world class security experts enables X41 to perform
premium security services.
Fields of expertise in the area of application security are security centered
code reviews, binary reverse engineering and vulnerability discovery. Custom
research and IT security consulting and support services are core competencies
of X41.