Hormann BiSecur Gateway and Home Server multiple vulnerabilities

Project Description

The Hörmann BiSecur Gateway product contained multiple vulnerabilities. The tested device (just like many other IoT devices) would require a complete redesign on all levels including hardware, protocol, back-end infrastructure. Hörmann was informed by SEC Consult about the potential security risks of the BiSecur gateway and responded promptly. Without delay, the registration option on the official BiSecur portal was switched off and the production of BiSecur Gateways temporarily suspended. 

SEC Consult also published a blog post regarding the identified security issues with further background information: 
Hörmann – opening doors for everyone


Vendor description

“In today’s construction components market, doors, frames, and operators are associated with the name Hörmann – as the Hörmann Group is Europe’s leading supplier in this sector.”

Source: https://www.hormann.co.uk/company/about-us/

Hörmann BiSecur Gateway and BiSecur Home is a framework to remotely control garage doors and other door/window/etc openers via the internet or local network.

Business recommendation

Discontinue the entire product line.

Vulnerability overview/description

1) Hardware issues

  • a) BiSecur Gateway device flash memory chip unprotected contents
  • b) BiSecur Gateway device flash memory chip contains client SSL keys in plain-text
  • c) BiSecur Gateway device flash memory chip contains user credentials in plain-text
  • d) BiSecur Gateway device unprotected PIC microcontroller debug interface allows dumping of firmware
  • e) BiSecur Gateway device flash memory chip certificate replacement facilitates MITM and protocol reverse engineering

2) Local network issues:

  • a) BiSecur Gateway custom network protocol used without session protection
  • b) BiSecur Gateway using UDP broadcast for device discovery
  • c) BiSecur Gateway custom network protocol prone to MITM, leaking user credentials
  • d) BiSecur Gateway default hardcoded credentials
  • e) BiSecur Gateway unprotected user creation allows arbitrary users to be created
  • f) BiSecur Gateway user creation command buffer overflow
  • g) BiSecur Gateway guessable session numbers result in session hijacking
  • h) BiSecur Gateway unprotected and undocumented network debug command
  • i) BiSecur Gateway WIFI enumeration

3) Server issues

  • a) BiSecur Home device registration weak algorithm
  • b) BiSecur Home relay mechanism allows impersonating of arbitrary device, allows attacker to steal credential of ALL BiSecur Gateways worldwide.

Proof of concept

The proof of concept can be found in the related blog article “Hörmann – opening doors for everyone“.

Solution

Complete framework redesign including hardware, protocol, server functionality.

Workaround

No workaround for the local issues without factory recall.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

EOF Tamas Jos / @2020

Interested to work with the experts of SEC Consult? Send us your application
Want to improve your own cyber security with the experts of SEC Consult? Contact our local offices.

Project Details

  • TitleHormann BiSecur Gateway and Home Server multiple vulnerabilities
  • ProductBiSecur Gateway and Home Server
  • Vulnerable versionN/A
  • ImpactCritical
  • Homepagehttps://www.hoermann.de
  • Found2018.05.05
  • ByTamas Jos (Office Zurich) | SEC Consult Vulnerability Lab