►► SEC Consult also published a blog post regarding the identified security issues with further background information: Hörmann - opening doors for everyone
“In today’s construction components market, doors, frames, and operators are associated with the name Hörmann – as the Hörmann Group is Europe’s leading supplier in this sector.”
Hörmann BiSecur Gateway and BiSecur Home is a framework to remotely control garage doors and other door/window/etc openers via the internet or local network.
Discontinue the entire product line.
Vulnerability Overview / Description
1) Hardware issues
- a) BiSecur Gateway device flash memory chip unprotected contents
- b) BiSecur Gateway device flash memory chip contains client SSL keys in plain-text
- c) BiSecur Gateway device flash memory chip contains user credentials in plain-text
- d) BiSecur Gateway device unprotected PIC microcontroller debug interface allows dumping of firmware
- e) BiSecur Gateway device flash memory chip certificate replacement facilitates MITM and protocol reverse engineering
2) Local network issues:
- a) BiSecur Gateway custom network protocol used without session protection
- b) BiSecur Gateway using UDP broadcast for device discovery
- c) BiSecur Gateway custom network protocol prone to MITM, leaking user credentials
- d) BiSecur Gateway default hardcoded credentials
- e) BiSecur Gateway unprotected user creation allows arbitrary users to be created
- f) BiSecur Gateway user creation command buffer overflow
- g) BiSecur Gateway guessable session numbers result in session hijacking
- h) BiSecur Gateway unprotected and undocumented network debug command
- i) BiSecur Gateway WIFI enumeration
3) Server issues
- a) BiSecur Home device registration weak algorithm
- b) BiSecur Home relay mechanism allows impersonating of arbitrary device, allows attacker to steal credential of ALL BiSecur Gateways worldwide.
Proof Of Concept
The proof of concept can be found in the related blog article “Hörmann – opening doors for everyone“.
Complete framework redesign including hardware, protocol, server functionality.
No workaround for the local issues without factory recall.
EOF Tamas Jos / @2020