what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Ekahau Real-Time Location System RC4 Cipher Stream Reuse / Weak Key Derivation

Ekahau Real-Time Location System RC4 Cipher Stream Reuse / Weak Key Derivation
Posted Dec 14, 2014
Authored by Max Moser, David Gullasch

Ekahau Real-Time Location System suffers from RC4 cipher stream reuse and weak key derivation flaws. The message payload of the affected solution is always encrypted using the same RC4 cipher stream. When combining two encrypted messages with an XOR operation, the cipher stream will cancel out. With this, an attacker is able to recover the bitwise difference of two plain texts. The 128 bit RC4 key used in the Ekahau setup is trivially derived from the three least significant bytes of the MAC address. The key derivation scheme can be recovered from publicly available program code or any Ekahau tag's EEPROM.

tags | exploit
advisories | CVE-2014-2716
SHA-256 | a6ce7b1308744e978d9de9d7f014e08f9af93014056f5d15361dbdf486a9720c

Ekahau Real-Time Location System RC4 Cipher Stream Reuse / Weak Key Derivation

Change Mirror Download
Merry Christmas.

---------------------------------------------------------------------

https://www.modzero.ch/advisories/MZ-14-01-Ekahau-RTLS.txt

---------------------------------------------------------------------

modzero Security Advisory: Vulnerabilities in Ekahau
Real-Time Location System [MZ-14-01] - CVE-ID: CVE-2014-2716

-----------------------------------------------------------------v1.3

Table of Contents

1. Timeline
2. Summary
3. Vulnerabilities
4. Recommendations
5. Vendor Response
6. Credits
7. About modzero
8. References
9. Disclaimer

Vendor: Ekahau, Inc., Helsinki [1]
Products known to be affected: Ekahau Real-Time Location System [2]

The following products were used during the security analysis. Other
versions are likely to be affected as well:

* Ekahau B4 staff badge tag hardware rev 5.7, firmware rev 1.4.52 [3]
* Ekahau RTLS Controller version 6.0.5-FINAL
* Ekahau Activator 3 software [4]

---------------------------------------------------------------------

1. Timeline

---------------------------------------------------------------------

* 2014-03-04: Advisory sent to the vendor
* 2014-03-13: Vendor acknowledged the initial contact
* 2014-04-01: Vendor did not provide timeline
* 2014-04-02: modzero sends a preliminary summary to MITRE
* 2014-04-03: CVE received and added: CVE-2014-2716
* 2014-10-23: modzero releases the comprehensive security advisory to
the public
* 2014-12-15: Full release of the advisory to the public

---------------------------------------------------------------------

2. Summary

---------------------------------------------------------------------

Ekahau's real-time location tracking uses battery-powered Wi-Fi
tokens to track assets or staff. Signal measurements (RSSI) of the
802.11-based Wi-Fi communication are processed in the Ekahau RTLS
software component, which calculates the exact position of the token.
Depending on the token-model that is being used, additional
information can be exchanged (e.g. alarm events from the token or
custom text messages could be sent). According to the vendor's
website, the solution is used in hospitals and schools as "panic
buttons" and should simplify workflows, due to the ability to
precisely track persons and items. The solution only supports
Pre-Shared-Key (PSK) based radio transport layer encryption WPA2
schemes, every person with access to a token can get access to the
radio keys within a tag's EEPROM to gain access to the network and
sniff Ekahau data packets. As there is no easy way of key rotation,
it is assumed that the key is known to a large amount of individuals.

modzero found that the encryption used in Ekahau's Real-Time Location
System messages suffers from severe weaknesses. An attacker is able
to read and generate arbitrary messages including button events,
text/alarm messages or sending reconfiguration events.


---------------------------------------------------------------------

3. Vulnerabilities


3.1. RC4 Cipher Stream Reuse
----------------------------

Severity: high

The message payload of the affected solution is always encrypted
using the same RC4 cipher stream. When combining two encrypted
messages with an XOR operation, the cipher stream will cancel out.
With this, an attacker is able to recover the bitwise difference of
two plain texts.

Encryption of two messages m1 and m2 using the same cipher stream s,
resulting in two ciphertexts c1 and c2. s is a pseudo-random sequence
of bytes, generated using the RC4 algorithm:

c1 = m1 XOR s
c2 = m2 XOR s

An attacker is able to record the ciphertexts c1 and c2 and combine
them in an XOR operation. This reveals all bits, where the plaintexts
m1 and m2 differ:

c1 XOR c2
= (m1 XOR s) XOR (m2 XOR s)
= (m1 XOR m2) XOR (s XOR s)
= m1 XOR m2


3.2. Weak Key Derivation
------------------------

Severity: high

The 128 bit RC4 key used in the Ekahau setup is trivially derived
from the three least significant bytes of the MAC address. The key
derivation scheme can be recovered from publicly available program
code [4] or any Ekahau tag's EEPROM.

According to the IEEE 802.11 standard [5], the MAC address is
required to be publicly transported in clear text within the 802.11
MAC headers. An attacker capable of sniffing the wireless network
(independant of its encryption state) is able to extract this
information. Using the gathered MAC address, he is able to
immediately reconstruct the employed RC4 key in the following way:

prefix = "*ixpiyacoc"
mac[3:5] = three least significant bytes of the MAC address
suffix = "+*+"
key = prefix | mac[3:5] | suffix

The effective key entropy is only 24 bit, thus even a key recovery by
brute-force search would be possible in a short amount of time if the
MAC address is unknown.

---------------------------------------------------------------------

4. Recommendations

---------------------------------------------------------------------

It is recommended that Ekahau corrects their implementation to ensure
message confidentiality, authenticity and integrity. it is
recommended to protect secret information and prevent access to key
material on all levels. Static PSK based radio encryption without
automated key rotation is not recommended.


---------------------------------------------------------------------

5. Vendor Response

---------------------------------------------------------------------

Qualified vendor response pending. Vendor protects the activator
download [4] with a login & password. The software might still be
available from other sources.

---------------------------------------------------------------------

6. Credits

---------------------------------------------------------------------

* David Gullasch (dagu (_at_) modzero.ch)
* Max Moser (mmo (_at_) modzero.ch)

---------------------------------------------------------------------

7. About modzero

---------------------------------------------------------------------

The independent Swiss company modzero AG assists clients with
security analysis in the complex areas of computer technology. The
focus lies on highly detailed technical analysis of concepts,
software and hardware components as well as the development of
individual solutions. Colleagues at modzero AG work exclusively in
practical, highly technical computer-security areas and can draw on
decades of experience in various platforms, system concepts, and
designs.

https://modzero.ch
info@modzero.ch

---------------------------------------------------------------------

8. References

---------------------------------------------------------------------

[1] https://www.ekahau.com/
[2] https://www.ekahau.com/real-time-location-system/solutions
[3] https://www.ekahau.com/userData/ekahau/documents/datasheets/
B4_datasheet_letter.pdf
[4] https://sw.ekahau.com/download/activator/

---------------------------------------------------------------------

9. Disclaimer

---------------------------------------------------------------------

The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close