Although the Wireless M-Bus Security mode 5 employs shared AES key, Enbra EWM software does not have any option to provide encryption key. We do not know the employed encryption key. Still, the Enbra EWM software can decrypt and parse the messages. Not only were we able to read messages produced by meters bought with the software but we were also able to read messages produces by meters with AT-WMBUS-16-2 modules deployed at a residential building. We do not know about any way to change the Hard-coded Cryptographic Key.
Base score 6.5 (Medium severity)
An adversary needs to be in a vicinity of the meters (tens of meters, with a good antenna probably more).
An adversary needs publicly available reading set, e.g. Odečtová wM-Bus sada ENBRA EWM s USB modemem EWMR-INT s vestavěnou interní anténou containing Enbra EWM software.
None. An adversary can correlate the position of the meters with the signal strength.
The meter identifier is sent in each message and it is readable on the front of the meter. A cooperating users can make the task for the adversary easier when they let the adversary see the meter or tell the meter number. Such cooperation is not necessary to carry an attack.
The adversary can learn all information that is available in Enbra EWM.
CWE-798: Use of Hard-coded Credentials
The encryption key of the meters should be configurable. If you have the meters deployed, force Enbra to change the keys in conformance with EN 13757-1. Alternatively, Enbra can release the encryption key and information how to change the keys.