Please find information about the CVE in the CVE database.

Vulnerable components

Detailed technical description

Cyrill Brunschwiler reported several vulnerabilities in Wireless M-Bus Security mode 5 at Black Hat USA 2013; see https://www.compass-security.com/fileadmin/Datein/Research/Praesentationen/blackhat_2013_wmbus_security_whitepaper.pdf (Sections 4.4.2 and 4.4.3).

Both Jam-and-Replay and Shield-and-Replay are message replay attacks. An attacker can intercept messages sent by Wireless M-Bus Security mode 5 devices at time T and replay them during readouts at T + several months.

Although we lack technical documentation of the radio modules, we believe the meters include a timestamp in their messages, for two reasons:

  1. In the default configuration of AT-WMBUS-16-2, the Wireless M-Bus Security mode 5 initialization vector repeats every 256 messages, i.e. every 5.6 hours during peak hours. The ciphertext of observed messages sharing the same IV changes even when no consumption occurs, so the message content must change; we suspect this is due to the presence of a timestamp.
  2. Enbra EWM displays a row called "Datum" [CZ] (Date [EN]) that is the current date and not the system date. Such a timestamp provides protection against replay attacks.

Enbra EWM could compare the time reported by the meter with the system time and so detect replay attacks (allowing, of course, for errors due to clock drift). Enbra EWM provides an export to CSV format, and the exported data can be used for further processing, e.g. to produce billing details. However, the exported CSV data does not contain the time observed at the meter; it only provides the system time of the readout. Enbra EWM does not notify the user that a readout from the past has appeared, and it cannot check exported data for replayed readouts.

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Base score 6.5 (Medium severity)

Attack vector

An adversary needs to be in the vicinity of the meters (tens of meters; probably more with a good antenna).

Attack complexity

An adversary needs to replay previously captured messages. Enbra EWM seems to process only the first message captured from a meter, so the most difficult task for the adversary is to arrange the attack so that the replayed messages are received before the genuine messages from the meter. As the meters send messages roughly every 80 seconds, there is generally enough time to be faster.

Privileges and user interaction required

None. An adversary can correlate the position of the meters with the signal strength.

The meter identifier is sent in each message and is also printed on the front of the meter. Cooperating users can make the adversary's task easier by letting the adversary see the meter or by telling them the meter number, but such cooperation is not necessary to carry out an attack.

Effects on confidentiality, integrity and availability

The adversary can spoof the consumption and thereby decrease the billed amount.

CWE

CWE-345: Insufficient Verification of Data Authenticity

Claim summary

Risks

Advisory

Until Enbra EWM is fixed, one can display the details of each readout and check the meter-reported time before exporting.
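The check described in the technical description (comparing the meter-reported time with the system time of the readout, with a tolerance for clock drift) and the interim workaround above, as an added Python example written for this page; it is not Enbra EWM code and not part of the original advisory. The record layout, the 24-hour tolerance and the sample readouts are all assumptions constructed for the example; the fourth record has no meter time, which is the situation of the exported CSV.

```python
from datetime import datetime, timedelta

# Constructed sample readouts (hypothetical values, not real meter data).
# "meter_time" is the date/time the meter reports inside its message (the
# "Datum" row); "system_time" is when the reading software received it.
# Record 3 carries a meter time months before the readout: a replay candidate.
# Record 4 has no meter time at all, as in the CSV export.
SAMPLE_READOUTS = [
    {"meter_id": "00000001", "consumption_m3": 118.4,
     "meter_time": "2019-03-01 10:02", "system_time": "2019-03-01 10:03"},
    {"meter_id": "00000002", "consumption_m3": 73.9,
     "meter_time": "2019-03-01 10:05", "system_time": "2019-03-01 10:03"},
    {"meter_id": "00000003", "consumption_m3": 42.7,
     "meter_time": "2018-11-14 08:40", "system_time": "2019-03-01 10:03"},
    {"meter_id": "00000004", "consumption_m3": 55.0,
     "meter_time": None, "system_time": "2019-03-01 10:03"},
]

TIME_FMT = "%Y-%m-%d %H:%M"
# Assumed drift allowance; meter clocks may run slow or fast.
DEFAULT_TOLERANCE = timedelta(hours=24)


def classify_readout(readout: dict, tolerance: timedelta = DEFAULT_TOLERANCE) -> str:
    """Return 'ok', 'replay' or 'unverifiable' for one readout.

    A readout is a replay candidate when the time reported by the meter lies
    more than `tolerance` before the system time of the readout. A meter clock
    running ahead (meter time after system time) is accepted as drift.
    A readout without a meter time cannot be checked at all.
    """
    if not readout.get("meter_time"):
        return "unverifiable"
    meter_time = datetime.strptime(readout["meter_time"], TIME_FMT)
    system_time = datetime.strptime(readout["system_time"], TIME_FMT)
    if system_time - meter_time > tolerance:
        return "replay"
    return "ok"


def check_readouts(readouts: list, tolerance: timedelta = DEFAULT_TOLERANCE) -> dict:
    """Group meter ids by verdict so an operator can review them before export."""
    result = {"ok": [], "replay": [], "unverifiable": []}
    for readout in readouts:
        result[classify_readout(readout, tolerance)].append(readout["meter_id"])
    return result


if __name__ == "__main__":
    for verdict, ids in check_readouts(SAMPLE_READOUTS).items():
        print(f"{verdict:13s} {ids}")
```

The check only catches replays whose meter time is older than the tolerance; a message captured and replayed within the same tolerance window is indistinguishable by this test alone, so the tolerance should be no wider than the clock drift actually seen in the installation. Readouts classified as unverifiable show why the CSV export, which carries only the system time, cannot be audited after the fact.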

Further reading