Vulnerable components

• Kaden PICOFLUX AiR (we are not aware of any revision number).
• If you have information on other products of Kaden or ECOMESS Sp. z o.o., please, share with us.

Detailed technical description

Although the Wireless M-Bus Security mode 5 employs shared AES key, we did not receive any key in the box with the meter. The meter cannot receive any data as indicated at the protocol level. We do not see any port that can be used to change the AES key. It seems likely that the meter depends on a shared key or a key derived from the number of the meter so the software offered by Kaden can read the meter. In such case, the confidentiality of the water metering is endangered as an adversary only needs a compatible reader to read the consumption.

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base score 6.5 (Medium severity)

Attack vector

An adversary needs to be in a vicinity of the meters (tens of meters, with a good antenna probably more).

Attack complexity

An adversary needs publicly available reading set offered by Kaden such as KADEN ZET810s.

Privileges and user interaction required

None. An adversary can correlate the position of the meters with the signal strength.

The meter identifier is sent in each message and it is readable on the front of the meter. A cooperating users can make the task for the adversary easier when they let the adversary see the meter or tell the meter number. Such cooperation is not necessary to carry an attack.

Effects on confidentiality, integrity and availability

The adversary can learn all information that a vulnerable meter sends.

CWE

CWE-798: Use of Hard-coded Credentials

Claim summary

• The meters are distributed without the encryption key.
• Kaden offers a reading device.
• It seems likely that the encryption depends on a common key, set of keys, or the keys are derived from the number of the meter and other parameters sent in the plain text part of each message.
• It seems likely that an adversary only needs a compatible reader to read the consumption. See a similar advisory for more details.

Risks

• An adversary can learn about home activities.
• An adversary can distinguish patterns of water consumption and fingerprint a device.
• An adversary can detect zero consumption and learn that no one is home.

Advisory

The encryption key of the meters is probably not configurable. You should replace the meters.

Further reading

• POLČÁK Libor. Wireless M-Bus: Kdo ví, že perete? DSM Data Security Management, roč. 2019, č. 4, s. 13-17. ISSN 1211-8737. (in Czech)
• POLČÁK Libor and MATOUŠEK Petr. Metering Homes: Do Energy Efficiency and Privacy Need to be in Conflict?. In: Proceedings of the 19th International Conference on Security and Cryptography. Lisabon: SciTePress - Science and Technology Publications, 2022, pp. 47-58. ISBN 978-989-758-590-6.