Ekahau Real-Time Location System RC4 Cipher Stream Reuse / Weak Key Derivation

`Merry Christmas.  
  
---------------------------------------------------------------------  
  
http://www.modzero.ch/advisories/MZ-14-01-Ekahau-RTLS.txt  
  
---------------------------------------------------------------------  
  
modzero Security Advisory: Vulnerabilities in Ekahau  
Real-Time Location System [MZ-14-01] - CVE-ID: CVE-2014-2716  
  
-----------------------------------------------------------------v1.3  
  
Table of Contents  
  
1. Timeline  
2. Summary  
3. Vulnerabilities  
4. Recommendations  
5. Vendor Response  
6. Credits  
7. About modzero  
8. References  
9. Disclaimer  
  
Vendor: Ekahau, Inc., Helsinki [1]  
Products known to be affected: Ekahau Real-Time Location System [2]  
  
The following products were used during the security analysis. Other  
versions are likely to be affected as well:  
  
* Ekahau B4 staff badge tag hardware rev 5.7, firmware rev 1.4.52 [3]  
* Ekahau RTLS Controller version 6.0.5-FINAL  
* Ekahau Activator 3 software [4]  
  
---------------------------------------------------------------------  
  
1. Timeline  
  
---------------------------------------------------------------------  
  
* 2014-03-04: Advisory sent to the vendor  
* 2014-03-13: Vendor acknowledged the initial contact  
* 2014-04-01: Vendor did not provide timeline  
* 2014-04-02: modzero sends a preliminary summary to MITRE  
* 2014-04-03: CVE received and added: CVE-2014-2716  
* 2014-10-23: modzero releases the comprehensive security advisory to  
the public  
* 2014-12-15: Full release of the advisory to the public  
  
---------------------------------------------------------------------  
  
2. Summary  
  
---------------------------------------------------------------------  
  
Ekahau's real-time location tracking uses battery-powered Wi-Fi  
tokens to track assets or staff. Signal measurements (RSSI) of the  
802.11-based Wi-Fi communication are processed in the Ekahau RTLS  
software component, which calculates the exact position of the token.  
Depending on the token-model that is being used, additional  
information can be exchanged (e.g. alarm events from the token or  
custom text messages could be sent). According to the vendor's  
website, the solution is used in hospitals and schools as "panic  
buttons" and should simplify workflows, due to the ability to  
precisely track persons and items. The solution only supports  
Pre-Shared-Key (PSK) based radio transport layer encryption WPA2  
schemes, every person with access to a token can get access to the  
radio keys within a tag's EEPROM to gain access to the network and  
sniff Ekahau data packets. As there is no easy way of key rotation,  
it is assumed that the key is known to a large amount of individuals.  
  
modzero found that the encryption used in Ekahau's Real-Time Location  
System messages suffers from severe weaknesses. An attacker is able  
to read and generate arbitrary messages including button events,  
text/alarm messages or sending reconfiguration events.  
  
  
---------------------------------------------------------------------  
  
3. Vulnerabilities  
  
  
3.1. RC4 Cipher Stream Reuse  
----------------------------  
  
Severity: high  
  
The message payload of the affected solution is always encrypted  
using the same RC4 cipher stream. When combining two encrypted  
messages with an XOR operation, the cipher stream will cancel out.  
With this, an attacker is able to recover the bitwise difference of  
two plain texts.  
  
Encryption of two messages m1 and m2 using the same cipher stream s,  
resulting in two ciphertexts c1 and c2. s is a pseudo-random sequence  
of bytes, generated using the RC4 algorithm:  
  
c1 = m1 XOR s  
c2 = m2 XOR s  
  
An attacker is able to record the ciphertexts c1 and c2 and combine  
them in an XOR operation. This reveals all bits, where the plaintexts  
m1 and m2 differ:  
  
c1 XOR c2  
= (m1 XOR s) XOR (m2 XOR s)  
= (m1 XOR m2) XOR (s XOR s)  
= m1 XOR m2  
  
  
3.2. Weak Key Derivation  
------------------------  
  
Severity: high  
  
The 128 bit RC4 key used in the Ekahau setup is trivially derived  
from the three least significant bytes of the MAC address. The key  
derivation scheme can be recovered from publicly available program  
code [4] or any Ekahau tag's EEPROM.  
  
According to the IEEE 802.11 standard [5], the MAC address is  
required to be publicly transported in clear text within the 802.11  
MAC headers. An attacker capable of sniffing the wireless network  
(independant of its encryption state) is able to extract this  
information. Using the gathered MAC address, he is able to  
immediately reconstruct the employed RC4 key in the following way:  
  
prefix = "*ixpiyacoc"  
mac[3:5] = three least significant bytes of the MAC address  
suffix = "+*+"  
key = prefix | mac[3:5] | suffix  
  
The effective key entropy is only 24 bit, thus even a key recovery by  
brute-force search would be possible in a short amount of time if the  
MAC address is unknown.  
  
---------------------------------------------------------------------  
  
4. Recommendations  
  
---------------------------------------------------------------------  
  
It is recommended that Ekahau corrects their implementation to ensure  
message confidentiality, authenticity and integrity. it is  
recommended to protect secret information and prevent access to key  
material on all levels. Static PSK based radio encryption without  
automated key rotation is not recommended.  
  
  
---------------------------------------------------------------------  
  
5. Vendor Response  
  
---------------------------------------------------------------------  
  
Qualified vendor response pending. Vendor protects the activator  
download [4] with a login & password. The software might still be  
available from other sources.  
  
---------------------------------------------------------------------  
  
6. Credits  
  
---------------------------------------------------------------------  
  
* David Gullasch (dagu (_at_) modzero.ch)  
* Max Moser (mmo (_at_) modzero.ch)  
  
---------------------------------------------------------------------  
  
7. About modzero  
  
---------------------------------------------------------------------  
  
The independent Swiss company modzero AG assists clients with  
security analysis in the complex areas of computer technology. The  
focus lies on highly detailed technical analysis of concepts,  
software and hardware components as well as the development of  
individual solutions. Colleagues at modzero AG work exclusively in  
practical, highly technical computer-security areas and can draw on  
decades of experience in various platforms, system concepts, and  
designs.  
  
http://modzero.ch  
[email protected]  
  
---------------------------------------------------------------------  
  
8. References  
  
---------------------------------------------------------------------  
  
[1] http://www.ekahau.com/  
[2] http://www.ekahau.com/real-time-location-system/solutions  
[3] http://www.ekahau.com/userData/ekahau/documents/datasheets/  
B4_datasheet_letter.pdf  
[4] http://sw.ekahau.com/download/activator/  
  
---------------------------------------------------------------------  
  
9. Disclaimer  
  
---------------------------------------------------------------------  
  
The information in the advisory is believed to be accurate at the  
time of publishing based on currently available information. Use of  
the information constitutes acceptance for use in an AS IS condition.  
There are no warranties with regard to this information. Neither the  
author nor the publisher accepts any liability for any direct,  
indirect, or consequential loss or damage arising from use of, or  
reliance on, this information.  
`