Back to list
OSS-2016-01: Insufficient integrity checks in Uhlmann & Zacher Clex prime locking systems using 125 kHz EM4450 transponders
Jan 01 2016 11:57AM
Ralf Spenneberg (info os-t de)
OS-S Security Advisory 2016-01
Date: January 1st, 2016
Updated: January 1st, 2016
Authors: Hendrik Schwartke, Ralf Spenneberg
CVE: Not yet assigned
CVSS: 6.2 (AV:L/AC:L/Au:S/C:C/I:C/A:N)
Title: Insufficient integrity checks in Uhlmann & Zacher Clex prime locking
systems using 125 kHz EM4450 transponders
Severity: Critical. The locking permissions may be arbitrarily manipulated and
Ease of Exploitation: Trivial
Vulnerability: Insufficient integrity protection
Product: U&Z Clex prime locking system using 125 kHz EM4450 transponder
The Clex prime locking system has several vulnerabilities which allow an
attacker to generate keys and to arbitrarily manipulate the locking
permissions without authorization. For the successful attack the following
requirements need to be met:
Brief possession of a (former) valid key of locking system. A lost and revoked
key will work as well.
Access to hardware and software to sniff the 125kHz communication between the
lock and the key.
Knowledge of the algorithm to calculation the checksum
Brief unobserved access to a lock of the locking system to sniff and log a
Vulnerabilities in the algorithms used for integrity protection and encryption
may be used by the attacker for targeted modification and copying of a key.
These vulnerabilites have been found by OpenSource Security Ralf Spenneberg
and reported to the vendor Uhlmann & Zacher GmbH. The vendor as reproduced the
vulnerabilities and provided an updated version. Uhlmann & Zacher GmbH tasked
OpenSource Security Ralf Spenneberg to check the update.
The removal of the vulnerability requires a firmware update of the used locks,
the update of the Keyvi3 software, the replacement of the servicekeys and an
update of all keys in use.
Clex prime locking systems using Mifare DESFire and Legic advant technology
are not affected by this vulnerability.
The Clex prime locking system may be used with different transponder
technologies. When using the 125 kHz variant with the EM4450 transponder an
attacker may create arbitrary keys for the locking system.
To protect the confidentiality and integrity of the locking permissions stored
on the transponder three different methods are used:
1. The transponder provides access protection using a password. The password
can be retrieved over the air by an attacker having brief access to a lock of
the locking system using appropiate hardware.
2. The data on the transponder is protected by a checksum. Manipulation of
copying of the locking permissions to a different transponder is detected. With
the knowledge of the underlying checksum algorithm the attacker may calculate
a valid checksum. The manipulated or copied data is then not detected by the
locking system anymore. Only the analysis of the protocols may allow the
3. Alternative to the checksum the data on the transponder may be encrypted.
Since no checksum is used in this mode targeted manipulation of the Cipher-
Block-Chaining may be used to set or remove specific locking permissions.
We contacted the vendor the first time in October 2014. The last
vulnerabilities were reported to the vendor on April 15th 2015.
OpenSource Security Ralf Spenneberg http://www.os-s.de
Am Bahnhof 3-5 48565 Steinfurt Germany
Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757
[ reply ]
Copyright 2010, SecurityFocus