10,000+ unpatched ABUS Secvest home alarms can be deactivated remotely
Thousands of smart home alarms from ABUS Secvest contain a vulnerability (CVE-2020-28973) that allows attackers to remotely disable alarm systems and expose homes and corporate premises to the risk of burglary and theft.
ABUS fixed the problem in January of this year, but three months later more than 90% of users have still not applied the firmware fix.
According to experts from the Dutch information security company EYE, more than 10,000 vulnerable Secvest alarm systems have been identified on the Internet.
According to experts, most of the systems are located in Germany, Austria and Switzerland.
The vulnerability lies in the web administration panel of the alarm system, which users access through a browser or the mobile application to manage their Secvest installation.
Attackers can send a specially crafted web request to a network-connected Secvest alarm and instruct it to sound its loud siren.
Scripts can automate this process and trigger security alarms in thousands of locations throughout Germany and Western Europe.
Although an alarm cannot be disabled with a single request, an attacker can use the same vulnerability to access and download the alarm system's configuration file and cause further problems from there.
Because this file also contains the logins and passwords of all users registered with the burglar alarm system, an attacker can log in to the alarm system with valid credentials and then disable it at a specific location.
Information in the configuration file, such as the alarm system's name, its IP address, and access to the raw camera feeds, allows a cybercriminal to determine the physical location of the alarm system. Hackers working with criminal gangs can exploit these flaws to launch attacks on critical targets.