ABUS security systems error allows hackers to disable users’ alarms

A recently released security report states that thousands of ABUS Secvest smart alarms could be exposed to exploitation of a flaw that would allow threat actors to disable the security systems remotely, affecting all kinds of domestic, commercial and even industrial environments. While ABUS developers patched this error in early 2021, experts estimate that more than 90% of users have still not deployed the update.

The report was submitted in October 2020 by experts from the security firm EYE, who mention that their first scans put the number of exposed systems at 11 thousand. Now, researcher Niels Teusink mentioned that fewer than a thousand Internet-connected ABUS devices are running the latest firmware version, so there are about 10,000 deployments exposed to the aforementioned attack variant.

The expert adds that most of the exposed devices are located in Germany, although a few more can be found in Austria and Switzerland, countries where German is also spoken.

About the vulnerability, Teusink mentions that it resides in the smart alarm's web management interface, which can be used through a web browser or a mobile app to control Secvest devices: “While HTTPS requests to disable the security system require authentication, many of the other features on these devices are completely unprotected,” adds the expert.

Teusink mentions that unauthenticated threat actors can send specially designed requests to a smart alarm to turn off its features. In addition, by adding some scripts, the process could be automated to compromise thousands of vulnerable devices.

EYE’s report adds that threat actors could extract sensitive information using this attack, including device name, IP address, approximate location and other details that might be relevant to subsequent attacks. In addition, experts mention that it is possible to deactivate the signal from ABUS security cameras, preventing evidence of possible malicious activity from being recorded.

As we can see, the security risks associated with exploiting this flaw are considerable, so experts looked for an explanation of why so few devices have been updated. Teusink mentions that applying patches in many cases requires installer permissions, so some users cannot install them on their own. So far ABUS has not issued any communication on this.
