Please find information about the CVE in the CVE database.

Vulnerable components

Detailed technical description

The radio module product description states that the meters should be able to detect events including "Backflow (Threshold: Backflow volume): This is a backflow with a volume that exceeds the Threshold." We do not know what the volume threshold is. Nevertheless, we backflowed about 0.015 m³. Enbra EWM software does not report the backflow event. We are not sure what the issue is: was the threshold reached? Is it a bug in the meter? Maybe the meter does signal the event but Enbra EWM cannot parse it.

Additionally, Enbra EWM reports the meter malfunction "Radio module was removed three times". However, there is an Apator seal that should indicate that the radio module was removed. The error was there during our first readout. Historical data shows that the meters were not used for several months, so we expect that the condition for reporting the event "No Flow (Thresholds: Maximum daily volume, Maximum total volume over a pre-set number of days, Number of days): A zero flow condition is detected when the total volume over a pre-set number of days is below the Threshold, or when the Maximum daily volume is not exceeded on any of the pre-set days." was met. Such an event is not reported by Enbra EWM. Moreover, we identified affected meters in a residential building. We noticed that the very same error is also shown, but only on a limited number of meters. The only error that we saw reported by Enbra EWM is "Radiomodule was removed three times". We did not see any other error reported.

We suspect that the event reporting in Enbra EWM does not work as it should.

CVSS vector if the vulnerability is in the meter

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Base score 4.6 (Medium severity)

CVSS vector if the vulnerability is in the software

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Base score 6.2 (Medium severity)

Attack vector

Adversaries need to manipulate the meters, e.g. by backflowing water. If the vulnerability is in the meter, they need physical access; if the vulnerability is in Enbra EWM, they need to access a different component (the meter).

Attack complexity

Depending on the event, either no skills or just simple plumbing is required.

Privileges and user interaction required

None. An adversary is typically an inhabitant of the metered flat.

Effects on confidentiality, integrity and availability

The adversary can spoof the consumption and decrease the billing amount.

If the owner of the meter tries to detect water leaks through the events, and if Enbra EWM really does not show such events, a preventable water leak event would not be detected. This can result in property damage.

CWE

CWE-682: Incorrect Calculation

We are not sure of the exact root cause of the vulnerability. We suspect that it can also be CWE-436: Interpretation Conflict, CWE-704: Incorrect Type Conversion or Cast or one of its subtypes, or maybe another bug.

Claim summary

Risks

Advisory

One should ignore the events displayed by Enbra EWM.
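One way to check for the two quoted events (Backflow and No Flow) directly from the readout history instead of relying on the event display, as an added example that is not code from the vendor or from this advisory. It assumes daily cumulative index readings in m³ whose value decreases on reverse flow; the threshold constants, function names and sample readings are constructed for illustration, because the configured thresholds are not known.

```python
from datetime import date, timedelta

# Hypothetical thresholds: the configured values are not known.
BACKFLOW_M3 = 0.010          # backflow volume threshold
NOFLOW_DAYS = 7              # pre-set number of days
NOFLOW_MAX_TOTAL_M3 = 0.005  # maximum total volume over NOFLOW_DAYS
NOFLOW_MAX_DAILY_M3 = 0.001  # maximum daily volume

def daily_volumes(readings):
    """Turn (date, cumulative index in m3) pairs into (date, volume that day)."""
    readings = sorted(readings)
    return [(d1, round(v1 - v0, 6)) for (_, v0), (d1, v1) in zip(readings, readings[1:])]

def backflow_events(volumes):
    """Sum each run of consecutive negative days; report runs above the threshold."""
    events, run_start, run_total = [], None, 0.0
    for day, vol in volumes + [(None, 0.0)]:  # sentinel closes a trailing run
        if vol < 0:
            run_start = run_start or day
            run_total += -vol
            continue
        if run_start and run_total > BACKFLOW_M3:
            events.append((run_start, round(run_total, 6)))
        run_start, run_total = None, 0.0
    return events

def no_flow_events(volumes):
    """Quoted No Flow rule per NOFLOW_DAYS window (assumption: reverse flow counts as 0)."""
    events = []
    for i in range(len(volumes) - NOFLOW_DAYS + 1):
        window = [max(v, 0.0) for _, v in volumes[i:i + NOFLOW_DAYS]]
        low_total = sum(window) < NOFLOW_MAX_TOTAL_M3
        low_every_day = all(v <= NOFLOW_MAX_DAILY_M3 for v in window)
        if low_total or low_every_day:
            events.append(volumes[i + NOFLOW_DAYS - 1][0])  # day the window closes
    return events

def sample_readings():
    """Constructed readout: normal use, 8 idle days, then a 0.015 m3 backflow."""
    start, index = date(2024, 1, 1), 100.0
    rows = [(start, index)]
    for n, delta in enumerate([0.120, 0.095] + [0.0] * 8 + [0.110, -0.015, 0.130], 1):
        index += delta
        rows.append((start + timedelta(days=n), round(index, 3)))
    return rows

if __name__ == "__main__":
    vols = daily_volumes(sample_readings())
    print("backflow:", backflow_events(vols), "no flow:", no_flow_events(vols))
```

Any date this check flags that has no matching event in the software's display is a concrete discrepancy to raise with the vendor.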

Further reading