Please find information about the CVE in the CVE database.

Vulnerable components

Detailed technical description

The meter sends two messages within a short time range. The shorter message (48 bytes of application payload) appears to carry the current metered value. The messages are sent every minute between 9 a.m. and 7 p.m. each day and every 15 minutes during the night. The meter employs Security Mode 5 of Wireless M-Bus, i.e. AES-128-CBC whose initialization vector is built from the meter's manufacturer and address fields and an 8-bit access number counter; since the manufacturer and address fields are fixed for a given meter, the IV effectively depends only on that counter. Each of the two messages carries a different counter value, so the counter wraps around every 256 messages: after 2 hours 8 minutes during the day, and, for a window starting at the beginning of the night, after the whole 14-hour night plus 72 minutes of the following morning, i.e. 15 hours 12 minutes.

The metered value appears to be located in the first 16 bytes of the 48-byte message, and a frequently changing value appears to sit in the final 16 bytes. In this configuration the encryption scheme does not provide full confidentiality: CBC is deterministic for a given key and IV, so once a counter value repeats, every leading ciphertext block whose plaintext (and all preceding plaintext) is unchanged repeats as well. If there was no metered consumption between two messages carrying the same counter value, the first 32 bytes of the ciphertext of the shorter message repeat while the final 16 bytes differ. Hence an adversary can observe, without the encryption key, whether water was consumed during the counter wrap-around period. Consequently the attacker can infer whether someone is in the flat, daily patterns, and similar information.

For example, suppose we observe a message with counter value a4 and the payload ciphertext 1fed8fed3eb52c0657a2d6519f216fff130b97b9d03e80423fe1c8e3ee83de7f8885e10ed984fa30859eae965244f30d. When the counter wraps around and reaches a4 again, we may observe the ciphertext 1fed8fed3eb52c0657a2d6519f216fff130b97b9d03e80423fe1c8e3ee83de7fe355b9175d5562f2a37c625d3ee984d3. Notice that the first 32 bytes of both messages are identical: 1fed8fed3eb52c0657a2d6519f216fff130b97b9d03e80423fe1c8e3ee83de7f. This can only happen because the plaintext of the first 32 bytes did not change in the meantime. If, however, water was consumed, the payload ciphertext changes from the first block onward, for example to e7d2326b8fc40ccc8bc0894c85194bd473cc4a42370b1243e2ab1f0846931954 (first 32 bytes shown).
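The following Go program is an added illustration of the mechanism described above and of the passive check an observer can run; it is not code from the original advisory or from the meter vendor. It uses the standard library's AES-128-CBC, builds the Mode 5 IV as the 2-byte manufacturer field, the 6-byte address field and the access number repeated eight times, and encrypts a constructed 48-byte payload (metered volume in the first block, static records in the second, a per-transmission counter in the third). The key, the manufacturer and address values, the payload layout and the one-frame-per-counter-step schedule are all assumptions made for the example. The observer side never needs the key: it only remembers the last ciphertext seen for each access number and compares the leading 32 bytes when a counter value comes round again.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const blockSize = 16

// mode5IV builds the Security Mode 5 initialization vector: the 2-byte
// manufacturer (M) field, the 6-byte address (A) field and the 8-bit access
// number repeated eight times. Only the access number changes between frames
// of one meter, so the IV repeats every 256 frames.
func mode5IV(mField [2]byte, aField [6]byte, accessNo byte) []byte {
	iv := make([]byte, 0, blockSize)
	iv = append(iv, mField[:]...)
	iv = append(iv, aField[:]...)
	for i := 0; i < 8; i++ {
		iv = append(iv, accessNo)
	}
	return iv
}

// encryptMode5 is AES-128-CBC over a payload that is already a whole number
// of blocks (the meter pads the application layer to 16-byte blocks).
func encryptMode5(key, iv, plaintext []byte) ([]byte, error) {
	if len(plaintext)%blockSize != 0 {
		return nil, fmt.Errorf("payload length %d is not a multiple of %d", len(plaintext), blockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// payload is a constructed 48-byte stand-in for the short frame: the metered
// volume in the first block, static records in the second, and a field that
// changes on every transmission (a transmission counter) in the third.
func payload(volumeLitres uint32, txCounter uint32) []byte {
	p := make([]byte, 3*blockSize)
	p[0], p[1] = 0x2F, 0x2F // Mode 5 verification bytes at the start of the plaintext
	binary.LittleEndian.PutUint32(p[2:], volumeLitres)
	copy(p[blockSize:2*blockSize], []byte("static-records!!")) // exactly 16 bytes
	binary.LittleEndian.PutUint32(p[2*blockSize:], txCounter)
	return p
}

// observation is what a passive T1 receiver gets: the access number is sent in
// clear, the payload is ciphertext. No key is involved on this side.
type observation struct {
	accessNo   byte
	ciphertext []byte
}

// leadingBlocksEqual reports whether the first n blocks of two ciphertexts match.
func leadingBlocksEqual(a, b []byte, n int) bool {
	return len(a) >= n*blockSize && len(b) >= n*blockSize &&
		bytes.Equal(a[:n*blockSize], b[:n*blockSize])
}

// detector remembers the last ciphertext per access number and, when the 8-bit
// counter wraps, reports whether the first two ciphertext blocks repeated.
type detector struct{ seen map[byte][]byte }

func newDetector() *detector { return &detector{seen: map[byte][]byte{}} }

func (d *detector) observe(o observation) (counterSeenBefore, leadingRepeated bool) {
	prev, ok := d.seen[o.accessNo]
	d.seen[o.accessNo] = o.ciphertext
	if !ok {
		return false, false
	}
	return true, leadingBlocksEqual(prev, o.ciphertext, 2)
}

// simulate sends one frame per access number across a full counter wrap and
// returns what the detector concluded on the first repeated access number, plus
// whether the final block also repeated. consumed controls whether the metered
// volume changed before the wrap.
func simulate(consumed bool) (leadingRepeated, lastBlockRepeated bool) {
	key := []byte("0123456789abcdef") // constructed 128-bit key, unknown to the observer
	mField := [2]byte{0x2D, 0x2C}       // constructed manufacturer field
	aField := [6]byte{0x78, 0x56, 0x34, 0x12, 0x01, 0x07} // constructed address field
	d := newDetector()
	volume := uint32(123456)
	var first []byte
	for i := 0; i <= 256; i++ {
		an := byte(i) // wraps back to 0 at i == 256
		if i == 256 && consumed {
			volume += 5
		}
		ct, err := encryptMode5(key, mode5IV(mField, aField, an), payload(volume, uint32(i)))
		if err != nil {
			panic(err)
		}
		if i == 0 {
			first = ct
		}
		if seen, rep := d.observe(observation{an, ct}); seen {
			return rep, bytes.Equal(first[2*blockSize:], ct[2*blockSize:])
		}
	}
	return false, false
}

func main() {
	for _, consumed := range []bool{false, true} {
		rep, last := simulate(consumed)
		fmt.Printf("consumption=%v: leading 32 bytes repeat=%v, final block repeats=%v\n", consumed, rep, last)
	}
}
```

Without consumption the first two ciphertext blocks come back identical while the third differs because of the changing field, exactly the pattern quoted above; with consumption the volume in the first plaintext block changes and every ciphertext block differs. A real receiver would additionally key the detector state by the meter identifier, since several meters in range share the same 8-bit counter space.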

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base score 4.3 (Medium severity)

Attack vector

An adversary needs to be in the vicinity of the meters (tens of metres; with a good antenna probably more).

Attack complexity

An adversary needs only a publicly available Wireless M-Bus T1 receiver; no key material is required.

Privileges and user interaction required

None. The adversary can work out which meter belongs to which flat by correlating the positions of the meters with the received signal strength.

The meter identifier is sent in clear in each message and is also printed on the front of the meter. A cooperating user can make the adversary's task easier by letting the adversary see the meter or by telling them the meter number, but such cooperation is not necessary to carry out the attack.

Effects on confidentiality, integrity and availability

The adversary can learn whether there was consumption (or another change in the transmitted data) during the access number counter wrap-around window. Integrity and availability are not affected.

CWE

CWE-203: Observable Discrepancy

Claim summary

Risks

Advisory

The encryption mode of these meters is probably not configurable, so the meters should be replaced.

Further reading