20 January 2022

KLCERT-20-037: Bosch AMC2. Information Disclosure due to Hard-coded Cryptographic Key

Researcher

Alexander Nochvay, Kaspersky ICS CERT

Timeline

  • Kaspersky ICS CERT advisory published

    20 January 2022

  • Vendor advisory published

    January 2022

Description

An attacker can capture and decrypt the communication between the configuration software and the affected devices, because that communication is encrypted with a symmetric algorithm that uses a fixed key.


Exploitability

Adjacent

Attack complexity

Low

Privilege required

None

User interaction

Required: an operator must communicate with the device

Confidentiality

High

Impact

An attacker is able to decrypt captured data and encrypt their own crafted data to send to the device.

Affected products

Bosch AMC2, firmware versions distributed with:

  • Bosch AMS, all versions <4.0
  • Bosch APE, all versions <=3.8.x
  • Bosch BIS, all versions <4.9.1

Mitigation

The recommended approach is to update the affected Bosch software to an improved version. The latest versions, BIS 4.9.1 and AMS 4.0, are not affected by the discovered vulnerabilities.

Please note that AMS and BIS will automatically update AMC2 controllers with strengthened firmware. Please refer to the technical documentation in the software release for more details.

For AMS and BIS installations that cannot be updated immediately to version 4.0 and 4.9.1 respectively, Bosch has prepared patches that distribute hardened firmware to the AMC2 door controllers. A patch is also available for APE 3.8.x installations.

Please note that these patches disable certain functionality of the AMC2 communication and may require a different way of interacting with AMC2 controllers. Please refer to the patches' technical documentation for details.

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
