Jump to content
Security Installer Community

cybergibbons

Member
  • Posts

    498
  • Joined

  • Last visited

  • Days Won

    7

Everything posted by cybergibbons

  1. Really depends on what they want to do. They can keep on with the smoke and mirrors, pitching themselves as "IoT poster boys", or they could actually start developing secure products.
  2. The ball is in CSL's court with that. They could let any pentesting company take a look at their systems and publish the report.
  3. I can't actually do anything except passive observation. If I connect to CSL's servers, or actually interfere with the operation of another device, I have broken the law. Computer Misuse Act.
  4. Me. For "formal communications". Seems odd, as I am a business. The law.
  5. They haven't communicated with me at all since they tried getting my home address 6 weeks ago. I believe it can, yes. Certainly the ones that use the IP path can be sniffed and spoofed with little trouble. The problem is that I can't push the boundaries any further to prove it. The real point is that their systems have been designed and operated by people who very clearly are incompetent. If anyone has looked at their security, CSL have totally ignored any findings. God knows what else is there. If you aren't regulated by the law, it could be awful.
  6. That's really no way to refer to Simon Banks.
  7. The vulnerability note from CERT has now gone live: http://www.kb.cert.org/vuls/id/428280
  8. The only difference between the grades is the reporting time, as far as I can tell. The encryption, the protocol, the lack of firmware updates etc. are the same regardless of grade.
  9. As many of you know, I spent some time researching the CSL CS2300-R SPTs last year. I found a series of issues that I think are serious problems. CSL have had 17 months to deal with these issues, and after them dawdling, I opted for co-ordinated disclosure of the issues via CERT/CC. CSL have had 45 days to respond to CERT/CC, and only did so on Friday with a statement that is largely spin and distraction. In summary, the issues found: CSL have developed incredibly bad encryption, on a par with techniques state-of-the-art in the time before computers. CSL have not protected against substitution very well CSL can’t fix issues when they are found because they can’t update the firmware There seems to be a big gap between the observed behaviour of the CS2300-R boards and the standards It’s likely that the test house didn’t actually test the encryption or electronic security Even if a device adheres to the standard, it could still be full of holes CSL either lack the skill or drive to develop secure systems, making mistake after mistake I have written a blog post detailing these issues, which also links to the full PDF report. Until CSL can demonstrate that their products are standards compliant and secure, I would advise not using them, especially for higher grades.
  10. They bricked the Xanview Timebox I had because they thought I was hacking it.
  11. The alarms I have don't allow it to be silenced, though some allow it to be turned down. The first thing I do to most alarms that I am testing is rip the sounder off. Normally a small screwdriver under the plastic casing will do, then remove the piezo disc.
  12. Most of the systems use 2-FSK, so pick a signal that approximately matched the bit-rate of that and toggle between the two. So you end up with: FSK signal modulated at 9600Hz or something - this interferes with the signal itself Switch that on and off at 0.05s (i.e. 20Hz) - this stops the jamming detection being triggered, but is often enough to interfere. Might have to up the frequency a bit here for some systems. The problem is that with the 2-way RF gear, they have two types of jamming detection: 1. Signal strength or RSSI based - this is what the standard describes and is all that 1-way can do. 2. Pings - send a message to detector, if it doesn't come back, get worried. The Enforcer will almost certainly do both. There's loads of interesting stuff you can do with jamming, but probably not for discussion in public.
  13. The spec is any 31s out of 60s. Drive a jammer with a 50% duty cycle, period of about 0.05s, and the jamming detection won't go off, but nothing will get through.
  14. The one I've seen a few times is cheap baby monitors that transmit a continuous signal in 868MHz, they are quite obvious. But lots of other stuff is much harder to track down. The standard says that for grade 1 and 2, it's 31s out of 60s to signal jamming, 3 and 4, 11s out of 20s. Many of them also detect if messages are dropped, but only if they have 2-way RF.
  15. I think so. It's just setting a frequency range, and it does the rest of it pretty much automatically. Problem is, once you've found there is another signal, what do you do?
  16. A thing you plug into your computer, it receives a wide-ish bit of the spectrum (5MHz-100Mhz, typically), and you can show it on your screen as a spectrum or waterfall: http://nansupport.com/images/rfexplorer/heatmap-800x349.png Difference between the RF Explorer and SDR is that the RF Explorer sweeps - starts at 858MHz and slowly goes up to 878MHz, whereas an SDR can receive the whole 20MHz instantly. Just means you can miss things.
  17. https://www.coolcomponents.co.uk/rf-explorer-3g-combo.html They are good for the money. Fragile though - power switch and USB has broken on mine and it's always been taken care of. It will pick up most accidental sources of jamming, but miss intentional because of the slow sweep speed. A SDR is better to pick up intentional jamming.
  18. Yes - I have two of the recent SPTs. The testing was basic, but nothing raised red-flags. I couldn't just download the firmware and tear it apart, and none of the common failings were made.
  19. Well, I personally wouldn't touch Videofied gear with a bargepole. That's being released 30/11 - they need to get a fix out.
  20. Well, his own email rather than a generic one is on the list.
  21. There are sole traders on there, who might not want their addresses out there. A lot of mobile numbers. Usernames - they should not be leaking. It's also strongly indicative that they have done no security testing at all. This was found in under a minute of browsing their site. What else is there? Also, it's a great tool for social engineering. And a great list of contacts for a competitor.
  22. Yes, Frank. The point is that most people don't realise this, and it took quite a lot of work to arrange a meeting with the test house before I found this out. So you have a cert and people think it means all of it was third-party tested.
  23. I think that is part of the problem, but to sell signalling devices in some places (Spain, at least), you need third-party testing. The CS2300 has been tested: https://twitter.com/CSLDualCom/status/486496083322093568 But, after speaking to the testing house, it is highly likely that the entire encryption and substitution protection bit is self-declared, even when third-party tested. Personally, I don't think that's made clear.
  24. Well, we'll see what CSL say when the report and vulns are released. I'll be blunt - I've met with the standards bodies and they are not competent to test the encryption standards. It might be EN50136-1 certified, but the whole bit on encryption is very likely to be self-declared by the signalling provider. Not sure if this wants splitting out?
  25. So here is a big part of the problem. I have 13 boards marked CS2300, made between 2009 and 2013. Firmware version varies. They all suffer from the same issues. CSL still sell the CS2300 boards marked GradeShift. They say the ones I am testing are not used in the field. I can't see anyway you tell the difference.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.