Security Installer Community

Ip Signalling And Network Configuration



Posted

I'm just looking at changing some theoretical vulnerabilities into actual exploits on some IP signalling boards.

 

Some of these would rely on the signalling board being accessible on the network from a PC (specifically, can the PC send broadcast traffic and the signalling board receive it).

 

So when these boards are installed, how is the network connection normally provided? Is it just plugged into any available network port? Is a specific VLAN created (or any other segregation from the rest of the network)?

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Posted

In 99% of the cases we install them they just plug onto the local LAN without any segregation at all.

www.securitywarehouse.co.uk/catalog/

Posted

So, if a PC on the same subnet could reconfigure the IP address/gateway, perform a denial-of-service attack, or even act as a man-in-the-middle, would that be considered a problem?

 

It's far easier to compromise one of many PCs than a single embedded board, you see.


 

 

 

Posted

It would be a major problem, but on the whole no one sees it. When we have IP devices on corporate networks, they tend to VLAN our gear, inc. DVRs, off, but the average commercial/residential alarm we just sit on the network as does everything else.


Posted

If you just take out the LAN interface, then a dual path device is going to cause an alarm, yes.

 

But if you can change the gateway, you can act as a man-in-the-middle. If the protocol has no message authentication, sequencing etc. then you can just act as if everything is OK.

 

It's just a nasty hole to leave open.


 

 

 

Posted

If the protocol has no message authentication, sequencing etc. then you can just act as if everything is OK.

 

Are there any signalling products that have no message authentication?

 

MITM attack is possible but unlikely IMO.

Signalling devices are sold on how simple they are for monkeys to fit. I doubt the average installer would be able to set up VLANs or separate subnets.

 

Wouldn't it also depend which path is first priority?

Posted

Are there any signalling products that have no message authentication?

 

MITM attack is possible but unlikely IMO.

Signalling devices are sold on how simple they are for monkeys to fit. I doubt the average installer would be able to set up VLANs or separate subnets.

 

Wouldn't it also depend which path is first priority?

 

Yes, some signalling products appear to have no message authentication - it appears to be trivial to spoof responses.

 

MITM is unlikely currently. But then if one product can be MITMed and another can't, which one is better?

 

With respect to path priority, if you can act as MITM on the secondary LAN interface and then respond with a message saying "Reconfigure all inputs to not trigger on changes", then it doesn't matter that the other path is untouched.

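The scenario argued across the last two posts (an attacker who has become the board's gateway spoofs the reply to a poll, and a reply that tells the panel to stop reporting its inputs), as an added example that is not part of the thread and does not model any vendor's actual signalling protocol. The JSON message format, the "disable_inputs" command, the HMAC-SHA256 tag, the shared key and the Panel/Arc classes are all assumptions made for this illustration; it also runs a third variant (sequence numbers but no authentication) that the thread does not mention, to show that sequencing alone does nothing against an active man-in-the-middle.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed shared secret for the authenticated variant. Assumption: the panel
# and the ARC were provisioned with it out of band; no real product is modelled.
SHARED_KEY = secrets.token_bytes(32)


def encode(payload: dict, seq: int, key: Optional[bytes]) -> bytes:
    """Serialise one message; append an HMAC-SHA256 tag when a key is supplied."""
    body = json.dumps({"seq": seq, **payload}, sort_keys=True).encode()
    if key is None:
        return body
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def strip_tag(raw: bytes, key: Optional[bytes]) -> bytes:
    """Return the JSON body of a message (tagged messages end in '|<hex tag>')."""
    return raw.rpartition(b"|")[0] if key is not None else raw


class Panel:
    """Panel end of a hypothetical polled signalling link (toy protocol)."""

    def __init__(self, key: Optional[bytes], check_seq: bool):
        self.key = key              # None models a product with no message authentication
        self.check_seq = check_seq  # False models a product with no sequencing
        self.seq = 0
        self.awaiting = None        # seq of the poll we still expect a reply to
        self.inputs_armed = True
        self.rejected = []

    def heartbeat(self) -> bytes:
        self.seq += 1
        self.awaiting = self.seq
        return encode({"type": "heartbeat"}, self.seq, self.key)

    def receive(self, raw: bytes) -> bool:
        """Process a reply; return True if it was accepted and acted upon."""
        body = raw
        if self.key is not None:
            body, sep, tag = raw.rpartition(b"|")
            expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
            if not sep or not hmac.compare_digest(expected, tag):
                self.rejected.append("bad tag")
                return False
        msg = json.loads(body)
        if self.check_seq:
            if msg.get("seq") != self.awaiting:
                self.rejected.append("bad seq")   # replayed or out-of-order reply
                return False
            self.awaiting = None                  # each poll is answered at most once
        if msg.get("cmd") == "disable_inputs":
            self.inputs_armed = False             # the remote reconfigure the thread worries about
        return True


class Arc:
    """Alarm receiving centre: acknowledges each heartbeat with the same seq."""

    def __init__(self, key: Optional[bytes]):
        self.key = key

    def reply(self, raw: bytes) -> bytes:
        seq = json.loads(strip_tag(raw, self.key))["seq"]
        return encode({"type": "ack"}, seq, self.key)


def run_attack(key: Optional[bytes], check_seq: bool) -> dict:
    """Panel polls the ARC through an attacker who has become its gateway."""
    panel, arc = Panel(key, check_seq), Arc(key)

    # 1. One honest exchange, which the man-in-the-middle records.
    genuine_ack = arc.reply(panel.heartbeat())
    if not panel.receive(genuine_ack):
        raise RuntimeError("honest exchange must be accepted")

    # 2. Next poll: the attacker drops the ARC and answers the panel itself.
    #    The seq is readable on the wire, but the attacker has no key.
    hb = panel.heartbeat()
    seq = json.loads(strip_tag(hb, key))["seq"]
    forged = encode({"type": "ack", "cmd": "disable_inputs"}, seq, None)
    forged_accepted = panel.receive(forged)

    # 3. The attacker replays the genuine ack captured in step 1.
    replay_accepted = panel.receive(genuine_ack)

    return {
        "forged_accepted": forged_accepted,
        "replay_accepted": replay_accepted,
        "inputs_armed": panel.inputs_armed,
        "rejected": panel.rejected,
    }


if __name__ == "__main__":
    print("no auth, no seq :", run_attack(None, check_seq=False))
    print("seq only        :", run_attack(None, check_seq=True))
    print("HMAC + seq      :", run_attack(SHARED_KEY, check_seq=True))
```

With neither authentication nor sequencing the forged acknowledgement is accepted and the inputs are silently disabled while the other path stays untouched, which is exactly why path priority does not help. Adding a sequence number on its own changes nothing, because the counter is visible to whoever sits at the gateway. Only the keyed tag stops the forgery, and the sequence check is then what stops the attacker replaying an old genuine reply.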

 

 

 

Archived

This topic is now archived and is closed to further replies.