Csl's M2M Sim Registration Portal Database Leak

[cybergibbons]

I'm guessing none of you were contacted to tell you your data might have been leaked?

[james.wilson]

looks like secure it all is there and dont use their sims

[datadiffusion]

Nope. Since I never registered, it's clear the bulk of the database is just a copy'n'paste of all existing customers?

[cybergibbons]

Marvellus innit?

 

Yeah... you look like one of the ones that very little info in there. But still there.

[james.wilson]

Fareham and Worthing? Both there.

 

Pentested means penentration testing, i.e. you get someone who knows how to hack to have a crack at your systems. I'd that even ARCs should be having them done (I've done a few now, and found a lot of problems, most easily fixed), but signalling providers with centralised receiving, like CSL and WebWayOne, should definitely be pentested.

The report is about the encryption and general security of the CSL CS2300 signalling units.

ah i see so im assuming thats all the grade shifts then?

 

Part Numbers

CS 2200 DualCom GPRS G2 (+ SIM Card, NVM) and CS2058 box aerial).

CS 2210 DualCom GPRS G2 (+ SIM Card, NVM) and CS2057 ext. aerial).

CS 2300 As CS2200 but to Grade 3 standard

CS 2310 As CS2210 but to Grade 3 standard

CS 2400 As CS2200 but to Grade 4 standard

CS 2410 As CS2210 but to Grade 4 standard

I'm guessing none of you were contacted to tell you your data might have been leaked?

No

[MrHappy]

I'm guessing none of you were contacted to tell you your data might have been leaked?

 

My details ain't on there

 

I had a conversation with the pyronix rep about the sim in Enfocrer home app demo kit,

Looked in the risco store then looked at the CSL M2M website & played with postcodes,

 

Didn't like something so never signed up,

[cybergibbons]

ah i see so im assuming thats all the grade shifts then?

 

Part Numbers

CS 2200 DualCom GPRS G2 (+ SIM Card, NVM) and CS2058 box aerial).

CS 2210 DualCom GPRS G2 (+ SIM Card, NVM) and CS2057 ext. aerial).

CS 2300 As CS2200 but to Grade 3 standard

CS 2310 As CS2210 but to Grade 3 standard

CS 2400 As CS2200 but to Grade 4 standard

CS 2410 As CS2210 but to Grade 4 standard

No

 

So here is a big part of the problem.

I have 13 boards marked CS2300, made between 2009 and 2013. Firmware version varies. They all suffer from the same issues.

CSL still sell the CS2300 boards marked GradeShift.

 

They say the ones I am testing are not used in the field. I can't see anyway you tell the difference.

[james.wilson]

Im sure we can find one from the field but surly a 2300 is a 2300?

[cybergibbons]

Im sure we can find one from the field but surly a 2300 is a 2300?

 

Well, we'll see what CSL say when the report and vulns are released.

I'll be blunt - I've met with the standards bodies and they are not competent to test the encryption standards. It might be EN50136-1 certified, but the whole bit on encryption is very likely to be self-declared by the signalling provider.

Not sure if this wants splitting out?

[Nova-Security]

 It might be EN50136-1 certified, but the whole bit on encryption is very likely to be self-declared by the signalling provider.

 

 

Isn't that 'Self Declared' bit the whole industry in general.