Jump to content
Security Installer Community

Recommended Posts

Posted

Isn't that 'Self Declared' bit the whole industry in general.

 

I think that is part of the problem, but to sell signalling devices in some places (Spain, at least), you need third-party testing.

The CS2300 has been tested:

https://twitter.com/CSLDualCom/status/486496083322093568

 

But, after speaking to the testing house, it is highly likely that the entire encryption and substitution protection bit is self-declared, even when third-party tested. Personally, I don't think that's made clear.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Posted

On 1st May this year, I found it was possible to dump the names, addresses, emails, usernames, and phone numbers of every single user of every single company who had registered on the CSL M2M SIM page. I did not push the investigation any further, but worse may have been visible.

 

http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/

 

If you would like to know if your company was one of the listed ones, I can check for you.

 

Can you check if I'm on there Mercury Security Management?

Posted

If you're a CSL customer or have ever called them about *any* product I'd say it looks like you will be.

So, I've decided to take my work back underground.... to stop it falling into the wrong hands

 

Posted

If it's general info

Ie phone number email address being registered company anyway

What's the big deal it's all available anyway ?

Posted

What's the big deal it's all available anyway ?

Well lets say Kev Hall appears on the list under his co's name,

At one time the site would have given out his email & password to those in the know.

If the same credentials are used else where, that presents quite a risk ?

Mr th2.jpg Veritas God

Posted

We just go into housing and building like you , get bigger cone cutters and your done

Is csl overall cheapest?

Posted

Can you check if I'm on there Mercury Security Management?

 

Yes, Frank.

If self certing is part of it what's the point of 3rd party certification?

 

The point is that most people don't realise this, and it took quite a lot of work to arrange a meeting with the test house before I found this out.

So you have a cert and people think it means all of it was third-party tested.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Posted (edited)

If it's general info

Ie phone number email address being registered company anyway

What's the big deal it's all available anyway ?

 

There are sole traders on there, who might not want their addresses out there. A lot of mobile numbers. Usernames - they should not be leaking.

It's also strongly indicative that they have done no security testing at all. This was found in under a minute of browsing their site. What else is there?

 

Also, it's a great tool for social engineering. And a great list of contacts for a competitor.

Edited by cybergibbons

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.



×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.