jimcarter Posted November 27, 2015

I don't know if WebWayOne want to pass comment on the self declared aspects of standards testing? Difficult topic for me to be involved in tbh. The levels of testing that can be done in respect of substitution and encryption are complex and I do believe that when we carried out certification to EN50136 this aspect was largely self declaration. Not ideal I would agree. As a company our core specialty is (and always has been) secure communications. Ever since we entered the market with the first IP based ATS back in 2005 we have been under the microscope from all aspects of the industry. So 128AES, key exchange, substitution protection etc etc are what we eat, sleep and breathe. In a separate topic I mentioned that we have had the ATS independently pen tested on multiple occasions; we would not have been successful in internet signalling within the financial sector & corporate space without. This level of testing was (as it should be) intense and incredibly thorough, carried out under NDA as well because we were almost at the level where we were talking about the core of the encryption and substitution techniques we developed.

Jim Carter, WebWayOne Ltd, www.webwayone.co.uk
GalaxyGuy Posted November 27, 2015

Featured on hackaday: http://hackaday.com/2015/11/26/hacker-uncovers-security-holes-at-csl-dualcom/
al-yeti Posted November 27, 2015

CSL Response: http://cybergibbons.com/wp-content/uploads/2015/11/CSL_statement.txt
cybergibbons (Author) Posted November 27, 2015

> http://www.thesecurityinstaller.co.uk/community/topic/32716-dual-path-signalling-devices-dual-path-failure-reporting-times/

Thanks. That's interesting. I don't understand why it would take more than 10 minutes regardless of grade. I think the standard is a joke in this respect.

> I spoke to my CSL rep yesterday who denied their site was hacked and also claimed any units tested were more than six years old and their units are completely secure.

As in, they denied this? http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/

I have the emails from Santosh Chandorkar where we discussed it.

The units were old, but there is no evidence that the newer units don't suffer from the same issues.

> The VPN bit from what I read is very last mile. It's not end to end. Plus I believe alarm delivery and polling are different routes, so polling imo does not prove path availability for alarm transmission, i.e. some use the same path end to end to poll and deliver alarms.

As far as I can work out, the VPN is from the ARC to CSL. Certainly on the firmware I looked at there is no VPN functionality. The processors they use - the NEC 78K0R - are very small. They'd have to write the VPN software from the ground up themselves. The way the latest firmware I have works, it just doesn't have room to do this. The primary reason behind this is that the CS2300-R has been coded to deal with 4 different GPRS modems. The way this is done, it makes the code 4 times bigger in a lot of places. I'd estimate about 40% of the flash memory is taken up with this - there just is not room for a VPN client. Possibly on later units, they have trimmed this out, allowing them to add functionality.

> Difficult topic for me to be involved in tbh. The levels of testing that can be done in respect of substitution and encryption are complex and I do believe that when we carried out certification to EN50136 this aspect was largely self declaration. Not ideal I would agree. As a company our core specialty is (and always has been) secure communications. Ever since we entered the market with the first IP based ATS back in 2005 we have been under the microscope from all aspects of the industry. So 128AES, key exchange, substitution protection etc etc are what we eat, sleep and breathe. In a separate topic I mentioned that we have had the ATS independently pen tested on multiple occasions; we would not have been successful in internet signalling within the financial sector & corporate space without. This level of testing was (as it should be) intense and incredibly thorough, carried out under NDA as well because we were almost at the level where we were talking about the core of the encryption and substitution techniques we developed.

That's the thing then - where the standards are weak, you and your customers have demanded that pen testing takes up the slack.

I have a blog, some of which is about alarm security and reverse engineering: http://cybergibbons.com/
cybergibbons (Author) Posted November 27, 2015

This is where I reported the issue to Santosh, and he responded, eventually.

I have a blog, some of which is about alarm security and reverse engineering: http://cybergibbons.com/
cybergibbons (Author) Posted November 29, 2015

55,000 views in a week, which isn't bad at all. Still very surprised at CSL's lack of response - Twitter and Google are not looking bright for them.

I have a blog, some of which is about alarm security and reverse engineering: http://cybergibbons.com/
cybergibbons (Author) Posted November 29, 2015

> But how many failures are known?

No idea - that's for CSL to answer. But they can't, because they don't have any way of detecting it.

I have a blog, some of which is about alarm security and reverse engineering: http://cybergibbons.com/
al-yeti Posted November 29, 2015

But surely there would be a record of failures where perhaps a burglary or fire took place and perhaps no signalling was sent? Regardless of CSL, it would show up with the Maintainer, no?
jimcarter Posted November 29, 2015

> But surely there would be a record of failures where perhaps a burglary or fire took place and perhaps no signalling was sent? Regardless of CSL, it would show up with the Maintainer, no?

That's irrelevant. The whole point of data security (or Security for that matter) is not simply what has occurred in the past, it's what can happen today or in the future. It's like insurance - if you didn't have it and you had an accident you'd soon get some... If you want to risk not having any and just hope it never happens... that's your lookout. We do happen to be in the Security Industry, don't we?

Jim Carter, WebWayOne Ltd, www.webwayone.co.uk