norman
Posted November 29, 2015

I don't think any historic failures are irrelevant, a lot can be learned from them surely?

Nothing is foolproof to a sufficiently talented fool.

jimcarter
Posted November 29, 2015

> I don't think any historic failures are irrelevant, a lot can be learned from them surely?

In the context of this thread, yes, pretty irrelevant. But if you didn't know there was an issue with your security, then yes, it would be useful but a pretty painful experience and the repercussions would be acute.

Jim Carter
WebWayOne Ltd
www.webwayone.co.uk

cybergibbons (Author)
Posted November 29, 2015

> But surely there would be a record of failures where perhaps a burglary or fire took place and perhaps no signalling was sent, regardless of csl it would show up with the Maintainer no?

A fair number of installers have reported them not working though.

http://www.diynot.com/diy/threads/csl-dualcom-cs2300-r-vulnerabilities.447125/#post-3514570

That's not the first person who has said this.

Looking at their protocol, maybe I missed something more obvious - if the unit sends an alarm, and then goes back to normal, all you need to do is stop that signal getting through. There is no sequence number at all, no end-to-end acknowledgement.

> I don't think any historic failures are irrelevant, a lot can be learned from them surely?

Rob Evans, when he called me to ask me to take down the initial reverse engineering posts, specifically mentioned a case where a Dualcom unit had failed to send a panic alarm, and the shop owner had been injured. I wouldn't want that to happen if I released my research?

I think CSL may not be letting on how many failures they have.

I have a blog, some of which is about alarm security and reverse engineering: http://cybergibbons.com/

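The post above names two missing controls: a sequence number and an end-to-end acknowledgement. The following Python example is added here for illustration and is not code from the thread or from any vendor's protocol; the frame layout, key, event names and class names are all constructed assumptions. It shows how the two controls together make a suppressed alarm visible to both the receiving centre and the alarm unit.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key"  # assumption: per-device shared secret

def frame(seq, event, key=KEY):
    """4-byte big-endian sequence number + event text + HMAC-SHA256 tag."""
    body = struct.pack(">I", seq) + event.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Receiving centre: verifies tags, tracks sequence numbers, records gaps."""
    def __init__(self, key=KEY):
        self.key, self.last_seq, self.missing = key, 0, []
    def accept(self, msg):
        body, tag = msg[:-32], msg[-32:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(body) < 4 or not hmac.compare_digest(tag, good):
            return None                      # forged or corrupted: never acknowledged
        seq = struct.unpack(">I", body[:4])[0]
        if seq in self.missing:
            self.missing.remove(seq)         # late retransmission fills the gap
        elif seq > self.last_seq:
            self.missing.extend(range(self.last_seq + 1, seq))  # skipped numbers
            self.last_seq = seq
        else:
            return None                      # replay of an already-seen number
        return frame(seq, "ACK", self.key)   # acknowledgement bound to this seq

class Sender:
    """Alarm unit: keeps every frame until the receiver's ACK for it arrives."""
    def __init__(self, key=KEY):
        self.key, self.seq, self.unacked = key, 0, {}
    def send(self, event):
        self.seq += 1
        self.unacked[self.seq] = frame(self.seq, event, self.key)
        return self.unacked[self.seq]
    def on_ack(self, ack):
        for seq in list(self.unacked):
            if ack and hmac.compare_digest(ack, frame(seq, "ACK", self.key)):
                del self.unacked[seq]

def demo():
    tx, rx = Sender(), Receiver()
    tx.on_ack(rx.accept(tx.send("POLL")))      # seq 1 delivered and acknowledged
    tx.send("PANIC ALARM")                     # seq 2 never reaches the receiver
    tx.on_ack(rx.accept(tx.send("RESTORE")))   # seq 3 delivered
    return list(rx.missing), sorted(tx.unacked)  # both sides know seq 2 is lost
```
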
al-yeti
Posted November 29, 2015

That probably goes for many manufacturers, they can't really prove failures when "hacked" if that's the right word to use

Historical is relevant in the sense of see what has occurred and was not reported,

Although it seems programming can cause those issues by the house basher, and then you don't get the correct alarms sent through anyway!

james.wilson
Posted November 29, 2015

Al this is imo far more serious than anyone getting the pins wrong. Anyone has the right to assume what they fit will do the job and won't be compromised.

Grade 2 who cares it's low risk. G3 and above is different. I'm interested in nova's comment that the loss would be down to the arc, I don't see that as the arc didn't certify compliance the installer does. We assume the chain complies when the cert is issued.

I'm seriously concerned about this and like the VW thing doubt it's just one.

al-yeti
Posted November 29, 2015 (edited November 29, 2015 by al-yeti)

No doubt it's serious

But nothing is being proven that it will fall over or could be compromised except on particular units

I'd say they're staying quiet while they perform their own tests and find a way to patch it if it's at all true

But nothing will be fool proof, all software and ip connections will have weaknesses

Come on back to pstn?

CG this is right up your street should have given them heads up!

http://www.bbc.co.uk/news/technology-34944140

james.wilson
Posted November 29, 2015

Al the units tested are gprs pstn. If you think pstn is secure then I'd suggest you look at the dtmf protocol.

Question. Would you fit gear with a security question mark over it?

norman
Posted November 30, 2015

The loss would only be down to the ARC if they failed to action, not receiving, or receiving false data in the first place exonerates them imo

Nothing is foolproof to a sufficiently talented fool.

jimcarter
Posted November 30, 2015

> No doubt it's serious
> But nothing is being proven that it will fall over or could be compromised except on particular units
> But nothing will be fool proof, all software and ip connections will have weaknesses
> Come on back to pstn?

Any time you begin to communicate and you have sensitive data to transmit there is a requirement for encryption. It does not matter whether it's the written word, the wireless radio (the Enigma machines from WW2), encrypted telephone links between governments or your bank transactions, and yes, Alarm Transmission.

You may say "well they broke the Enigma code" but you have to remember the hours, weeks, years that went into that and part of the key to cracking this was the fact that the Germans were transmitting a set pattern of data with every transmission (the weather reports). In basic terms, they gave away the key to their encryption through predictable messaging. What is equally if not more important, was keeping the fact that the code was broken from them, so that they could be fed misinformation.

So no, PSTN, (or back to Pigeons if you like!), is not the answer. Getting the encryption technique right is, and it's a basic requirement. If communications security is compromised, then everything that is current or went before is at risk until a new form of encryption is deployed, and in modern communications that means a software update.

Jim Carter
WebWayOne Ltd
www.webwayone.co.uk

al-yeti
Posted November 30, 2015

> Al the units tested are gprs pstn. If you think pstn is secure then I'd suggest you look at the dtmf protocol.
> Question. Would you fit gear with a security question mark over it?

Of course, remember the old dtmf trick? Little keypad etc for accessing services