Jump to content
Security Installer Community

Csl Dualcom Cs2300-R Vulnerabilities

cybergibbons

By cybergibbons
in Members Lounge (Public)

 Share

Recommended Posts

BUSTER Newbie

BUSTER

Posted
Posted

I am not in a position to verify if the above is right or wrong, I presume NSI will let us know in due course, does this apply to the latest units/firmware

Any comments / opinions posted are my opinion only and do not represent those of my employer or Company

Dick Newbie

Dick

Posted
Posted

The problem in that respect is, where does the liability fall

It has to be the manufacturer for allowing such inferior equipment to be released. Everyone else down the line has worked on trust.

  • Upvote 1
  • Downvote 1
al-yeti Mentor

al-yeti

Posted
Posted

Can't you loop the device somehow and prove it can be defeated , or are they fixed to point to a certain ip, why can't you mimic the ip and then try and defeat it, or you need the device to complete its data connection

Matrix stuff eh

james.wilson Mentor

james.wilson

Posted
Posted

It has to be the manufacturer for allowing such inferior equipment to be released. Everyone else down the line has worked on trust.

technically its down to installer as thats the final cert issued

Can't you loop the device somehow and prove it can be defeated , or are they fixed to point to a certain ip, why can't you mimic the ip and then try and defeat it, or you need the device to complete its data connection

Matrix stuff eh

if you 'test' systems like that then its a criminal offence, ie testing your system without permission.

But would you like to know you have an issue or just assume you dont cos it hasnt happened to you yet?

securitywarehouse Security Supplies from Security Warehouse

Trade Members please contact us for your TSI vetted trade discount.

cybergibbons Newbie

cybergibbons

Posted
  • Author
Posted

I am not in a position to verify if the above is right or wrong, I presume NSI will let us know in due course, does this apply to the latest units/firmware

Why not start asking CSL questions then? For whatever unit you use...

1. What encryption methods do your devices use?

2. How often do the keys get changed?

3. If there was a critical vulnerability and the firmware had to be updated, who pays the cost?

4. Have your systems been subject to a third-party pen-test?

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

al-yeti Mentor

al-yeti

Posted
Posted

Sorry I don't get it , CG has a card second hand , he can do what he wants as long as he doesn't connect to csl servers ?

cybergibbons Newbie

cybergibbons

Posted
  • Author
Posted

Can't you loop the device somehow and prove it can be defeated , or are they fixed to point to a certain ip, why can't you mimic the ip and then try and defeat it, or you need the device to complete its data connection

Matrix stuff eh

I've done the following:

* Built a simulator of the Dualcom DC4 IP server. This means I can make a board believe that it is communicating with the real server when it isn't really.

* Built a GPRS modem simulator to show the same thing can happen on the GPRS side.

Unfortunately, it seems that Dualcom (and others, like Saxondale and Cubit), seem to think that GPRS is secure. It isn't.

im assuming they have moved on from the units you tested.

Why don't people ask them if they have moved on?

The hardware looks the same. The people are the same. CSL themselves have admitted that they can't update the firmware on any units at all.

The formula has worked for them. Why spend money on security when no one is looking?

Sorry I don't get it , CG has a card second hand , he can do what he wants as long as he doesn't connect to csl servers ?

I can do what I want to the SPT, but to prove there are real issues, you need to show that you can either create fake alarms or spoof normal polling. Not possible without connecting to their servers.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.


×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept