Jump to content
Security Installer Community

Csl Dualcom Cs2300-R Vulnerabilities


Recommended Posts

I think that's too much of a sweeping statement.

An opinion you're entitled to.

 

If your line of expertise is not important then your view may be taken as much the same, without some form of clarification to the guys who post on this forum would you not think?

Indeed it may, Jim, but It doesn't alter the findings or my opinions on the very same.

Just curious, you seem quite angry and defensive probably work related I guess?

Not angry or defensive in the slightest. Why on earth you'd come to that conclusion is beyond me. I'm merely saying it as I see it because I don't have to pretend all is well in the world of security like some of you guys obviously are.

  • Downvote 1
Link to comment
Share on other sites

Yes we're so convinced everything is alright, the hate is just palpable through the screen towards Cybergibbons, we definately don't want him here and certainly don't encourage him to post his findings on here...

So, I've decided to take my work back underground.... to stop it falling into the wrong hands

 

Link to comment
Share on other sites

Angry.

I suppose if you can't manage a decent post on CG's findings something is better than nothing. His findings have no bearing on me whatsoever but I note them with interest, nothing more. When it comes to security I'm an end user so evaluating the information is important should I go a particular route. However, the results haven't come as a total surprise, the level of incompetence on the other hand has though.
  • Downvote 1
Link to comment
Share on other sites

 I don't have to pretend all is well in the world of security like some of you guys obviously are.

None of us are pretending anything, there has been and all ways will be ways around security systems, so long as the kit is one step ahead of the type of burglar expected then whats to worry about?  I understand that there are vulnerabilities with some of the signalling options available, but I also understand the risk and anyone with any real intelligence are unlikely to want to risk their freedom for low value. On the other hand if something is worth protecting then its worth protecting properly that means understanding the risk. I have been in this industry for over 25 years now and I cant think of a burglary where any real technical intelligence has been used. Though I have seen many clever burglaries in my time

  • Upvote 3
Link to comment
Share on other sites

None of us are pretending anything, there has been and all ways will be ways around security systems, so long as the kit is one step ahead of the type of burglar expected then whats to worry about?  I understand that there are vulnerabilities with some of the signalling options available, but I also understand the risk and anyone with any real intelligence are unlikely to want to risk their freedom for low value. On the other hand if something is worth protecting then its worth protecting properly that means understanding the risk. I have been in this industry for over 25 years now and I cant think of a burglary where any real technical intelligence has been used. Though I have seen many clever burglaries in my time

Peter, the lack of any real input from installers on here has been noted and not just by myself. One point of CG's findings is that serious vulnerabilities can't be patched in some cases so keeping one step ahead of threats isn't going to happen. You may well have been in the industry since Noah but we are in 2015 now and facing a different kind of threat from, in some cases, kids younger than your favourite pair of socks who have more technical knowledge than most, if not all, any old school installer on how these things tick. You talk like a bigger cost option is definitely more secure than a cheaper device but maybe CG has more to come to dispel that belief.

Grade 3 security aside who wants their automation equipment being messed with as is happening now with things like central heating being turned up at daft hours by a hacker? Expecting proper secure coding isn't much to ask is it?

  • Downvote 1
Link to comment
Share on other sites

Peter, the lack of any real input from installers on here has been noted and not just by myself. One point of CG's findings is that serious vulnerabilities can't be patched in some cases so keeping one step ahead of threats isn't going to happen. You may well have been in the industry since Noah but we are in 2015 now and facing a different kind of threat from, in some cases, kids younger than your favourite pair of socks who have more technical knowledge than most, if not all, any old school installer on how these things tick. You talk like a bigger cost option is definitely more secure than a cheaper device but maybe CG has more to come to dispel that belief.

Grade 3 security aside who wants their automation equipment being messed with as is happening now with things like central heating being turned up at daft hours by a hacker? Expecting proper secure coding isn't much to ask is it?

Why not just tell em your a house basher who dabbles with diallers, but to be a pro house basher like me you got to realise customers will rarley use outputs on them

So although I am a hard core house basher, monitoring is not my business model , house bashing is just wack a dialled in with the odd one paying for a gsm as well

Off topic hkc needs a free basic app lol

Edited by al-yeti
Link to comment
Share on other sites

Why not just tell em your a house basher who dabbles with diallers, but to be a pro house basher like me you got to realise customers will rarley use outputs on them

So although I am a hard core house basher, monitoring is not my business model , house bashing is just wack a dialled in with the odd one paying for a gsm as well

Off topic hkc needs a free basic app lol

Just like every village has one, a forum does too and it is never that long before they appear.
  • Downvote 1
Link to comment
Share on other sites

Seriously, shouldn't you guys be asking about CG's findings rather than trying to play Give us a Clue with me?

I think you are right and the focus should be back on the topic, unfortunately I have to remain rather cautious as the subject is a competitive service. 

 

CGs work is very good and has been endorsed not only by me but Texecom in a separate thread.

 

This is an extremely important topic and one that we (WebWayOne) take incredibly seriously, indeed we have argued at the standards committees that all communications should be at the highest level, no matter what the risk. It makes absolutely no sense to say "well its only low risk so we don't need to bother about security, its never happened before and probably never will".

 

That is insane. Because as Dick says, it may not be a security product that is hacked, it may be something simple to disrupt companies or peoples lives. 

 

We advocate (and deploy) AES encryption techniques at every level, it should be a standard requirement. Period.

 

The implications of a security breach or published weakness cannot be underestimated and if you cannot update your software remotely then the impact on the end user, installer etc are immense. Just look at the security updates you get for your PC, MAC or firewalls as an example. Imagine if Microsoft could not remotely update their software, there would be queues for miles outside PC world etc for updates. Hence we have always deployed flash upgradeable equipment.

Jim Carter

WebWayOne Ltd

www.webwayone.co.uk

Link to comment
Share on other sites

There's plenty of input in the trade part of the forum.

Ah, OK. That's a pity those with an interest aren't allowed in but I get why not for the most part.

I think you are right and the focus should be back on the topic, unfortunately I have to remain rather cautious as the subject is a competitive service. 

 

CGs work is very good and has been endorsed not only by me but Texecom in a separate thread.

 

This is an extremely important topic and one that we (WebWayOne) take incredibly seriously, indeed we have argued at the standards committees that all communications should be at the highest level, no matter what the risk. It makes absolutely no sense to say "well its only low risk so we don't need to bother about security, its never happened before and probably never will".

 

That is insane. Because as Dick says, it may not be a security product that is hacked, it may be something simple to disrupt companies or peoples lives. 

 

We advocate (and deploy) AES encryption techniques at every level, it should be a standard requirement. Period.

 

The implications of a security breach or published weakness cannot be underestimated and if you cannot update your software remotely then the impact on the end user, installer etc are immense. Just look at the security updates you get for your PC, MAC or firewalls as an example. Imagine if Microsoft could not remotely update their software, there would be queues for miles outside PC world etc for updates. Hence we have always deployed flash upgradeable equipment.

Superb post, Jim, and one that should be replicated by other companies but sadly doesn't appear to be the case.

No, it really is just yourself.

Righto.

Link to comment
Share on other sites

Peter, the lack of any real input from installers on here has been noted and not just by myself. One point of CG's findings is that serious vulnerabilities can't be patched in some cases so keeping one step ahead of threats isn't going to happen. You may well have been in the industry since Noah but we are in 2015 now and facing a different kind of threat from, in some cases, kids younger than your favourite pair of socks who have more technical knowledge than most, if not all, any old school installer on how these things tick. You talk like a bigger cost option is definitely more secure than a cheaper device but maybe CG has more to come to dispel that belief.

Grade 3 security aside who wants their automation equipment being messed with as is happening now with things like central heating being turned up at daft hours by a hacker? Expecting proper secure coding isn't much to ask is it?

With regards to home automation hacking that would really be down to a suitable firewall

 

I think you have to see it from the everyone's point of view, I would like to think that most installers would use a decent bit of signalling kit to protect high risk property with value, and a signalling kit proportionate to the risk in all other cases. This is why we do a risk assessment, the value of the contents dictates the likeliness of the system being compromised. You have to also take into account that some inside information is needed before any attempt can be made, you have to know that the system you have hacked is the same property you are trying to break into, you also have to know there is not another form of signalling medium protecting the property. As yet I havent seen anyone compromise a system this way, just because it can be done does not necessarily mean that it will happen, in theory I could survive a bungy jump it doesn't mean I am going to do it (And yes I know millions do but there have been many killed despite safety checks)

Link to comment
Share on other sites

It would be good if we could keep this on-topic if possible.

 

My personal feeling is that the risk here is not to individual properties unless they are very high value. I don't know what does the signalling when you get up to the highest values - most of the really at risk places have 24/7 guarding. Possibly some CNI stuff - certainly big substations are unmanned, but then they already have SCADA links in place and I would imagine alarm stuff goes over the same channels.

 

That said, I think we need to start thinking about attackers that aren't Billy Burglar. As PeterJames said, technical attacks on alarms by burglars are not yet happening.

 

I can think of other attacks though:

  • Sending huge numbers of spoofed alarms, causing ARCs to be inundated and guarding services and police to be unable to respond. A great distraction whilst you do something like the Hatton Garden job.
  • Bricking hundreds of alarms using UDL (because the UDL protocols behind signalling devices have poor security as well)
  • Using a signalling device in a botnet to perform DDoS attacks or send email
  • Using a signalling device as a pivot to attack a network

The last one is the one that really interests me. I've used DVRs to pivot into networks on pen-tests several times now. They are generally not secure and once I am on them, I can use them to attack the rest of the network. No one suspects these little devices of being malicious. Installers don't know networks so can't firewall or partition them. IT won't touch them because they are installer by a third party.

 

The current Dualcom boards can't be used as a pivot because they are physically incapable of it. I guess that is a saving grace.

 

I think we also need to look at the standards in more depth. The Dualcom boards I looked at are certified to be compliant, but there is no way that a competent third-party would certify them. What did CSL tell Intertek? Who messed up here?

 

The standard demands the encryption - it's planned for a technical attack.


Just to add - the installers here have generally been welcoming and positive about the work. But an installer who spends their time on a forum is probably one of the more involved and knowledgeable - it's the rest of them that need convincing!

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.