Csl Dualcom Cs2300-R Vulnerabilities

[Dick]

There's plenty of input in the trade part of the forum.

Ah, OK. That's a pity those with an interest aren't allowed in but I get why not for the most part.

I think you are right and the focus should be back on the topic, unfortunately I have to remain rather cautious as the subject is a competitive service. 

 

CGs work is very good and has been endorsed not only by me but Texecom in a separate thread.

 

This is an extremely important topic and one that we (WebWayOne) take incredibly seriously, indeed we have argued at the standards committees that all communications should be at the highest level, no matter what the risk. It makes absolutely no sense to say "well its only low risk so we don't need to bother about security, its never happened before and probably never will".

 

That is insane. Because as Dick says, it may not be a security product that is hacked, it may be something simple to disrupt companies or peoples lives. 

 

We advocate (and deploy) AES encryption techniques at every level, it should be a standard requirement. Period.

 

The implications of a security breach or published weakness cannot be underestimated and if you cannot update your software remotely then the impact on the end user, installer etc are immense. Just look at the security updates you get for your PC, MAC or firewalls as an example. Imagine if Microsoft could not remotely update their software, there would be queues for miles outside PC world etc for updates. Hence we have always deployed flash upgradeable equipment.

Superb post, Jim, and one that should be replicated by other companies but sadly doesn't appear to be the case.

No, it really is just yourself.

Righto.

[al-yeti]

Head

[PeterJames]

Peter, the lack of any real input from installers on here has been noted and not just by myself. One point of CG's findings is that serious vulnerabilities can't be patched in some cases so keeping one step ahead of threats isn't going to happen. You may well have been in the industry since Noah but we are in 2015 now and facing a different kind of threat from, in some cases, kids younger than your favourite pair of socks who have more technical knowledge than most, if not all, any old school installer on how these things tick. You talk like a bigger cost option is definitely more secure than a cheaper device but maybe CG has more to come to dispel that belief.

Grade 3 security aside who wants their automation equipment being messed with as is happening now with things like central heating being turned up at daft hours by a hacker? Expecting proper secure coding isn't much to ask is it?

With regards to home automation hacking that would really be down to a suitable firewall

 

I think you have to see it from the everyone's point of view, I would like to think that most installers would use a decent bit of signalling kit to protect high risk property with value, and a signalling kit proportionate to the risk in all other cases. This is why we do a risk assessment, the value of the contents dictates the likeliness of the system being compromised. You have to also take into account that some inside information is needed before any attempt can be made, you have to know that the system you have hacked is the same property you are trying to break into, you also have to know there is not another form of signalling medium protecting the property. As yet I havent seen anyone compromise a system this way, just because it can be done does not necessarily mean that it will happen, in theory I could survive a bungy jump it doesn't mean I am going to do it (And yes I know millions do but there have been many killed despite safety checks)

[al-yeti]

These days it's hard for them to know if any signalling exists anyway , they will try it on if they really want your stuff

[cybergibbons]

It would be good if we could keep this on-topic if possible.

 

My personal feeling is that the risk here is not to individual properties unless they are very high value. I don't know what does the signalling when you get up to the highest values - most of the really at risk places have 24/7 guarding. Possibly some CNI stuff - certainly big substations are unmanned, but then they already have SCADA links in place and I would imagine alarm stuff goes over the same channels.

 

That said, I think we need to start thinking about attackers that aren't Billy Burglar. As PeterJames said, technical attacks on alarms by burglars are not yet happening.

 

I can think of other attacks though:

• Sending huge numbers of spoofed alarms, causing ARCs to be inundated and guarding services and police to be unable to respond. A great distraction whilst you do something like the Hatton Garden job.
• Bricking hundreds of alarms using UDL (because the UDL protocols behind signalling devices have poor security as well)
• Using a signalling device in a botnet to perform DDoS attacks or send email
• Using a signalling device as a pivot to attack a network

The last one is the one that really interests me. I've used DVRs to pivot into networks on pen-tests several times now. They are generally not secure and once I am on them, I can use them to attack the rest of the network. No one suspects these little devices of being malicious. Installers don't know networks so can't firewall or partition them. IT won't touch them because they are installer by a third party.

 

The current Dualcom boards can't be used as a pivot because they are physically incapable of it. I guess that is a saving grace.

 

I think we also need to look at the standards in more depth. The Dualcom boards I looked at are certified to be compliant, but there is no way that a competent third-party would certify them. What did CSL tell Intertek? Who messed up here?

 

The standard demands the encryption - it's planned for a technical attack.

Just to add - the installers here have generally been welcoming and positive about the work. But an installer who spends their time on a forum is probably one of the more involved and knowledgeable - it's the rest of them that need convincing!