cybergibbons
Posts posted by cybergibbons
-
The ball is in CSL's court with that. They could let any pentesting company take a look at their systems and publish the report.
-
The law?
I can't actually do anything except passive observation. If I connect to CSL's servers, or actually interfere with the operation of another device, I have broken the law. Computer Misuse Act.
-
Who did they try to get your address from? I hear if you boil the horse's head it makes quite a pleasant soup.
Me. For "formal communications". Seems odd, as I am a business.
Why can't you test it further?
The law.
-
cg, what responses have you had from CSL regarding this?
They haven't communicated with me at all since they tried getting my home address 6 weeks ago.
It's a bit over my head, but can the unit be defeated in the field without access to the unit itself?
I believe it can, yes. Certainly the ones that use the IP path can be sniffed and spoofed with little trouble. The problem is that I can't push the boundaries any further to prove it.
The real point is that their systems have been designed and operated by people who very clearly are incompetent. If anyone has looked at their security, CSL have totally ignored any findings. God knows what else is there. If you aren't regulated by the law, it could be awful.
-
Wonder if the BSIA will get involved to assist one of their biggest members.
That's really no way to refer to Simon Banks.
-
The vulnerability note from CERT has now gone live:
-
Is the 2300 the board in grade 3 mode?
The only difference between the grades is the reporting time, as far as I can tell.
The encryption, the protocol, the lack of firmware updates etc. are the same regardless of grade.
-
As many of you know, I spent some time researching the CSL CS2300-R SPTs last year. I found a series of issues that I think are serious problems. CSL have had 17 months to deal with these issues, and after them dawdling, I opted for co-ordinated disclosure of the issues via CERT/CC.
CSL have had 45 days to respond to CERT/CC, and only did so on Friday with a statement that is largely spin and distraction.
In summary, the issues found:
- CSL have developed incredibly bad encryption, on a par with techniques that were state-of-the-art before computers.
- CSL have not protected against substitution very well
- CSL can’t fix issues when they are found because they can’t update the firmware
- There seems to be a big gap between the observed behaviour of the CS2300-R boards and the standards
- It’s likely that the test house didn’t actually test the encryption or electronic security
- Even if a device adheres to the standard, it could still be full of holes
- CSL either lack the skill or drive to develop secure systems, making mistake after mistake
Until CSL can demonstrate that their products are standards compliant and secure, I would advise not using them, especially for higher grades.
-
It really depends on what they're looking to do with it. For the simplest use case, I've used basic cloud cams. But you have to be very careful with these because of security issues, and also they don't record 24/7. But they're good for users with very simple needs. For more advanced, I've used Samsung a few times, but clients complained about the interface. Over the last year, I switched to Xanview which is super easy to use and reasonably priced for all of their features.
They bricked the Xanview Timebox I had because they thought I was hacking it.
-
The alarms I have don't allow it to be silenced, though some allow it to be turned down.
The first thing I do to most alarms that I am testing is rip the sounder off. Normally a small screwdriver under the plastic casing will do, then remove the piezo disc.
-
Most of the systems use 2-FSK, so pick a signal that approximately matches the bit-rate of that and toggle between the two.
So you end up with:
- FSK signal modulated at 9600Hz or something - this interferes with the signal itself
- Switch that on and off at 0.05s (i.e. 20Hz) - this stops the jamming detection being triggered, but is often enough to interfere. Might have to up the frequency a bit here for some systems.
The problem is that with the 2-way RF gear, they have two types of jamming detection:
1. Signal strength or RSSI based - this is what the standard describes and is all that 1-way can do.
2. Pings - send a message to detector, if it doesn't come back, get worried.
The Enforcer will almost certainly do both.
There's loads of interesting stuff you can do with jamming, but probably not for discussion in public.
-
The spec is any 31s out of 60s.
Drive a jammer with a 50% duty cycle, period of about 0.05s, and the jamming detection won't go off, but nothing will get through.
-
The one I've seen a few times is cheap baby monitors that transmit a continuous signal in 868MHz, they are quite obvious. But lots of other stuff is much harder to track down.
The standard says that for grade 1 and 2, it's 31s out of 60s to signal jamming, 3 and 4, 11s out of 20s. Many of them also detect if messages are dropped, but only if they have 2-way RF.
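An added example, not from the original posts: a small simulation of the two jamming-detection methods described in these posts, using the 31 s of 60 s and 11 s of 20 s windows exactly as stated, plus a 2-way reply check. The RSSI trace is constructed, and the sample rate, the -80 dBm threshold, the 5 s reply period and the three-miss limit are assumptions.

```python
SPS = 200  # constructed RSSI sample rate (200 samples/s); an assumption for the simulation

# Detection windows exactly as the post states them: (seconds of interference, within any window in seconds)
JAM_WINDOWS = {1: (31, 60), 2: (31, 60), 3: (11, 20), 4: (11, 20)}

def constructed_rssi(duration_s, on_s, off_s, jam_dbm=-40.0, floor_dbm=-100.0):
    """Constructed RSSI trace (not a measurement): interference present for on_s, absent for off_s, repeating."""
    on_n, cycle_n = round(on_s * SPS), round((on_s + off_s) * SPS)
    return [jam_dbm if i % cycle_n < on_n else floor_dbm
            for i in range(round(duration_s * SPS))]

def rssi_jam_detected(samples, grade, threshold_dbm=-80.0):
    """1-way (RSSI) detection: True once interference above threshold_dbm accumulates
    to the grade's required duration inside any sliding window."""
    need_s, window_s = JAM_WINDOWS[grade]
    need_n, window_n = need_s * SPS, window_s * SPS
    above = [s > threshold_dbm for s in samples]
    count = 0
    for i, hit in enumerate(above):
        count += hit
        if i >= window_n:              # drop the sample that just left the window
            count -= above[i - window_n]
        if count >= need_n:
            return True
    return False

def supervision_alarm(period_s, received_s, horizon_s, max_missed=3):
    """2-way (ping) detection: the panel expects a reply every period_s seconds and
    alarms once max_missed consecutive replies are absent (max_missed is an assumption)."""
    replies, j, missed = sorted(received_s), 0, 0
    for k in range(1, int(horizon_s // period_s) + 1):
        due, got = k * period_s, False
        while j < len(replies) and replies[j] <= due:   # any reply before the deadline counts
            got, j = True, j + 1
        missed = 0 if got else missed + 1
        if missed >= max_missed:
            return True
    return False

def evaluate(grade, on_s, off_s, replies_s):
    """Run both detectors over one constructed 60 s scenario."""
    trace = constructed_rssi(60, on_s, off_s)
    return {"rssi": rssi_jam_detected(trace, grade),
            "supervision": supervision_alarm(5, replies_s, 60)}

if __name__ == "__main__":
    print(evaluate(2, 60, 0, []))          # continuous interference, no replies: both detectors fire
    print(evaluate(2, 0.025, 0.025, []))   # on/off at the post's 0.05 s period: only the reply check fires
```

The second scenario is the case the posts describe: the RSSI window never fills, so a 1-way system sees nothing, while the 2-way reply check still raises an alarm.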
-
So best we have this bit of test gear generally. Is it something I could use and understand?
I think so. It's just setting a frequency range, and it does the rest of it pretty much automatically.
Problem is, once you've found there is another signal, what do you do?
-
A thing you plug into your computer; it receives a wide-ish bit of the spectrum (5MHz-100MHz, typically), and you can show it on your screen as a spectrum or waterfall:
http://nansupport.com/images/rfexplorer/heatmap-800x349.png
Difference between the RF Explorer and SDR is that the RF Explorer sweeps - starts at 858MHz and slowly goes up to 878MHz, whereas an SDR can receive the whole 20MHz instantly. Just means you can miss things.
-
https://www.coolcomponents.co.uk/rf-explorer-3g-combo.html
They are good for the money. Fragile though - the power switch and USB have broken on mine and it's always been taken care of.
It will pick up most accidental sources of jamming, but miss intentional ones because of the slow sweep speed. An SDR is better to pick up intentional jamming.
-
Yes - I have two of the recent SPTs.
The testing was basic, but nothing raised red flags. I couldn't just download the firmware and tear it apart, and none of the common failings were made.
-
Well, I personally wouldn't touch Videofied gear with a bargepole. That's being released 30/11 - they need to get a fix out.
-
That would be our CEO
Well, his own email rather than a generic one is on the list.
-
If it's general info,
i.e. phone number, email address, being a registered company anyway,
what's the big deal? It's all available anyway.
There are sole traders on there, who might not want their addresses out there. A lot of mobile numbers. Usernames - they should not be leaking.
It's also strongly indicative that they have done no security testing at all. This was found in under a minute of browsing their site. What else is there?
Also, it's a great tool for social engineering. And a great list of contacts for a competitor.
-
Can you check if I'm on there, Mercury Security Management?
Yes, Frank.
If self-certing is part of it, what's the point of 3rd party certification?
The point is that most people don't realise this, and it took quite a lot of work to arrange a meeting with the test house before I found this out.
So you have a cert and people think it means all of it was third-party tested.
-
Isn't that 'Self Declared' bit the whole industry in general?
I think that is part of the problem, but to sell signalling devices in some places (Spain, at least), you need third-party testing.
The CS2300 has been tested:
https://twitter.com/CSLDualCom/status/486496083322093568
But, after speaking to the testing house, it is highly likely that the entire encryption and substitution protection bit is self-declared, even when third-party tested. Personally, I don't think that's made clear.
-
I'm sure we can find one from the field, but surely a 2300 is a 2300?
Well, we'll see what CSL say when the report and vulns are released.
I'll be blunt - I've met with the standards bodies and they are not competent to test the encryption standards. It might be EN50136-1 certified, but the whole bit on encryption is very likely to be self-declared by the signalling provider.
Not sure if this wants splitting out?
-
Ah, I see, so I'm assuming that's all the grade shifts then?
Part Numbers
- CS 2200 DualCom GPRS G2 (+ SIM Card, NVM) and CS2058 box aerial.
- CS 2210 DualCom GPRS G2 (+ SIM Card, NVM) and CS2057 ext. aerial.
- CS 2300 As CS2200 but to Grade 3 standard
- CS 2310 As CS2210 but to Grade 3 standard
- CS 2400 As CS2200 but to Grade 4 standard
- CS 2410 As CS2210 but to Grade 4 standard
So here is a big part of the problem.
I have 13 boards marked CS2300, made between 2009 and 2013. Firmware version varies. They all suffer from the same issues.
CSL still sell the CS2300 boards marked GradeShift.
They say the ones I am testing are not used in the field. I can't see any way you can tell the difference.
Csl Dualcom Cs2300-R Vulnerabilities
in Members Lounge (Public)
Really depends on what they want to do. They can keep on with the smoke and mirrors, pitching themselves as "IoT poster boys", or they could actually start developing secure products.