matthew.brough Posted May 1, 2013 Share Posted May 1, 2013 Yeah. I got told to walk off a short plank with the chains of a big lawsuit around my ankles. I'll take up the offer of signalling equipment once my plate is clear, I have a lot on at the moment. Customer service at it's best I'm not Honeywell fan. Their kit malfunctioning and their subsiquent lack of response to address it has cost us dearly in 2 big customers and a lawsuit that followed. I thought you could publish this info as long as it was in journalistic interest www.securitywarehouse.co.uk/catalog/ Link to comment Share on other sites More sharing options...
cybergibbons Posted May 1, 2013 Author Share Posted May 1, 2013 I'm not sure I want to test it unfortunately. I do have someone willing to help with publishing stuff, I just need to make sure anything that is fact is presented as fact, and anything opinion is opinion.... I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Link to comment Share on other sites More sharing options...
matthew.brough Posted May 1, 2013 Share Posted May 1, 2013 I'm not sure I want to test it unfortunately. I do have someone willing to help with publishing stuff, I just need to make sure anything that is fact is presented as fact, and anything opinion is opinion.... I can understand that, especially with the deep pockets some of these companies have (which is what I think they rely on to mask some of their 'issues'. If it was me personally I'd do it but can understand why many wouldn't. www.securitywarehouse.co.uk/catalog/ Link to comment Share on other sites More sharing options...
Joe Harris Posted May 1, 2013 Share Posted May 1, 2013 Honeywell are entirely unwelcoming to reports of vulnerabilities. What has been their take on issues with their protocol? Their take is that they are right and everyone else is wrong. At least initially it is - they only change their mind when they realise that nobody is buying product. Link to comment Share on other sites More sharing options...
Joe Harris Posted May 1, 2013 Share Posted May 1, 2013 You would have thought by now that Honeywell were used to handling vulnerabilities To date they have been lucky as vulnerabilities have been disclosed ethically to them. Though in some cases they had over 3 months from disclosure to publishing and yet still haven't fixed the issue over 6 months later. Link to comment Share on other sites More sharing options...
matthew.brough Posted May 1, 2013 Share Posted May 1, 2013 You would have thought by now that Honeywell were used to handling vulnerabilities To date they have been lucky as vulnerabilities have been disclosed ethically to them. Though in some cases they had over 3 months from disclosure to publishing and yet still haven't fixed the issue over 6 months later. You think they will ever bother? My issue list didn't get resolved in 2 years, not even the critical ones. www.securitywarehouse.co.uk/catalog/ Link to comment Share on other sites More sharing options...
Joe Harris Posted May 1, 2013 Share Posted May 1, 2013 We were given a workaround followed by more unsuitable workarounds. It is only fair for me to point out that they did finally realise and fixed an issue we flagged properly within the firmware rather than through a workaround. Link to comment Share on other sites More sharing options...
matthew.brough Posted May 1, 2013 Share Posted May 1, 2013 We were given a workaround followed by more unsuitable workarounds. It is only fair for me to point out that they did finally realise and fixed an issue we flagged properly within the firmware rather than through a workaround. Lucky you . . . www.securitywarehouse.co.uk/catalog/ Link to comment Share on other sites More sharing options...
jimcarter Posted May 1, 2013 Share Posted May 1, 2013 We are happy to discuss our encryption and substitution protection with interested parties and have been independently tested not only by the BRE/LPCB, but also customers own IT and external penetration test houses. This has enabled us to sell our systems into banks and retailers. As encryption is part of our software protocol we see no reason not to offer this level of protection to any connection. Just picking up on what Chris has said here. The 3rd party penetration testing we carried out has been under non-disclosure and included sensitive information on how the system operates. They attempted attacks on both the SPT and the MCT, all unsuccessful. To truly meet Grade 4 levels of alarm transmission both substitution and encryption protection is mandatory on ALL communication paths. You cannot claim to meet Grade 4 if you do not adhere to these requirements and these are questions that should be asked of the the ATS provider. As Chris mentions, once these techniques are in place they may as well be deployed across all grades if system, it makes no sense not to. Jim Carter WebWayOne Ltd www.webwayone.co.uk Link to comment Share on other sites More sharing options...
cybergibbons Posted May 1, 2013 Author Share Posted May 1, 2013 Jim, Two things I pick up from that: 1. "sensitive information on how the system operates" is under NDA. If that information was disclosed, would it have material impact on the security of the system? I've seen NDAs breached before, and you've always got to think about what happens if you piss off an employee. 2. "once these techniques are in place they may as well be deployed across all grades if system, it makes no sense not to" - this is a brilliant attitude to have. I really don't think product differentiation should be the reasoning behind a grade 2 product being worse than a grade 4. I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.