Skip to content
View in the app

A better way to browse. Learn more.
Security Installer Community

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Csl's M2M Sim Registration Portal Database Leak

cybergibbons
in Members Lounge (Public)

Featured Replies

On 1st May this year, I found it was possible to dump the names, addresses, emails, usernames, and phone numbers of every single user of every single company who had registered on the CSL M2M SIM page. I did not push the investigation any further, but worse may have been visible.

 

http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/

 

If you would like to know if your company was one of the listed ones, I can check for you.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 
  • Replies 39
  • Views 30.1k
  • Created
  • Last Reply

I have been sent a free sample sim - I didn't register though, so I wonder if the same database is used for internal purposes (unlikely, but possible)

 

Have a look for 'Casa Security'...

So, I've decided to take my work back underground.... to stop it falling into the wrong hands

 

  • Author

I have been sent a free sample sim - I didn't register though, so I wonder if the same database is used for internal purposes (unlikely, but possible)

 

Have a look for 'Casa Security'...

 

Number 25, Bristol area?

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Should you wish to register...

 

IIRC it asks you if your co is already registered, 

I clicked yes & select postcode of a local co.

& it shows you who at that co, is already signed up

Mr th2.jpg Veritas God

  • Author

Should you wish to register...

 

IIRC it asks you if your co is already registered, 

I clicked yes & select postcode of a local co.

& it shows you who at that co, is already signed up

 

Yes - IMO it still leaks data that it shouldn't. The problem was before it used to send the client all of the data in the background. You couldn't see it in the plain, but it was sent.

There's only a few options here:

1. They haven't been pentested. You'd kind of think the biggest signalling provider in the UK would do it.

2. They have been pentested by someone incompetent. If they gave money to the people who developed apprentices4fs.com, this is plausible.

3. They have been pentested and ignored all of the findings.

Who knows?

FYI, on the 23rd November, the CSL Dualcom CS2300 report is being published.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

How about Alarming Company or Wakefield Security?

CG

what is pentested?

and whats the report on?

securitywarehouse Security Supplies from Security Warehouse

Trade Members please contact us for your TSI vetted trade discount.

He taps it with his pen to see what happens. It uses science and lasers and stuff.

Edited by petrolhead

  • Author

How about Alarming Company or Wakefield Security?

 

Fareham and Worthing? Both there.

CG

what is pentested?

and whats the report on?

 

Pentested means penentration testing, i.e. you get someone who knows how to hack to have a crack at your systems. I'd argue that even ARCs should be having them done (I've done a few now, and found a lot of problems, most easily fixed), but signalling providers with centralised receiving, like CSL and WebWayOne, should definitely be pentested.

The report is about the encryption and general security of the CSL CS2300 signalling units.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Number 25, Bristol area?

 

Marvellus innit?

So, I've decided to take my work back underground.... to stop it falling into the wrong hands

 

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

Recently Browsing 0

  • No registered users viewing this page.

Important Information

By using this site, you agree to our Terms of Use.

I accept

Account

Navigation

Search

Search

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.