Security Installer Community


Isn't that 'Self Declared' bit the whole industry in general?

 

I think that is part of the problem, but to sell signalling devices in some places (Spain, at least), you need third-party testing.

The CS2300 has been tested:

https://twitter.com/CSLDualCom/status/486496083322093568

 

But, after speaking to the testing house, it is highly likely that the entire encryption and substitution protection bit is self-declared, even when third-party tested. Personally, I don't think that's made clear.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

If self certing is part of it what's the point of 3rd party certification?


On 1st May this year, I found it was possible to dump the names, addresses, emails, usernames, and phone numbers of every single user of every single company who had registered on the CSL M2M SIM page. I did not push the investigation any further, but worse may have been visible.

 

http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/

 

If you would like to know if your company was one of the listed ones, I can check for you.

 

Can you check if I'm on there Mercury Security Management?

If you're a CSL customer or have ever called them about *any* product I'd say it looks like you will be.

So, I've decided to take my work back underground.... to stop it falling into the wrong hands

 

What's the big deal it's all available anyway?

Well let's say Kev Hall appears on the list under his co's name,

At one time the site would have given out his email & password to those in the know.

If the same credentials are used elsewhere, that presents quite a risk?


Can you check if I'm on there Mercury Security Management?

 

Yes, Frank.

If self certing is part of it what's the point of 3rd party certification?

 

The point is that most people don't realise this, and it took quite a lot of work to arrange a meeting with the test house before I found this out.

So you have a cert and people think it means all of it was third-party tested.


If it's general info

I.e. phone number, email address being registered company anyway

What's the big deal it's all available anyway?

 

There are sole traders on there, who might not want their addresses out there. A lot of mobile numbers. Usernames - they should not be leaking.

It's also strongly indicative that they have done no security testing at all. This was found in under a minute of browsing their site. What else is there?

 

Also, it's a great tool for social engineering. And a great list of contacts for a competitor.

Edited by cybergibbons
