Jump to content
Security Installer Community

Csl's M2M Sim Registration Portal Database Leak

cybergibbons

By cybergibbons
in Members Lounge (Public)

 Share

Recommended Posts

cybergibbons Newbie

cybergibbons

Posted
Posted

On 1st May this year, I found it was possible to dump the names, addresses, emails, usernames, and phone numbers of every single user of every single company who had registered on the CSL M2M SIM page. I did not push the investigation any further, but worse may have been visible.

 

http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/

 

If you would like to know if your company was one of the listed ones, I can check for you.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Link to comment
Share on other sites
cybergibbons Newbie

cybergibbons

Posted
  • Author
Posted

I have been sent a free sample sim - I didn't register though, so I wonder if the same database is used for internal purposes (unlikely, but possible)

 

Have a look for 'Casa Security'...

 

Number 25, Bristol area?

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Link to comment
Share on other sites
cybergibbons Newbie

cybergibbons

Posted
  • Author
Posted

Should you wish to register...

 

IIRC it asks you if your co is already registered, 

I clicked yes & select postcode of a local co.

& it shows you who at that co, is already signed up

 

Yes - IMO it still leaks data that it shouldn't. The problem was before it used to send the client all of the data in the background. You couldn't see it in the plain, but it was sent.

There's only a few options here:

1. They haven't been pentested. You'd kind of think the biggest signalling provider in the UK would do it.

2. They have been pentested by someone incompetent. If they gave money to the people who developed apprentices4fs.com, this is plausible.

3. They have been pentested and ignored all of the findings.

Who knows?

FYI, on the 23rd November, the CSL Dualcom CS2300 report is being published.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Link to comment
Share on other sites
cybergibbons Newbie

cybergibbons

Posted
  • Author
Posted

How about Alarming Company or Wakefield Security?

 

Fareham and Worthing? Both there.

CG

what is pentested?

and whats the report on?

 

Pentested means penentration testing, i.e. you get someone who knows how to hack to have a crack at your systems. I'd argue that even ARCs should be having them done (I've done a few now, and found a lot of problems, most easily fixed), but signalling providers with centralised receiving, like CSL and WebWayOne, should definitely be pentested.

The report is about the encryption and general security of the CSL CS2300 signalling units.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept