cybergibbons Posted November 8, 2015

On 1st May this year, I found it was possible to dump the names, addresses, emails, usernames, and phone numbers of every single user of every single company who had registered on the CSL M2M SIM page. I did not push the investigation any further, but worse may have been visible.

http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/

If you would like to know if your company was one of the listed ones, I can check for you.

I have a blog, some of which is about alarm security and reverse engineering: http://cybergibbons.com/

datadiffusion Posted November 8, 2015

I have been sent a free sample sim - I didn't register though, so I wonder if the same database is used for internal purposes (unlikely, but possible)

Have a look for 'Casa Security'...

So, I've decided to take my work back underground.... to stop it falling into the wrong hands

cybergibbons Posted November 8, 2015

> I have been sent a free sample sim - I didn't register though, so I wonder if the same database is used for internal purposes (unlikely, but possible)
> Have a look for 'Casa Security'...

Number 25, Bristol area?

MrHappy Posted November 8, 2015

Should you wish to register... IIRC it asks you if your co is already registered, I clicked yes & select postcode of a local co. & it shows you who at that co, is already signed up

Mr Veritas God

cybergibbons Posted November 8, 2015

> Should you wish to register... IIRC it asks you if your co is already registered, I clicked yes & select postcode of a local co. & it shows you who at that co, is already signed up

Yes - IMO it still leaks data that it shouldn't. The problem was before it used to send the client all of the data in the background. You couldn't see it in the plain, but it was sent.

There's only a few options here:

1. They haven't been pentested. You'd kind of think the biggest signalling provider in the UK would do it.
2. They have been pentested by someone incompetent. If they gave money to the people who developed apprentices4fs.com, this is plausible.
3. They have been pentested and ignored all of the findings.

Who knows?

FYI, on the 23rd November, the CSL Dualcom CS2300 report is being published.

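The pattern described in the post above (the server sending the client every record "in the background" while the page only shows part of it) can be caught with a response-level regression check. This is an added example, not part of the original thread and not CSL's code; the record layout, function names and the choice of which fields the lookup step needs are all assumptions.

```python
import json

# Constructed sample records; every name and value here is made up.
USERS = [
    {"company": "Example Alarms Ltd", "postcode": "AB1 2CD", "name": "A. Installer",
     "email": "a@example.invalid", "username": "ainstaller",
     "phone": "01000 000001", "address": "1 Example Road"},
    {"company": "Sample Security", "postcode": "ZZ9 9ZZ", "name": "B. Engineer",
     "email": "b@example.invalid", "username": "bengineer",
     "phone": "01000 000002", "address": "2 Sample Street"},
]

# Assumption: the "is your company already registered?" step only needs these.
PUBLIC_FIELDS = {"company", "postcode"}
ALLOWED = PUBLIC_FIELDS | {"selected"}


def lookup_leaky(postcode):
    """'Before': ship every record and let the page hide what it does not show."""
    return json.dumps({"selected": postcode, "users": USERS})


def lookup_minimal(postcode):
    """'After': filter by postcode and project onto PUBLIC_FIELDS on the server."""
    wanted = postcode.replace(" ", "").upper()
    rows = [{k: u[k] for k in PUBLIC_FIELDS} for u in USERS
            if u["postcode"].replace(" ", "").upper() == wanted]
    return json.dumps({"selected": postcode, "companies": rows})


def excess_fields(body, allowed):
    """Walk a JSON response body and return the keys of values not in `allowed`."""
    found = set()

    def walk(node, key=None):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, k)
        elif isinstance(node, list):
            for item in node:
                walk(item, key)
        elif key not in allowed:
            found.add(key)

    walk(json.loads(body))
    return sorted(found)


if __name__ == "__main__":
    print(excess_fields(lookup_leaky("AB1 2CD"), ALLOWED))    # hidden PII fields
    print(excess_fields(lookup_minimal("ab12cd"), ALLOWED))   # nothing extra
```

Run against the raw response body rather than the rendered page, since the rendered page is exactly what hides the extra fields.
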
PeterJames Posted November 8, 2015

How about Alarming Company or Wakefield Security?

james.wilson Posted November 8, 2015

CG what is pentested? And what's the report on?

securitywarehouse Security Supplies from Security Warehouse. Trade Members please contact us for your TSI vetted trade discount.

petrolhead Posted November 8, 2015 (edited)

He taps it with his pen to see what happens.

It uses science and lasers and stuff.

Edited November 8, 2015 by petrolhead

cybergibbons Posted November 8, 2015

> How about Alarming Company or Wakefield Security?

Fareham and Worthing? Both there.

> CG what is pentested? And what's the report on?

Pentested means penetration testing, i.e. you get someone who knows how to hack to have a crack at your systems. I'd say that even ARCs should be having them done (I've done a few now, and found a lot of problems, most easily fixed), but signalling providers with centralised receiving, like CSL and WebWayOne, should definitely be pentested.

The report is about the encryption and general security of the CSL CS2300 signalling units.

datadiffusion Posted November 8, 2015

> Number 25, Bristol area?

Marvellus innit?

cybergibbons Posted November 8, 2015

I'm guessing none of you were contacted to tell you your data might have been leaked?

james.wilson Posted November 8, 2015

Looks like secure it all is there and don't use their sims

datadiffusion Posted November 8, 2015

Nope. Since I never registered, it's clear the bulk of the database is just a copy'n'paste of all existing customers?

cybergibbons Posted November 8, 2015

> Marvellus innit?

Yeah... you look like one of the ones that has very little info in there. But still there.

james.wilson Posted November 8, 2015

> Fareham and Worthing? Both there.
> Pentested means penetration testing, i.e. you get someone who knows how to hack to have a crack at your systems. I'd say that even ARCs should be having them done (I've done a few now, and found a lot of problems, most easily fixed), but signalling providers with centralised receiving, like CSL and WebWayOne, should definitely be pentested.
> The report is about the encryption and general security of the CSL CS2300 signalling units.

Ah I see, so I'm assuming that's all the grade shifts then?

Part Numbers
CS 2200 DualCom GPRS G2 (+ SIM Card, NVM) and CS2058 box aerial).
CS 2210 DualCom GPRS G2 (+ SIM Card, NVM) and CS2057 ext. aerial).
CS 2300 As CS2200 but to Grade 3 standard
CS 2310 As CS2210 but to Grade 3 standard
CS 2400 As CS2200 but to Grade 4 standard
CS 2410 As CS2210 but to Grade 4 standard

> I'm guessing none of you were contacted to tell you your data might have been leaked?

No

MrHappy Posted November 8, 2015

> I'm guessing none of you were contacted to tell you your data might have been leaked?

My details ain't on there.

I had a conversation with the Pyronix rep about the sim in the Enforcer home app demo kit. Looked in the Risco store, then looked at the CSL M2M website & played with postcodes. Didn't like something so never signed up.

cybergibbons Posted November 8, 2015

> Ah I see, so I'm assuming that's all the grade shifts then?
> Part Numbers
> CS 2200 DualCom GPRS G2 (+ SIM Card, NVM) and CS2058 box aerial).
> CS 2210 DualCom GPRS G2 (+ SIM Card, NVM) and CS2057 ext. aerial).
> CS 2300 As CS2200 but to Grade 3 standard
> CS 2310 As CS2210 but to Grade 3 standard
> CS 2400 As CS2200 but to Grade 4 standard
> CS 2410 As CS2210 but to Grade 4 standard
> No

So here is a big part of the problem.

I have 13 boards marked CS2300, made between 2009 and 2013. Firmware version varies. They all suffer from the same issues.

CSL still sell the CS2300 boards marked GradeShift. They say the ones I am testing are not used in the field. I can't see any way you tell the difference.

james.wilson Posted November 8, 2015

I'm sure we can find one from the field, but surely a 2300 is a 2300?

cybergibbons Posted November 8, 2015

> I'm sure we can find one from the field, but surely a 2300 is a 2300?

Well, we'll see what CSL say when the report and vulns are released.

I'll be blunt - I've met with the standards bodies and they are not competent to test the encryption standards. It might be EN50136-1 certified, but the whole bit on encryption is very likely to be self-declared by the signalling provider.

Not sure if this wants splitting out?

Nova-Security Posted November 8, 2015

> It might be EN50136-1 certified, but the whole bit on encryption is very likely to be self-declared by the signalling provider.

Isn't that 'Self Declared' bit the whole industry in general.

www.nova-security.co.uk www.nsiapproved.co.uk No PMs please unless I know you or you are using this board with your proper name.

cybergibbons Posted November 8, 2015

> Isn't that 'Self Declared' bit the whole industry in general.

I think that is part of the problem, but to sell signalling devices in some places (Spain, at least), you need third-party testing.

The CS2300 has been tested: https://twitter.com/CSLDualCom/status/486496083322093568

But, after speaking to the testing house, it is highly likely that the entire encryption and substitution protection bit is self-declared, even when third-party tested.

Personally, I don't think that's made clear.

james.wilson Posted November 8, 2015

If self certing is part of it what's the point of 3rd party certification?

Belfastengineer Posted November 8, 2015

> On 1st May this year, I found it was possible to dump the names, addresses, emails, usernames, and phone numbers of every single user of every single company who had registered on the CSL M2M SIM page. I did not push the investigation any further, but worse may have been visible.
> http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/
> If you would like to know if your company was one of the listed ones, I can check for you.

Can you check if I'm on there, Mercury Security Management?

datadiffusion Posted November 8, 2015

If you're a CSL customer or have ever called them about *any* product I'd say it looks like you will be.

al-yeti Posted November 8, 2015

If it's general info, i.e. phone number, email address, being registered company anyway

What's the big deal, it's all available anyway?