Security Installer Community

CSL's M2M SIM Registration Portal Database Leak



Isn't that 'Self Declared' bit the whole industry in general?

 

I think that is part of the problem, but to sell signalling devices in some places (Spain, at least), you need third-party testing.

The CS2300 has been tested:

https://twitter.com/CSLDualCom/status/486496083322093568

 

But, after speaking to the testing house, it is highly likely that the entire encryption and substitution protection bit is self-declared, even when third-party tested. Personally, I don't think that's made clear.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 


On 1st May this year, I found it was possible to dump the names, addresses, emails, usernames, and phone numbers of every single user of every single company who had registered on the CSL M2M SIM page. I did not push the investigation any further, but worse may have been visible.

 

http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/

 

If you would like to know if your company was one of the listed ones, I can check for you.

 

Can you check if I'm on there Mercury Security Management?


What's the big deal it's all available anyway ?

Well, let's say Kev Hall appears on the list under his co's name,

At one time the site would have given out his email & password to those in the know.

If the same credentials are used elsewhere, that presents quite a risk?

Mr Veritas God


Can you check if I'm on there Mercury Security Management?

 

Yes, Frank.

If self certing is part of it what's the point of 3rd party certification?

 

The point is that most people don't realise this, and it took quite a lot of work to arrange a meeting with the test house before I found this out.

So you have a cert and people think it means all of it was third-party tested.


If it's general info

Ie phone number email address being registered company anyway

What's the big deal it's all available anyway ?

 

There are sole traders on there, who might not want their addresses out there. A lot of mobile numbers. Usernames - they should not be leaking.

It's also strongly indicative that they have done no security testing at all. This was found in under a minute of browsing their site. What else is there?

 

Also, it's a great tool for social engineering. And a great list of contacts for a competitor.

Edited by cybergibbons

