
Security Installer Community

CSL's M2M SIM Registration Portal Database Leak


  • Author

Isn't that 'Self Declared' bit the whole industry in general.

 

I think that is part of the problem, but to sell signalling devices in some places (Spain, at least), you need third-party testing.

The CS2300 has been tested:

https://twitter.com/CSLDualCom/status/486496083322093568

 

But, after speaking to the testing house, it is highly likely that the entire encryption and substitution protection bit is self-declared, even when third-party tested. Personally, I don't think that's made clear.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 


If self certing is part of it what's the point of 3rd party certification?


On 1st May this year, I found it was possible to dump the names, addresses, emails, usernames, and phone numbers of every single user of every single company who had registered on the CSL M2M SIM page. I did not push the investigation any further, but worse may have been visible.

 

http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/

 

If you would like to know if your company was one of the listed ones, I can check for you.

 

Can you check if I'm on there Mercury Security Management?

If you're a CSL customer or have ever called them about *any* product I'd say it looks like you will be.

So, I've decided to take my work back underground.... to stop it falling into the wrong hands

 

If it's general info

i.e. phone number, email address being registered company anyway

What's the big deal it's all available anyway ?

What's the big deal it's all available anyway ?

Well, let's say Kev Hall appears on the list under his co's name,

At one time the site would have given out his email & password to those in the know.

If the same credentials are used elsewhere, that presents quite a risk?


We just go into housing and building like you, get bigger cone cutters and you're done

Is CSL overall cheapest?

  • Author

Can you check if I'm on there Mercury Security Management?

 

Yes, Frank.

If self certing is part of it what's the point of 3rd party certification?

 

The point is that most people don't realise this, and it took quite a lot of work to arrange a meeting with the test house before I found this out.

So you have a cert and people think it means all of it was third-party tested.


 

 

 

  • Author

If it's general info

i.e. phone number, email address being registered company anyway

What's the big deal it's all available anyway ?

 

There are sole traders on there, who might not want their addresses out there. A lot of mobile numbers. Usernames - they should not be leaking.

It's also strongly indicative that they have done no security testing at all. This was found in under a minute of browsing their site. What else is there?

 

Also, it's a great tool for social engineering. And a great list of contacts for a competitor.

Edited by cybergibbons


 

 

 

Archived

This topic is now archived and is closed to further replies.
