Nova-Security, posted November 24, 2015: I'd have thought that security on a security signalling device is pretty damn important. I thought it was a published standard, but it's mentioned in a post above about self certificate; this is where the whole industry falls down. [Signature: www.nova-security.co.uk www.nsiapproved.co.uk No PMs please unless I know you or you are using this board with your proper name.]
james.wilson, posted November 24, 2015: Quoting "But it's mentioned in a post above about self certificate; this is where the whole industry falls down.": Agreed. Quoting "What, and take your fun away, never!! I've stayed away from 'this' technology on purpose waiting for this day of reckoning. Whichever way you look at it, it'll only get worse, or more entertaining, before it gets better.": Stayed away from what technology? [Signature: securitywarehouse Security Supplies from Security Warehouse. Trade Members please contact us for your TSI vetted trade discount.]
al-yeti, posted November 24, 2015: I know this won't help, but realistically can't you just self-cert yourselves and no big deal? We need changes. We need a secured industry. We need quals. We need GF rights!
Dick, posted November 24, 2015: Quoting "Stayed away from what technology?": The whole 3rd party monitoring malarkey, the automated heating hardware, again with its fate largely decided by someone else and how good their security is. Alarm apps, another risky minefield. All rather sexy but undoubtedly a bigger risk than without.
james.wilson, posted November 24, 2015: Quoting "The whole 3rd party monitoring malarkey, the automated heating hardware, again with its fate largely decided by someone else and how good their security is. Alarm apps, another risky minefield. All rather sexy but undoubtedly a bigger risk than without.": So what do you use?
Dick, posted November 24, 2015: Quoting "So what do you use?": None of the above.
james.wilson, posted November 24, 2015: So what do you use?
Dick, posted November 24, 2015: Quoting "So what do you use?": What I use is irrelevant. What I don't use is all that matters to me. Let's hope Andrew can expose more insecure, shoddy security software peddlers to encourage/force them to clean up their act. Furthermore, it'd be good if self certification was made a thing of the past. I will be following with interest.
norman, posted November 24, 2015: Dialer, I guess. [Signature: Nothing is foolproof to a sufficiently talented fool.]
Nova-Security, posted November 25, 2015: Quoting "Dialer, I guess": Self certified, Grade 4.
cybergibbons (thread author), posted November 25, 2015: Quoting "Agreed" and "Stayed away from what technology?": Problem is, neither CSL nor Intertek are going to openly say "The CSL CS2300 board testing to EN50136 had some parts self declared, including the encryption and substitution protection". Testing the boards to the depth I tested them would cost between £10k and £20k. That's about one third of the cost of testing again. If you wanted the problems fixed, and needed in-depth advice, add another £5k at least. I don't know if WebWayOne want to pass comment on the self declared aspects of standards testing? Interestingly, since the research went live, two separate people have contacted me to talk about integrating the CSL protocol into panels. They were both shocked at how basic the protocol was, and how bad the documentation was. I'm still finding it odd how little has been said by CSL. The post has far exceeded the traffic generated by the Heatmiser vulnerabilities. [Signature: I have a blog, some of which is about alarm security and reverse engineering: http://cybergibbons.com/]
james.wilson, posted November 25, 2015: I would hope it was viewed as more than a heating controller. It's a bit more serious. I suppose at some point it will be taken up by mainstream media?
cybergibbons (thread author), posted November 25, 2015: The Guardian were going to run it, but then CSL claimed it was only 600 units. Not big enough.
BUSTER, posted November 25, 2015: CG, how old was the unit you tested? CSL upgraded lots of ours earlier this year. [Signature: Any comments / opinions posted are my opinion only and do not represent those of my employer or Company.]
james.wilson, posted November 25, 2015: Quoting "The Guardian were going to run it, but then CSL claimed it was only 600 units. Not big enough.": How would one verify that?
james.wilson, posted November 25, 2015: Are there any dates on the versions you have, or a list of firmware release dates?
cybergibbons (thread author), posted November 25, 2015: Quoting "CG, how old was the unit you tested? CSL upgraded lots of ours earlier this year.": Earliest 2009, latest 2013. What did they upgrade them to?
james.wilson, posted November 25, 2015: So 2013 firmware was in your report?
cybergibbons (thread author), posted November 25, 2015: Quoting "How would one verify that?": Almost impossible as a third party. As of April 2015, the latest firmware they had available for download suffered from these issues. They don't provide any release notes or changelog, so it's really hard to tell.
james.wilson, posted November 25, 2015: So as of April 2015 your findings are valid?
cybergibbons (thread author), posted November 25, 2015: Quoting "So 2013 firmware was in your report?": Firmware that was on a device installed 2013 was 2.5x. The latest on their site was 3.53, or 3.10 for UDL. This is the version number that flashes up as the board is booting. I'd be interested to hear about other versions of the firmware though. I have two DigiAirs now, so I am presently giving them a once over. Quoting "So as of April 2015 your findings are valid?": Unless CSL secretly deployed a later firmware version using programmers that no installers have, yes. If one of you still has a valid login to the CSL installer area, you could check what the latest firmware version is. Maybe ask them what the latest version is for the Gradeshift as well...
james.wilson, posted November 25, 2015: Be interesting if that's just 100 affected units? Can't agree that it's a round 600 units affected. That is imo bullsh1t. Is that grade 3 units, or Gradeshift grade 4? Most end users won't know, care or give one, as their insurer will come back on the maintainer. I wonder what the insurers think on this. As usual the insurers will ask for Dualcom plus.
cybergibbons (thread author), posted November 25, 2015: Quoting james.wilson's post above in full: I can't see any difference between the different units; certainly on the ones I have, the grade is just an option set in NVRAM. What is "Dualcom plus"? I've seen that in insurance docs, but it doesn't seem to line up with a product.
sixwheeledbeast, posted November 25, 2015: Quoting "I'd be interested to hear about other versions of the firmware though.": 3.77. Quoting "Is that grade 3 units, or Gradeshift grade 4?": It's still not clear, but they seem to be all the same hardware. You can buy spare units and program them to be whatever grade you need. Quoting "Most end users won't know, care or give one, as their insurer will come back on the maintainer.": Completely agree.
james.wilson, posted November 26, 2015: Surprised, as such maintainers will be liable, that it isn't a busier topic. My take is that I needed to remove them. Seems a lot of firms don't care that they are fitting very insecure devices.