Jump to content
Security Installer Community

Csl Dualcom Cs2300-R Vulnerabilities


Recommended Posts

Surprised as such maintainers will be liable that it isn't a busier topic. My take is that I needed to remove them. Seems a lot of firms don't care that they are fitting very insecure devices.

 

Nope ARC is liable as we subcontract the monitoring out.

www.nova-security.co.uk

www.nsiapproved.co.uk

No PMs please unless i know you or you are using this board with your proper name.

Link to comment
Share on other sites

Is that the number as reported when you turn the board on? Do you know when it was purchased?

Yep. No but it's new.

Im also surprised there hasn't been a response from csl on this. I was personally contacted after my videos of Dualcom vs, Redcare, vs webway.

Really? Was that the side by side catastrophic failure test?

Link to comment
Share on other sites

the vpn bit from what i read is very last mile. Its not end to end.

 

Plus i believe alarm delivery and polling are different routes so polling imo does not prove path availability for alarm transmission.

ie some use the same path end to end to poll and deliver alarms.

securitywarehouse Security Supplies from Security Warehouse

Trade Members please contact us for your TSI vetted trade discount.

Link to comment
Share on other sites

I don't know if WebWayOne want to pass comment on the self declared aspects of standards testing?

Difficult topic for me to be involved in tbh.

 

The levels of testing that can be done in respect of substitution and encryption are complex and I do believe that when we carried out certification to EN50136 this aspect was largely self declaration. Not ideal I would agree.

 

As a company our core specialty is (and always has been) secure communications. Ever since we entered the market with the first IP based ATS back in 2005 we have been under the microscope from all aspects of the industry. So 128AES, key exchange, substitution protection etc etc are what we eat sleep and breathe. 

 

In a separate topic I mentioned that we have had the ATS independently pen tested on multiple occasions, we would not have been successful in internet signalling within the financial sector & corporate space without. This level of testing was (as it should be) intense and incredibly thorough, carried out under NDA as well because we were almost at the level where we were talking about the core of the encryption and substitution techniques we developed.

Jim Carter

WebWayOne Ltd

www.webwayone.co.uk

Link to comment
Share on other sites

 

Thanks. That's interesting. I don't understand why it would take more than 10 minutes regardless of grade. I think the standard is a joke in this respect.

I spoke to my CSL rep yesterday who denied there site was hacked and also claimed any units tested were more than six years old and there units are completely secure.

 

As in, they denied this?

 

http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/

 

I have the emails from Santosh Chandorkar where we discussed it.

 

The units were old, but there is no evidence that the newer units don't suffer from the same issues.

the vpn bit from what i read is very last mile. Its not end to end.

 

Plus i believe alarm delivery and polling are different routes so polling imo does not prove path availability for alarm transmission.

ie some use the same path end to end to poll and deliver alarms.

 

As far as I can work out, the VPN is from the ARC to CSL. Certainly on the firmware I looked at there is no VPN functionality. The processors they use - the NEC 78K0R - are very small. They'd have to write the VPN software from the ground-up themselves. The way the latest firmware I have works, it just doesn't have room to do this.

 

The primary reason behind this is that the CS2300-R has been coded to deal with 4 different GRPS modems. The way this is done, it makes the code 4 times bigger in a lot of places. I'd estimate about 40% of the flash memory is taken up with this - there just is not room for a VPN client.

 

Possibly on later units, they have trimmed this out, allowing them to add functionality.

Difficult topic for me to be involved in tbh.

 

The levels of testing that can be done in respect of substitution and encryption are complex and I do believe that when we carried out certification to EN50136 this aspect was largely self declaration. Not ideal I would agree.

 

As a company our core specialty is (and always has been) secure communications. Ever since we entered the market with the first IP based ATS back in 2005 we have been under the microscope from all aspects of the industry. So 128AES, key exchange, substitution protection etc etc are what we eat sleep and breathe. 

 

In a separate topic I mentioned that we have had the ATS independently pen tested on multiple occasions, we would not have been successful in internet signalling within the financial sector & corporate space without. This level of testing was (as it should be) intense and incredibly thorough, carried out under NDA as well because we were almost at the level where we were talking about the core of the encryption and substitution techniques we developed.

 

That's the thing then - where the standards are weak, you and your customers have demanded that pen testing takes up the slack.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Link to comment
Share on other sites

But surely there would be a record of failures where perhaps a bulgary or fire took place and perhaps no signalling was sent ,regardless of csl it would show up with the Maintainer no?

That's irrelevant.

 

The whole point of data security (or Security for that matter) is not simply what has occurred in the past, it's what can happen today or in the future.

 

It's like insurance - if you didn't have it and you had an accident you'd soon get some...

 

If you want to risk not having any and just hope it never happens...that's your lookout.

 

We do happen to be in the Security Industry, don't we?

Jim Carter

WebWayOne Ltd

www.webwayone.co.uk

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.