james.wilson Posted November 26, 2015 Share Posted November 26, 2015 Im also surprised there hasn't been a response from csl on this. I was personally contacted after my videos of Dualcom vs, Redcare, vs webway. Quote securitywarehouse Security Supplies from Security Warehouse Trade Members please contact us for your TSI vetted trade discount. Link to comment Share on other sites More sharing options...
Nova-Security Posted November 26, 2015 Share Posted November 26, 2015 Surprised as such maintainers will be liable that it isn't a busier topic. My take is that I needed to remove them. Seems a lot of firms don't care that they are fitting very insecure devices. Nope ARC is liable as we subcontract the monitoring out. Quote www.nova-security.co.uk www.nsiapproved.co.uk No PMs please unless i know you or you are using this board with your proper name. Link to comment Share on other sites More sharing options...
al-yeti Posted November 26, 2015 Share Posted November 26, 2015 Nope ARC is liable as we subcontract the monitoring out. How? Quote Link to comment Share on other sites More sharing options...
cybergibbons Posted November 26, 2015 Author Share Posted November 26, 2015 3.77 Is that the number as reported when you turn the board on? Do you know when it was purchased? Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Link to comment Share on other sites More sharing options...
cybergibbons Posted November 26, 2015 Author Share Posted November 26, 2015 I don't know why CSL haven't responded more robustly to it. Fundamentally, what I have published doesn't say the system is ruined. Surprised they haven't defended themselves better. Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Link to comment Share on other sites More sharing options...
sixwheeledbeast Posted November 26, 2015 Share Posted November 26, 2015 Is that the number as reported when you turn the board on? Do you know when it was purchased? Yep. No but it's new. Im also surprised there hasn't been a response from csl on this. I was personally contacted after my videos of Dualcom vs, Redcare, vs webway. Really? Was that the side by side catastrophic failure test? Quote Link to comment Share on other sites More sharing options...
james.wilson Posted November 26, 2015 Share Posted November 26, 2015 Really? Was that the side by side catastrophic failure test? yes Quote securitywarehouse Security Supplies from Security Warehouse Trade Members please contact us for your TSI vetted trade discount. Link to comment Share on other sites More sharing options...
cybergibbons Posted November 26, 2015 Author Share Posted November 26, 2015 Yep. No but it's new. Fancy dropping an email to CSL support asking for release notes or a changelog between 3.53 and 3.77? Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Link to comment Share on other sites More sharing options...
cybergibbons Posted November 26, 2015 Author Share Posted November 26, 2015 yes I missed this. Can you share it privately? Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Link to comment Share on other sites More sharing options...
james.wilson Posted November 26, 2015 Share Posted November 26, 2015 http://www.thesecurityinstaller.co.uk/community/topic/32716-dual-path-signalling-devices-dual-path-failure-reporting-times/ Quote securitywarehouse Security Supplies from Security Warehouse Trade Members please contact us for your TSI vetted trade discount. Link to comment Share on other sites More sharing options...
Belfastengineer Posted November 26, 2015 Share Posted November 26, 2015 I spoke to my CSL rep yesterday who denied there site was hacked and also claimed any units tested were more than six years old and there units are completely secure. Quote Link to comment Share on other sites More sharing options...
james.wilson Posted November 26, 2015 Share Posted November 26, 2015 the tests by cg cast doubt on that. Quote securitywarehouse Security Supplies from Security Warehouse Trade Members please contact us for your TSI vetted trade discount. Link to comment Share on other sites More sharing options...
Belfastengineer Posted November 26, 2015 Share Posted November 26, 2015 the tests by cg cast doubt on that. Agreed Got me thinking how secure is there VPNS into ARCS which support there UDL units are Quote Link to comment Share on other sites More sharing options...
james.wilson Posted November 26, 2015 Share Posted November 26, 2015 the vpn bit from what i read is very last mile. Its not end to end. Plus i believe alarm delivery and polling are different routes so polling imo does not prove path availability for alarm transmission. ie some use the same path end to end to poll and deliver alarms. Quote securitywarehouse Security Supplies from Security Warehouse Trade Members please contact us for your TSI vetted trade discount. Link to comment Share on other sites More sharing options...
james.wilson Posted November 26, 2015 Share Posted November 26, 2015 didnt know it was posted elsewhere http://www.diynot.com/diy/threads/csl-dualcom-cs2300-r-vulnerabilities.447125/ Quote securitywarehouse Security Supplies from Security Warehouse Trade Members please contact us for your TSI vetted trade discount. Link to comment Share on other sites More sharing options...
jimcarter Posted November 27, 2015 Share Posted November 27, 2015 I don't know if WebWayOne want to pass comment on the self declared aspects of standards testing? Difficult topic for me to be involved in tbh. The levels of testing that can be done in respect of substitution and encryption are complex and I do believe that when we carried out certification to EN50136 this aspect was largely self declaration. Not ideal I would agree. As a company our core specialty is (and always has been) secure communications. Ever since we entered the market with the first IP based ATS back in 2005 we have been under the microscope from all aspects of the industry. So 128AES, key exchange, substitution protection etc etc are what we eat sleep and breathe. In a separate topic I mentioned that we have had the ATS independently pen tested on multiple occasions, we would not have been successful in internet signalling within the financial sector & corporate space without. This level of testing was (as it should be) intense and incredibly thorough, carried out under NDA as well because we were almost at the level where we were talking about the core of the encryption and substitution techniques we developed. Quote Jim Carter WebWayOne Ltd www.webwayone.co.uk Link to comment Share on other sites More sharing options...
GalaxyGuy Posted November 27, 2015 Share Posted November 27, 2015 Featured on hackaday: http://hackaday.com/2015/11/26/hacker-uncovers-security-holes-at-csl-dualcom/ Quote Link to comment Share on other sites More sharing options...
al-yeti Posted November 27, 2015 Share Posted November 27, 2015 CSL Response http://cybergibbons.com/wp-content/uploads/2015/11/CSL_statement.txt Quote Link to comment Share on other sites More sharing options...
cybergibbons Posted November 27, 2015 Author Share Posted November 27, 2015 http://www.thesecurityinstaller.co.uk/community/topic/32716-dual-path-signalling-devices-dual-path-failure-reporting-times/ Thanks. That's interesting. I don't understand why it would take more than 10 minutes regardless of grade. I think the standard is a joke in this respect. I spoke to my CSL rep yesterday who denied there site was hacked and also claimed any units tested were more than six years old and there units are completely secure. As in, they denied this? http://cybergibbons.com/alarms-2/customer-database-leak-on-csl-dualcoms-sim-registration-portal/ I have the emails from Santosh Chandorkar where we discussed it. The units were old, but there is no evidence that the newer units don't suffer from the same issues. the vpn bit from what i read is very last mile. Its not end to end. Plus i believe alarm delivery and polling are different routes so polling imo does not prove path availability for alarm transmission. ie some use the same path end to end to poll and deliver alarms. As far as I can work out, the VPN is from the ARC to CSL. Certainly on the firmware I looked at there is no VPN functionality. The processors they use - the NEC 78K0R - are very small. They'd have to write the VPN software from the ground-up themselves. The way the latest firmware I have works, it just doesn't have room to do this. The primary reason behind this is that the CS2300-R has been coded to deal with 4 different GRPS modems. The way this is done, it makes the code 4 times bigger in a lot of places. I'd estimate about 40% of the flash memory is taken up with this - there just is not room for a VPN client. Possibly on later units, they have trimmed this out, allowing them to add functionality. Difficult topic for me to be involved in tbh. The levels of testing that can be done in respect of substitution and encryption are complex and I do believe that when we carried out certification to EN50136 this aspect was largely self declaration. Not ideal I would agree. As a company our core specialty is (and always has been) secure communications. Ever since we entered the market with the first IP based ATS back in 2005 we have been under the microscope from all aspects of the industry. So 128AES, key exchange, substitution protection etc etc are what we eat sleep and breathe. In a separate topic I mentioned that we have had the ATS independently pen tested on multiple occasions, we would not have been successful in internet signalling within the financial sector & corporate space without. This level of testing was (as it should be) intense and incredibly thorough, carried out under NDA as well because we were almost at the level where we were talking about the core of the encryption and substitution techniques we developed. That's the thing then - where the standards are weak, you and your customers have demanded that pen testing takes up the slack. Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Link to comment Share on other sites More sharing options...
cybergibbons Posted November 27, 2015 Author Share Posted November 27, 2015 This is where I reported the issue to Santosh, and he responded, eventually. Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Link to comment Share on other sites More sharing options...
cybergibbons Posted November 29, 2015 Author Share Posted November 29, 2015 55,000 views in a week, which isn't bad at all. Still very surprised as CSL's lack of response - Twitter and Google are not looking bright for them. Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Link to comment Share on other sites More sharing options...
al-yeti Posted November 29, 2015 Share Posted November 29, 2015 But how many failures are known? Quote Link to comment Share on other sites More sharing options...
cybergibbons Posted November 29, 2015 Author Share Posted November 29, 2015 But how many failures are known? No idea - that's for CSL to answer. But they can't, because they don't have any way of detecting it. Quote I have a blog, some of which is about alarm security and reverse engineering:http://cybergibbons.com/ Link to comment Share on other sites More sharing options...
al-yeti Posted November 29, 2015 Share Posted November 29, 2015 But surely there would be a record of failures where perhaps a bulgary or fire took place and perhaps no signalling was sent ,regardless of csl it would show up with the Maintainer no? Quote Link to comment Share on other sites More sharing options...
jimcarter Posted November 29, 2015 Share Posted November 29, 2015 But surely there would be a record of failures where perhaps a bulgary or fire took place and perhaps no signalling was sent ,regardless of csl it would show up with the Maintainer no? That's irrelevant. The whole point of data security (or Security for that matter) is not simply what has occurred in the past, it's what can happen today or in the future. It's like insurance - if you didn't have it and you had an accident you'd soon get some... If you want to risk not having any and just hope it never happens...that's your lookout. We do happen to be in the Security Industry, don't we? Quote Jim Carter WebWayOne Ltd www.webwayone.co.uk Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.