CSL Dualcom CS2300-R vulnerabilities

As many of you know, I spent some time researching the CSL CS2300-R SPTs last year. I found a series of issues that I think are serious problems. CSL have had 17 months to deal with these issues, and after them dawdling, I opted for co-ordinated disclosure of the issues via CERT/CC.

CSL have had 45 days to respond to CERT/CC, and only did so on Friday with a statement that is largely spin and distraction.

In summary, the issues found:
  1. CSL have developed incredibly bad encryption, on a par with techniques state-of-the-art in the time before computers.
  2. CSL have not protected against substitution very well
  3. CSL can’t fix issues when they are found because they can’t update the firmware
  4. There seems to be a big gap between the observed behaviour of the CS2300-R boards and the standards
  5. It’s likely that the test house didn’t actually test the encryption or electronic security
  6. Even if a device adheres to the standard, it could still be full of holes
  7. CSL either lack the skill or drive to develop secure systems, making mistake after mistake
I have written a blog post detailing these issues, which also links to the full PDF report.

Until CSL can demonstrate that their products are standards compliant and secure, I would advise not using them, especially for higher grades.
 
Anyone had this sort of problem with CS2300-R, goodness knows how many were/are out there?

No. 6. From reading SGs link I thought he did not have the Standards to check against because this information is restricted, so what is he going on about?

Bet almost anything electronic on the market 'has holes' and if it meets the Standards ................

Get the Standards changed

The CS2300-R has been around long enough for 'his' problems to arise, anyone?
 
> Anyone had this sort of problem with CS2300-R, goodness knows how many were/are out there?

No one had a problem with the HeartBleed OpenSSL bug until it was discovered. Things change. The CSL Dualcom products are so far behind the curve that it's not funny.

> No. 6. From reading SGs link I thought he did not have the Standards to check against because this information is restricted, so what is he going on about?

4, 5 and 6 concern the standards. I'm not sure why you don't think I have the standards, given that there are multiple excerpts in the blog post and PDF.

> Bet almost anything electronic on the market 'has holes' and if it meets the Standards ................

Yes, everything can have issues. That's why anyone who has any sense has their security designed by someone competent, pen-tested by someone competent, and allows for updates to be made. Not one of their devices allows firmware updates.

> Get the Standards changed

That is what I am pushing for. Unfortunately, it's just an old-boys club. It's easier to use market pressure.

> The CS2300-R has been around long enough for 'his' problems to arise, anyone?

CSL disclosed to me at a meeting that the units don't always work. They have no idea why.
 
Let us wait until this evening to see what other comments are made.

I apologise for my mistake.
 
Can be any less secure than fast format or sia which has been out since the eighties.....
 
We had trouble with some DualComs simply not working - activations of alarms didn't go through to the ARC. That's one of the reasons why we stopped installing new ones.

Did anyone get a problem (other than the line faults) when the Redcare Secure system went down for a couple of hours on Tuesday? Were there any "lucky burglars" that caught this window?

Let's face it - there's no foolproof 24/7 communication system of any sort out there. Even satellite systems drop out sometimes.
 
Or was it the ARC? A few years ago had a break-in not come up at the ARC... In panel log comms successful and the call logged in the phone system... The ARC had to pay out, some issue at the ARC...
 
> Can be any less secure than fast format or sia which has been out since the eighties.....

No - and many systems do send those over the Internet, totally in the open. I guess the difference is that they are known to be insecure and the level of threat is generally much lower.
 
> We had trouble with some DualComs simply not working - activations of alarms didn't go through to the ARC. That's one of the reasons why we stopped installing new ones.

You aren't the only person who has mentioned this being an issue. Looking at the protocol and architecture, it just doesn't allow for things to be truly reliable - there is no end-to-end acknowledgement of the messages.

There's also this (that I only found out about today):
http://www.thesecurityinstaller.co....ng-devices-dual-path-failure-reporting-times/

5 hours to report both paths failing? Ouch.

> Did anyone get a problem (other than the line faults) when the Redcare Secure system went down for a couple of hours on Tuesday? Were there any "lucky burglars" that caught this window?

Part of the issue here is you need to inform people a system is down, but you'd best hope there is no one malicious being informed!

> Let's face it - there's no foolproof 24/7 communication system of any sort out there. Even satellite systems drop out sometimes.

No, there isn't, but you can certainly do better than CSL have.
 
> Let's face it - there's no foolproof 24/7 communication system of any sort out there. Even satellite systems drop out sometimes.

True but detection of a failure in the comms system is simple to detect and raise local alarms when it happens. If any security system loses communications such that it cannot report an alarm situation then alarms must be raised.

Sending a regular test "Are you there" and checking for a reply "Yes I am here" is simple to set up. If no reply then a local alarm is generated to heighten security at the protected location.
 
Nothing is 100% secure, it's a case of some things are more secure than others.

If the data is intercepted, altered etc. it relies on the hacker knowing what they have, if it's worth stealing and having a team to do it.

If a poll doesn't get to an ARC the alarm is raised (should be raised).

In general a burglar isn't likely to know a whole system is down unless they took it down, and if that's the case they must have a target in mind and know what security and reporting measures it has.

If a lot of effort is put in then the rewards should be great to make it worthwhile?

As for both paths going down, how likely is that, assuming they are using separate technologies to do the comms?
 
> Yes Bernard, it's called polling, it's been happening since the eighties! Lol

Yes I know, even before the 80's. I was designing polling into systems in the 70's. Equipment operating in the 60's had polling as well.

But so many system designers today seem to consider it an unnecessary extra burden considering that communications are so very secure.
 
> Nothing is 100% secure, it's a case of some things are more secure than others.
>
> If the data is intercepted, altered etc. it relies on the hacker knowing what they have, if it's worth stealing and having a team to do it.
>
> If a poll doesn't get to an ARC the alarm is raised (should be raised).
>
> In general a burglar isn't likely to know a whole system is down unless they took it down, and if that's the case they must have a target in mind and know what security and reporting measures it has.
>
> If a lot of effort is put in then the rewards should be great to make it worthwhile?
>
> As for both paths going down, how likely is that, assuming they are using separate technologies to do the comms?

I can't really comment on the actual threats from physical intruders that are seen day-to-day. But the signalling market and the standards dictate that the encryption must be there. It doesn't appear to be.

In my opinion, there are other threats. A denial-of-service attack across an entire signalling system could be really harmful.

The attacks I suggest don't need two paths taking down. You spoof one, the other won't ever get used.
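
The "Are you there" / "Yes I am here" polling described earlier in the thread, combined with the point about a substituted path, as an added example that is not part of any post and is not CSL's protocol: the reply is a MAC over a fresh nonce, so a recorded or substituted reply counts the same as a missed poll. The shared key, message label, threshold and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)   # assumption: per-device secret held by both ends
MAX_MISSED = 3                  # assumption: consecutive failed polls before alarming

def answer_poll(key, nonce):
    """Responder side: prove liveness by MACing the poller's fresh nonce."""
    return hmac.new(key, b"poll-reply" + nonce, hashlib.sha256).digest()

class PollSupervisor:
    """Poller side: issues challenges and decides when to raise the alarm."""

    def __init__(self, key, max_missed=MAX_MISSED):
        self.key = key
        self.max_missed = max_missed
        self.missed = 0
        self.pending = None

    def new_poll(self):
        # A fresh random nonce per poll makes a previously recorded reply useless.
        self.pending = secrets.token_bytes(16)
        return self.pending

    def receive(self, reply):
        """reply is the received bytes, or None on timeout. True means raise alarm."""
        expected = answer_poll(self.key, self.pending) if self.pending else None
        ok = (reply is not None and expected is not None
              and hmac.compare_digest(reply, expected))
        self.pending = None                      # each nonce is accepted at most once
        self.missed = 0 if ok else self.missed + 1
        return self.missed >= self.max_missed

def run_demo():
    """Constructed scenario: one genuine reply, then the same reply replayed."""
    sup = PollSupervisor(KEY)
    genuine = answer_poll(KEY, sup.new_poll())
    results = [sup.receive(genuine)]             # genuine reply: no alarm
    for _ in range(3):                           # path substituted: old reply replayed
        sup.new_poll()
        results.append(sup.receive(genuine))
    return results

if __name__ == "__main__":
    print(run_demo())
```

A fixed "Yes I am here" string would pass every one of these polls; with the nonce-bound MAC the replayed reply fails verification and the alarm is raised on the third consecutive failure.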
 
