As many of you know, I spent some time researching the CSL CS2300-R SPTs last year. I found a series of issues that I think are serious problems. CSL have had 17 months to deal with these issues, and after them dawdling, I opted for co-ordinated disclosure of the issues via CERT/CC.
CSL have had 45 days to respond to CERT/CC, and only did so on Friday with a statement that is largely spin and distraction.
In summary, the issues found:
- CSL have developed incredibly bad encryption, on a par with techniques state-of-the-art in the time before computers.
- CSL have not protected against substitution very well
- CSL can’t fix issues when they are found because they can’t update the firmware
- There seems to be a big gap between the observed behaviour of the CS2300-R boards and the standards
- It’s likely that the test house didn’t actually test the encryption or electronic security
- Even if a device adheres to the standard, it could still be full of holes
- CSL lack either the skill or the drive to develop secure systems, making mistake after mistake
Until CSL can demonstrate that their products are standards compliant and secure, I would advise not using them, especially for higher grades.