CERT/CC Vulnerability Note VU#428280

Overview

CSL DualCom GPRS CS2300-R alarm signalling boards, firmware versions v1.25 to v3.53, contain multiple vulnerabilties.

Description

CSL DualCom GPRS CS2300-R alarm signalling boards are secure premises transmitters (SPT) that notify alarm receiving centers (ARC) when an alarm system is tripped. According to researcher Andrew Tierney, CS2300-R boards are vulnerable to signal spoofing and tampering due to the vendor's use of a weak communications protocol and proprietary encryption scheme. The vendor has generally disputed the researcher's findings with the following statement:

- As with all our products, this product has been certified as compliant to the required European standard EN-50136
- Our internal review of the report concluded there is no threat to these systems

For the full vendor statement, refer to the Vendor Information section below.

For full details about the vulnerabilities and their discovery, refer to the researcher's disclosure.

CWE-287: Improper Authentication - CVE-2015-7285

Communications between CS2300-R SPTs and ARC polling servers are not mutually authenticated. Consequently, the SPT cannot confirm the authenticity of messages received from ARC servers. An attacker capable of performing man in the middle (MITM) attacks can spoof responses that will be accepted as valid by vulnerable SPTs.

CWE-327: Use of a Broken or Risky Cryptographic Algorithm - CVE-2015-7286

Communications between CS2300-R SPTs and ARC servers are encrypted using a proprietary encryption scheme. A number of issues are identified by the researcher by which messages can be decrypted or otherwise manipulated, resulting in denial of service, false alarms, suppressed alarms, and a general inability to trust communications bilaterally. Combined with the previously described lack of mutual authentication, a capable attacker may be able to bilaterally spoof or block any messages between endpoints.

Specifically, the following issues are described by the researcher:

the encryption algorithm is a polyalphabetic substitution cipher and subject to decryption via common cryptanalytic techniques
encryption keys (mapping tables for substitution) are hardcoded in the firmware and have not changed from v1.25 to v3.53
effective key length is very short
messages do not contain sequence numbers
messages do not make use of checksums or hashes
messages do not contain message authentication codes (MAC)
key material cannot be readily updated
sensitive SPT identification information can be obtained by capturing and analyzing single messages

CWE-255: Credentials Management - CVE-2015-7287

CS2300-R SPTs make use of a non-unique, default PIN code to restrict users from issuing remote commands via SMS. An attacker may use the default PIN to issue remote commands to vulnerable devices.

CWE-912: Hidden Functionality - CVE-2015-7288

CS2300-R SPTs contain multiple undocumented SMS commands that can be used to alter the configuration of devices.

The CVSS score reflects CVE-2015-7286.

Impact

A remote, unauthenticated attacker may be able to decrypt communications and spoof messages between SPTs and ARCs, resulting in denial of service, false alarms, suppressed alarms, and a general inability to trust communications bilaterally.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. According to the researcher, hardware limitations may render a cryptographic solution difficult while maintaining current functionality. Note that the vendor has generally disputed the researcher's findings with the following statement:

- As with all our products, this product has been certified as compliant to the required European standard EN-50136
- Our internal review of the report concluded there is no threat to these systems

Vendor Information

428280

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

CSL DualCom Unknown

Notified: October 26, 2015 Updated: November 20, 2015

Statement Date: November 04, 2015

Status

Unknown

Vendor Statement

Thank you for allowing us time to review the vulnerabilities disclosed in line with your vulnerability disclosure policy. This has given us time to provide consideration to the disclosure provided by Mr Tierney of Cybergibbons ltd. He had made us aware of his intention to reverse engineer our product and whilst we offered to engage him on a consultancy basis he declined. We do welcome his findings and our advice to customers is as follows.

The product tested was a 6 year old GPRS/IP Dualpath signalling unit. This testing was conducted in a lab environment that isn’t representative of the threat model the product is designed to be implemented in line with. The Dualpath signalling unit is designed to be used as part of a physically secured environment with threat actors that would not be targeting the device but the assets of the device End User.
DualCom units provide multiple communication paths between the Alarm Panel in the premises and the Alarm Receiving Centre (ARC). The objective is to ensure a greater chance of an alarm activation being received and acted upon by the ARC, Keyholder and/or Authorities
No vulnerabilities were identified that could be exploited remotely via either the PSTN connectivity or GPRS connection which significantly reduces the impact of the vulnerabilities identified.
In addition DualCom units, together with CSL Gemini Platform, monitor these communication paths and alert the ARC should one or all of these paths not be available.
The price point for the DualCom unit is 򣈀 / $350. CSL DualCom also have devices in their portfolio that are tamper resistant or tamper evident to enable customers to defend against more advanced or better funded threat actors. Customers are then able to spend on defence in line with the value of their assets.

The product is certified to the required European Standard by an independent test authority. As part of an on-going review of vulnerabilities we have enhanced our product testing to incorporate independent penetration testing in line with the product’s threat model.

If customers are concerned about the impact of these vulnerabilities CSL are releasing a new product in May which addresses all of the areas highlighted. CSL products are not remotely patchable as we believe over the air updates could be susceptible to compromise by the very threat actors we are defending against.

In relation to the website issues, CSL does not hold any sensitive information on these sites and there has been no data breach. However, we have taken the comments on board and have made several improvements as a result.

We are committed to offering effective and reliable managed services at an affordable price and we will continue to do so. CSL are committed to working with the information security community and incorporating researcher’s feedback into our product roadmap.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base	9.3	AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal	8	E:POC/RL:U/RC:UR
Environmental	2.0	CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Andrew Tierney for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs:	CVE-2015-7285, CVE-2015-7286, CVE-2015-7287, CVE-2015-7288
Date Public:	2015-11-23
Date First Published:	2015-11-23
Date Last Updated:	2015-11-23 14:30 UTC
Document Revision:	29

Software Engineering Institute

CERT Coordination Center

CSL DualCom GPRS CS2300-R alarm signalling boards contain multiple vulnerabilties

Vulnerability Note VU#428280

Overview

Description

Impact

Solution

Vendor Information

CSL DualCom Unknown

Status

Vendor Statement

Vendor Information

CVSS Metrics

References

Acknowledgements

Other Information

Contact CERT/CC