British penetration tester Andrew Tierney says he has found dangerous vulnerabilities in network-connected alarm systems sold by the UK's self-proclaimed market leader CSL DualCom.
Tierney says the flaws, also reported by the US Government CERT Coordination Center, relate to "incredibly bad" encryption, clunky physical firmware updating requirements, alleged non-compliance with standards, and poor overall security design.
CSL has "generally disputed" the disclosure, according to CERT CC. The company has been contacted for comment.
Tierney gives the company a pasting in a vulnerability analysis in which he rebuts the vendor's assertions that the threats are either over-stated or not within the product risk model.
He says the CSL DualCom GPRS CS2300-R alarm signalling boards are open to signal spoofing and tampering thanks to a poor communications protocol and a roll-your-own crypto scheme.
The units alert alarm receiving centres when alarms are tripped.
"I cannot stress how bad this encryption is," Tierney says.
"Whoever developed it doesn’t even have basic knowledge of protocol design, never mind secure protocol design.
"I would expect this level of work to come from a short coursework from A-level IT students, not a security company."
The bugs, according to Tierney and CERT CC, include improper authentication (CVE-2015-7285), busted crypto (CVE-2015-7286), duplicate and default credentials (CVE-2015-7287), and an undocumented SMS command (CVE-2015-7288) that attackers could intercept to alter device configuration.
The penetration tester has written a 27-page report [PDF] on the flaws.
Tierney claims the company says more risk-averse customers can buy more expensive and better secured devices. ®