Vulnerability Note VU#428280

CSL DualCom GPRS CS2300-R alarm signalling boards contain multiple vulnerabilties

Original Release date: 23 Nov 2015 | Last revised: 23 Nov 2015

Overview

CSL DualCom GPRS CS2300-R alarm signalling boards, firmware versions v1.25 to v3.53, contain multiple vulnerabilties.

Description

CSL DualCom GPRS CS2300-R alarm signalling boards are secure premises transmitters (SPT) that notify alarm receiving centers (ARC) when an alarm system is tripped. According to researcher Andrew Tierney, CS2300-R boards are vulnerable to signal spoofing and tampering due to the vendor's use of a weak communications protocol and proprietary encryption scheme. The vendor has generally disputed the researcher's findings with the following statement:

    - As with all our products, this product has been certified as compliant to the required European standard EN-50136
    - Our internal review of the report concluded there is no threat to these systems


For the full vendor statement, refer to the Vendor Information section below.

For full details about the vulnerabilities and their discovery, refer to the researcher's disclosure.

CWE-287: Improper Authentication - CVE-2015-7285

Communications between CS2300-R SPTs and ARC polling servers are not mutually authenticated. Consequently, the SPT cannot confirm the authenticity of messages received from ARC servers. An attacker capable of performing man in the middle (MITM) attacks can spoof responses that will be accepted as valid by vulnerable SPTs.

CWE-327: Use of a Broken or Risky Cryptographic Algorithm - CVE-2015-7286

Communications between CS2300-R SPTs and ARC servers are encrypted using a proprietary encryption scheme. A number of issues are identified by the researcher by which messages can be decrypted or otherwise manipulated, resulting in denial of service, false alarms, suppressed alarms, and a general inability to trust communications bilaterally. Combined with the previously described lack of mutual authentication, a capable attacker may be able to bilaterally spoof or block any messages between endpoints.

Specifically, the following issues are described by the researcher:
  • the encryption algorithm is a polyalphabetic substitution cipher and subject to decryption via common cryptanalytic techniques
  • encryption keys (mapping tables for substitution) are hardcoded in the firmware and have not changed from v1.25 to v3.53
  • effective key length is very short
  • messages do not contain sequence numbers
  • messages do not make use of checksums or hashes
  • messages do not contain message authentication codes (MAC)
  • key material cannot be readily updated
  • sensitive SPT identification information can be obtained by capturing and analyzing single messages

CWE-255: Credentials Management - CVE-2015-7287

CS2300-R SPTs make use of a non-unique, default PIN code to restrict users from issuing remote commands via SMS. An attacker may use the default PIN to issue remote commands to vulnerable devices.

CWE-912: Hidden Functionality - CVE-2015-7288

CS2300-R SPTs contain multiple undocumented SMS commands that can be used to alter the configuration of devices.

The CVSS score reflects CVE-2015-7286.

Impact

A remote, unauthenticated attacker may be able to decrypt communications and spoof messages between SPTs and ARCs, resulting in denial of service, false alarms, suppressed alarms, and a general inability to trust communications bilaterally.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. According to the researcher, hardware limitations may render a cryptographic solution difficult while maintaining current functionality. Note that the vendor has generally disputed the researcher's findings with the following statement:

    - As with all our products, this product has been certified as compliant to the required European standard EN-50136
    - Our internal review of the report concluded there is no threat to these systems

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
CSL DualComUnknown26 Oct 201520 Nov 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal 8.0 E:POC/RL:U/RC:UR
Environmental 2.0 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Andrew Tierney for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.