CSL DualCom GPRS CS2300-R alarm signalling boards, firmware versions v1.25 to v3.53, contain multiple vulnerabilties.
CSL DualCom GPRS CS2300-R alarm signalling boards are secure premises transmitters (SPT) that notify alarm receiving centers (ARC) when an alarm system is tripped. According to researcher Andrew Tierney, CS2300-R boards are vulnerable to signal spoofing and tampering due to the vendor's use of a weak communications protocol and proprietary encryption scheme. The vendor has generally disputed the researcher's findings with the following statement:
- As with all our products, this product has been certified as compliant to the required European standard EN-50136
CWE-255: Credentials Management - CVE-2015-7287
CS2300-R SPTs make use of a non-unique, default PIN code to restrict users from issuing remote commands via SMS. An attacker may use the default PIN to issue remote commands to vulnerable devices.
CWE-912: Hidden Functionality - CVE-2015-7288
CS2300-R SPTs contain multiple undocumented SMS commands that can be used to alter the configuration of devices.
The CVSS score reflects CVE-2015-7286.
A remote, unauthenticated attacker may be able to decrypt communications and spoof messages between SPTs and ARCs, resulting in denial of service, false alarms, suppressed alarms, and a general inability to trust communications bilaterally.
The CERT/CC is currently unaware of a practical solution to this problem. According to the researcher, hardware limitations may render a cryptographic solution difficult while maintaining current functionality. Note that the vendor has generally disputed the researcher's findings with the following statement:
Thanks to Andrew Tierney for reporting these vulnerabilities.
This document was written by Joel Land.