CSL DualCom Unknown

Notified: October 26, 2015
Updated: November 20, 2015

Statement Date: November 04, 2015



Vendor Statement

Thank you for allowing us time to review the vulnerabilities disclosed in line with your vulnerability disclosure policy. This has given us time to provide consideration to the disclosure provided by Mr Tierney of Cybergibbons Ltd. He had made us aware of his intention to reverse engineer our product and whilst we offered to engage him on a consultancy basis he declined. We do welcome his findings and our advice to customers is as follows.

The product tested was a 6-year-old GPRS/IP Dualpath signalling unit. This testing was conducted in a lab environment that isn't representative of the threat model the product is designed to be implemented in line with. The Dualpath signalling unit is designed to be used as part of a physically secured environment with threat actors that would not be targeting the device but the assets of the device End User. DualCom units provide multiple communication paths between the Alarm Panel in the premises and the Alarm Receiving Centre (ARC). The objective is to ensure a greater chance of an alarm activation being received and acted upon by the ARC, Keyholder and/or Authorities.

No vulnerabilities were identified that could be exploited remotely via either the PSTN connectivity or GPRS connection, which significantly reduces the impact of the vulnerabilities identified. In addition, DualCom units, together with the CSL Gemini Platform, monitor these communication paths and alert the ARC should one or all of these paths not be available.

The price point for the DualCom unit is £200 / $350. CSL DualCom also have devices in their portfolio that are tamper resistant or tamper evident to enable customers to defend against more advanced or better funded threat actors. Customers are then able to spend on defence in line with the value of their assets. The product is certified to the required European Standard by an independent test authority.

As part of an on-going review of vulnerabilities we have enhanced our product testing to incorporate independent penetration testing in line with the product's threat model. If customers are concerned about the impact of these vulnerabilities, CSL are releasing a new product in May which addresses all of the areas highlighted. CSL products are not remotely patchable as we believe over-the-air updates could be susceptible to compromise by the very threat actors we are defending against. In relation to the website issues, CSL does not hold any sensitive information on these sites and there has been no data breach. However, we have taken the comments on board and have made several improvements as a result. We are committed to offering effective and reliable managed services at an affordable price and we will continue to do so. CSL are committed to working with the information security community and incorporating researchers' feedback into our product roadmap.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.