Why have I removed all the CSL Dualcom posts?

Update: the full report into the issues I found with the CS2300-R boards has been published.

Update: The posts are being republished November 2015.

As part of my reverse engineering of the CSL Dualcom alarm signalling boards, I have uncovered some issues that I would classify as vulnerabilities. I have recently informed CSL Dualcom about one the issues, alongside tweeting some rather unexpected findings about the encryption used.

In response to this, CSL Dualcom have requested that I remove the blog posts and tweets until I meet with them. I have decided, out of courtesy, to hide the posts for now. This is not an admission of any wrong doing, censorship of my posts, or response to legal threats.

As always, my approach to vulnerability disclosure is to follow the model of responsible disclosure. As this is an embedded system with a very large deployment, it would only be reasonable to have an extended period for the vendor to respond.

2 thoughts on “Why have I removed all the CSL Dualcom posts?

  1. Permalink  ⋅ Reply


    May 8, 2014 at 8:28pm

    Good to hear they didn’t try threatening you – from my reading, companies that do that tend to be the ones that hide the bugs rather than fix them. Hopefully your efforts are going to result in some good upgrades to the kit 🙂

Leave a Reply

Your email will not be published. Name and Email fields are required.

This site uses Akismet to reduce spam. Learn how your comment data is processed.