When CSL made their statement last Friday, it was noticeable that they didn’t actually claim that any of my report was false. To me, that implies that the content of the report is true.
CSL should be answering questions right now, but are maintaining silence.
If you are a big customer of CSL, I would be asking:
- What encryption methods do your new devices, the Gradeshift and DigiAir, use?
- How often are the keys changed on these devices?
- If there was a serious security issue requiring the firmware to be updated, who pays for it?
- Do these devices have SMS controls? If so, what is the PIN and how do I change it?
- Are any of the devices in my estate using the encryption mentioned in the report?
I suspect answers won’t be forthcoming.
Chris
November 24, 2015 at 10:52am
You're featured on elReg, well done, great work.
http://www.theregister.co.uk/2015/11/24/dualcom_cameras_vulnerability/
John
November 26, 2015 at 12:22pm
Their statement does say they've followed your advice, dude, and made fixes. Nice work. I suspect most installers are only going to give a damn, though, if a robber can use it as part of a heist. Not sure how them making a statement is maintaining silence. Nice to get a vendor that actually responds with fixes and not with ignorance.
cybergibbons
November 27, 2015 at 5:23pm
The problem is that fixing these issues still won't build a secure system, or a secure company.