EVL 4, DSC and lost installer code - hacking my own system

Information and support for EnvisaLink modules.

Moderators: EyezOnRich, GrandWizard

mikep
Posts: 131
Joined: Wed May 30, 2012 1:49 pm
Contact:

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby mikep » Fri Jan 11, 2019 4:05 pm

WPA2 is hackable, but not causally and the hacker needs to be local... personally I'm not a high value target so I don't loose much sleep over it - seems like a criminal with that skill would have bigger fish to fry.

Folks that port forward 4025 that need to be very cautious - I received a few requests for my DscKeypad app to remove the warning I have (which I refused), so I know some are doing it. A glance at my network logs tells me how constantly overseas hackers are trying to break in to my (and I'm sure everyone else's) router - an open port is a juicy target and a password isn't that much protection.

Password and lockouts are good things but what folks miss (because they're so used to it being otherwise) is that the envisalink is NOT using SSL/TLS - communication over the API is NOT encrypted. So the PINs and passwords are wide open to anything sniffing the network. Ok at home on WPA2 or using a VPN, but checking on the system from a coffee shop is asking for trouble...

Smith
Posts: 10
Joined: Thu Jan 03, 2019 7:12 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby Smith » Fri Jan 11, 2019 4:51 pm

mikep wrote:WPA2 is hackable, but not causally and the hacker needs to be local... personally I'm not a high value target so I don't loose much sleep over it - seems like a criminal with that skill would have bigger fish to fry.

Folks that port forward 4025 that need to be very cautious - I received a few requests for my DscKeypad app to remove the warning I have (which I refused), so I know some are doing it. A glance at my network logs tells me how constantly overseas hackers are trying to break in to my (and I'm sure everyone else's) router - an open port is a juicy target and a password isn't that much protection.

Password and lockouts are good things but what folks miss (because they're so used to it being otherwise) is that the envisalink is NOT using SSL/TLS - communication over the API is NOT encrypted. So the PINs and passwords are wide open to anything sniffing the network. Ok at home on WPA2 or using a VPN, but checking on the system from a coffee shop is asking for trouble...


I would imagine you should not expose anything to the internet. Many routers have built in VPN options.

Most router admin/config pages are not SSL/TLS either. I guess if someone manages to get in ..... then they're in.

I'm wondering if the communication between the cloud service and the EVL is encrypted. But OTOH maybe it doesn't matter, because I don't think there normally are any passwords flying over the wires in this traffic?

mikep
Posts: 131
Joined: Wed May 30, 2012 1:49 pm
Contact:

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby mikep » Sat Jan 12, 2019 1:05 pm

Agree, the best choice is nothing exposed, especially not the admin panel (even though is SSL capable I still use a VPN to get in). Right, outgoing is a big concern too. Most cloud devices are encrypted and I believe this includes envisalink, but I sure worry about the ownership and protection of the servers where those new, very inexpensive cameras and switches connect.

GrandWizard
Posts: 1812
Joined: Tue Nov 16, 2010 4:08 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby GrandWizard » Thu Jan 17, 2019 9:04 am

Smith wrote:I'm wondering if the communication between the cloud service and the EVL is encrypted. But OTOH maybe it doesn't matter, because I don't think there normally are any passwords flying over the wires in this traffic?


Yes the entire service is encrypted end-to-end. As MikeP points out, the local TPI was never intended to be used outside of the LAN because the Envisalink lacks TLS capability on the TPI.

Envisacor's new cloud API, due out shortly, is fully SSL with OAUTH2 authorization so I assume the need for the TPI in most applications will diminish.

Going back to the OP's original topic, I'm really surprised that DSC doesn't have a keypad lockout on the installers code like they do on regular users codes. I wonder if that is the same on newer panels.


Return to “EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)”

Who is online

Users browsing this forum: No registered users and 9 guests