Page 3 of 3

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Fri Jan 11, 2019 4:05 pm
by mikep
WPA2 is hackable, but not causally and the hacker needs to be local... personally I'm not a high value target so I don't loose much sleep over it - seems like a criminal with that skill would have bigger fish to fry.

Folks that port forward 4025 that need to be very cautious - I received a few requests for my DscKeypad app to remove the warning I have (which I refused), so I know some are doing it. A glance at my network logs tells me how constantly overseas hackers are trying to break in to my (and I'm sure everyone else's) router - an open port is a juicy target and a password isn't that much protection.

Password and lockouts are good things but what folks miss (because they're so used to it being otherwise) is that the envisalink is NOT using SSL/TLS - communication over the API is NOT encrypted. So the PINs and passwords are wide open to anything sniffing the network. Ok at home on WPA2 or using a VPN, but checking on the system from a coffee shop is asking for trouble...

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Fri Jan 11, 2019 4:51 pm
by Smith
mikep wrote:WPA2 is hackable, but not causally and the hacker needs to be local... personally I'm not a high value target so I don't loose much sleep over it - seems like a criminal with that skill would have bigger fish to fry.

Folks that port forward 4025 that need to be very cautious - I received a few requests for my DscKeypad app to remove the warning I have (which I refused), so I know some are doing it. A glance at my network logs tells me how constantly overseas hackers are trying to break in to my (and I'm sure everyone else's) router - an open port is a juicy target and a password isn't that much protection.

Password and lockouts are good things but what folks miss (because they're so used to it being otherwise) is that the envisalink is NOT using SSL/TLS - communication over the API is NOT encrypted. So the PINs and passwords are wide open to anything sniffing the network. Ok at home on WPA2 or using a VPN, but checking on the system from a coffee shop is asking for trouble...


I would imagine you should not expose anything to the internet. Many routers have built in VPN options.

Most router admin/config pages are not SSL/TLS either. I guess if someone manages to get in ..... then they're in.

I'm wondering if the communication between the cloud service and the EVL is encrypted. But OTOH maybe it doesn't matter, because I don't think there normally are any passwords flying over the wires in this traffic?

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Sat Jan 12, 2019 1:05 pm
by mikep
Agree, the best choice is nothing exposed, especially not the admin panel (even though is SSL capable I still use a VPN to get in). Right, outgoing is a big concern too. Most cloud devices are encrypted and I believe this includes envisalink, but I sure worry about the ownership and protection of the servers where those new, very inexpensive cameras and switches connect.

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Thu Jan 17, 2019 9:04 am
by GrandWizard
Smith wrote:I'm wondering if the communication between the cloud service and the EVL is encrypted. But OTOH maybe it doesn't matter, because I don't think there normally are any passwords flying over the wires in this traffic?


Yes the entire service is encrypted end-to-end. As MikeP points out, the local TPI was never intended to be used outside of the LAN because the Envisalink lacks TLS capability on the TPI.

Envisacor's new cloud API, due out shortly, is fully SSL with OAUTH2 authorization so I assume the need for the TPI in most applications will diminish.

Going back to the OP's original topic, I'm really surprised that DSC doesn't have a keypad lockout on the installers code like they do on regular users codes. I wonder if that is the same on newer panels.

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Wed Feb 06, 2019 5:42 am
by Smith
GrandWizard wrote:Yes the entire service is encrypted end-to-end. As MikeP points out, the local TPI was never intended to be used outside of the LAN because the Envisalink lacks TLS capability on the TPI. Envisacor's new cloud API, due out shortly, is fully SSL with OAUTH2 authorization so I assume the need for the TPI in most applications will diminish.


Hopefully the TPI does not get deprecated though, because I can see how it very well fits a need when bridging an existing home alarm system to other things in home automation. (Also for people who set up some more hack-ish solutions like me)

GrandWizard wrote:Going back to the OP's original topic, I'm really surprised that DSC doesn't have a keypad lockout on the installers code like they do on regular users codes. I wonder if that is the same on newer panels.


It's a good question. It's an old PC5015 panel as i wrote before (probably 20+ years old, also the firmware v1.05 is a lot earlier than the latest firmware googlable for the model, which seems to be v2.2).

What I am able to tell you, is that when I could finally see how the panel was configured, I found out that "invalid codes before lockout" was set to 001 and "keypad lockout duration" was set to 000. Perhaps these settings also affects installer's code attempts, not sure.

One way to find out is probably by trying wrong installer's codes on a throwaway panel, just to see what happens.

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Wed Mar 13, 2019 5:47 pm
by tcor26@aol.com
The attached 40-pin circuit board installer code discovery procedure worked for me on a DSC 1555MX panel with a PC5508Z Keypad to display the Installer Code.

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Mon Sep 02, 2019 9:59 pm
by syntxerr
Anyone have luck with the code? Mine seems to be crawling so slowly!

Panel is a PC1832 w/ expander, extra PSU PC5200 and wireless module 3G2060R

Also, not sure if this matters but when I run this, the keypad doesn't beep either?

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Tue Sep 10, 2019 12:39 am
by lyha
First of all I want to say thanks for posting the perl code.

I've been running the script on a PC1832 and it has been going slow for me as well. About 30 seconds per attempt, and no beeping at the keypad. I've been through 4000-9999 with no success, except for at 6666 (dummy installer code). I'll keep trying and report if I manage to crack it.

Re: EVL 4, DSC and lost installer code - hacking my own system

Posted: Tue Sep 10, 2019 11:02 pm
by lyha
SUCCESS!

I was on my last 2000 numbers and was losing faith but to my surprise I came home to the 'success' message! Huge thanks to Smith for starting this thread and the script. I was able to turn off the dialer and stop the communication error messages.