EVL 4, DSC and lost installer code - hacking my own system

Moderators: EyezOnRich, GrandWizard

mikep
Posts: 133
Joined: Wed May 30, 2012 1:49 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby mikep » Fri Jan 11, 2019 4:05 pm

WPA2 is hackable, but not casually and the hacker needs to be local... personally I'm not a high value target so I don't lose much sleep over it - seems like a criminal with that skill would have bigger fish to fry.

Folks that port forward 4025 need to be very cautious - I received a few requests for my DscKeypad app to remove the warning I have (which I refused), so I know some are doing it. A glance at my network logs tells me how constantly overseas hackers are trying to break in to my (and I'm sure everyone else's) router - an open port is a juicy target and a password isn't that much protection.

Password and lockouts are good things but what folks miss (because they're so used to it being otherwise) is that the envisalink is NOT using SSL/TLS - communication over the API is NOT encrypted. So the PINs and passwords are wide open to anything sniffing the network. Ok at home on WPA2 or using a VPN, but checking on the system from a coffee shop is asking for trouble...
DscServer for android/linux/windows: https://sites.google.com/site/mppsuite/dscserver

Smith
Posts: 11
Joined: Thu Jan 03, 2019 7:12 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby Smith » Fri Jan 11, 2019 4:51 pm

mikep wrote: WPA2 is hackable, but not casually and the hacker needs to be local... personally I'm not a high value target so I don't lose much sleep over it - seems like a criminal with that skill would have bigger fish to fry.

Folks that port forward 4025 need to be very cautious - I received a few requests for my DscKeypad app to remove the warning I have (which I refused), so I know some are doing it. A glance at my network logs tells me how constantly overseas hackers are trying to break in to my (and I'm sure everyone else's) router - an open port is a juicy target and a password isn't that much protection.

Password and lockouts are good things but what folks miss (because they're so used to it being otherwise) is that the envisalink is NOT using SSL/TLS - communication over the API is NOT encrypted. So the PINs and passwords are wide open to anything sniffing the network. Ok at home on WPA2 or using a VPN, but checking on the system from a coffee shop is asking for trouble...


I would imagine you should not expose anything to the internet. Many routers have built in VPN options.

Most router admin/config pages are not SSL/TLS either. I guess if someone manages to get in ..... then they're in.

I'm wondering if the communication between the cloud service and the EVL is encrypted. But OTOH maybe it doesn't matter, because I don't think there normally are any passwords flying over the wires in this traffic?

mikep
Posts: 133
Joined: Wed May 30, 2012 1:49 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby mikep » Sat Jan 12, 2019 1:05 pm

Agree, the best choice is nothing exposed, especially not the admin panel (even though it is SSL capable I still use a VPN to get in). Right, outgoing is a big concern too. Most cloud devices are encrypted and I believe this includes envisalink, but I sure worry about the ownership and protection of the servers where those new, very inexpensive cameras and switches connect.

GrandWizard
Posts: 1884
Joined: Tue Nov 16, 2010 4:08 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby GrandWizard » Thu Jan 17, 2019 9:04 am

Smith wrote: I'm wondering if the communication between the cloud service and the EVL is encrypted. But OTOH maybe it doesn't matter, because I don't think there normally are any passwords flying over the wires in this traffic?


Yes the entire service is encrypted end-to-end. As MikeP points out, the local TPI was never intended to be used outside of the LAN because the Envisalink lacks TLS capability on the TPI.

Envisacor's new cloud API, due out shortly, is fully SSL with OAUTH2 authorization so I assume the need for the TPI in most applications will diminish.

Going back to the OP's original topic, I'm really surprised that DSC doesn't have a keypad lockout on the installer's code like they do on regular users' codes. I wonder if that is the same on newer panels.

Smith
Posts: 11
Joined: Thu Jan 03, 2019 7:12 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby Smith » Wed Feb 06, 2019 5:42 am

GrandWizard wrote: Yes the entire service is encrypted end-to-end. As MikeP points out, the local TPI was never intended to be used outside of the LAN because the Envisalink lacks TLS capability on the TPI. Envisacor's new cloud API, due out shortly, is fully SSL with OAUTH2 authorization so I assume the need for the TPI in most applications will diminish.


Hopefully the TPI does not get deprecated though, because I can see how it very well fits a need when bridging an existing home alarm system to other things in home automation. (Also for people who set up some more hack-ish solutions like me)

GrandWizard wrote: Going back to the OP's original topic, I'm really surprised that DSC doesn't have a keypad lockout on the installer's code like they do on regular users' codes. I wonder if that is the same on newer panels.


It's a good question. It's an old PC5015 panel as I wrote before (probably 20+ years old, also the firmware v1.05 is a lot earlier than the latest firmware googlable for the model, which seems to be v2.2).

What I am able to tell you is that when I could finally see how the panel was configured, I found out that "invalid codes before lockout" was set to 001 and "keypad lockout duration" was set to 000. Perhaps these settings also affect installer's code attempts, not sure.

One way to find out is probably by trying wrong installer's codes on a throwaway panel, just to see what happens.

tcor26@aol.com
Posts: 1
Joined: Wed Mar 13, 2019 5:37 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby tcor26@aol.com » Wed Mar 13, 2019 5:47 pm

The attached 40-pin circuit board installer code discovery procedure worked for me on a DSC 1555MX panel with a PC5508Z Keypad to display the Installer Code.
Attachments
DSC Panel Reset Procedure-Installer Lockout On.pdf

syntxerr
Posts: 1
Joined: Mon Sep 02, 2019 8:15 pm

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby syntxerr » Mon Sep 02, 2019 9:59 pm

Anyone have luck with the code? Mine seems to be crawling so slowly!

Panel is a PC1832 w/ expander, extra PSU PC5200 and wireless module 3G2060R

Also, not sure if this matters but when I run this, the keypad doesn't beep either?

lyha
Posts: 2
Joined: Tue Sep 10, 2019 12:34 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby lyha » Tue Sep 10, 2019 12:39 am

First of all I want to say thanks for posting the perl code.

I've been running the script on a PC1832 and it has been going slow for me as well. About 30 seconds per attempt, and no beeping at the keypad. I've been through 4000-9999 with no success, except for at 6666 (dummy installer code). I'll keep trying and report if I manage to crack it.

lyha
Posts: 2
Joined: Tue Sep 10, 2019 12:34 am

Re: EVL 4, DSC and lost installer code - hacking my own system

Postby lyha » Tue Sep 10, 2019 11:02 pm

SUCCESS!

I was on my last 2000 numbers and was losing faith but to my surprise I came home to the 'success' message! Huge thanks to Smith for starting this thread and the script. I was able to turn off the dialer and stop the communication error messages.

