A few weeks ago, ADT replaced my legacy DSC panel with a new Qolsys IQ Panel 2, which I was not too thrilled about as I had built an ESP8266 to interface to the keybus using https://github.com/taligentx/dscKeybusInterface. I knew that I would lose my integration but hoped to find a way to integrate in the future with Home Assistant.
While reading through the Qolsys installation manual, I came across a page talking about 3rd party connections.
When you enable this option, it gives you a token and opens TCP port 12345, which seems to be an HTTPS server. I was wondering if we could leverage this port somehow to get the status of the panel. Does anyone else have one of these panels and know about this?
I ran testssl against it:
 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing cipher categories

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       offered (NOT ok)
 Triple DES Ciphers / IDEA                     not offered
 Obsolete CBC ciphers (AES, ARIA etc.)         offered
 Strong encryption (AEAD ciphers)              offered (OK)

 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

 PFS is offered (OK)          ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA
 Elliptic curves offered:     prime256v1
 DH group offered:            Unknown DH group (1024 bits)

 Testing server preferences

 Has server cipher order?     no (NOT ok)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-RC4-SHA, 256 bit ECDH (P-256) -- inconclusive test, matching cipher in list missing, better see below
 Negotiated cipher per proto  (matching cipher in list missing)
     ECDHE-RSA-AES256-SHA:          SSLv3, TLSv1, TLSv1.1
     ECDHE-RSA-AES256-GCM-SHA384:   TLSv1.2
 No further cipher order check has been done as order is determined by the client

 Testing server defaults (Server Hello)

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID: yes
 TLS clock skew               Random values, no fingerprinting possible
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 4096 bits
 Server key usage             --
 Server extended key usage    --
 Serial / Fingerprints        58E4C8DE / SHA1 69855C20F32895AF72FD3A0ACF02DDD1470AC4E8
                              SHA256 A3285F61F7CC5F7795600C59AB108D5744AE2D957C9E75462E265CFDE0199150
 Common Name (CN)             qolsys
 subjectAltName (SAN)         missing -- no SAN is deprecated
 Issuer                       qolsys
 Trust (hostname)             certificate does not match supplied URI
 Chain of trust               NOT ok (self signed)
 EV cert (experimental)       no
 ETS/"eTLS", visibility info  not present
 Certificate Validity (UTC)   expired (2017-04-05 06:37 --> 2018-04-05 06:37)
 # of certificates provided   1
 Certificate Revocation List  --
 OCSP URI                     --
                              NOT ok -- neither CRL nor OCSP URI provided
 OCSP stapling                not offered
 OCSP must staple extension   --
 DNS CAA RR (experimental)    not offered
 Certificate Transparency     N/A

 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  -- (applicable only for HTTPS)
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok), potential DoS threat
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK) (not using HTTP anyway)
 POODLE, SSL (CVE-2014-3566)               VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=A3285F61F7CC5F7795600C59AB108D5744AE2D957C9E75462E265CFDE0199150 could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers
                                           But: Unknown DH group (1024 bits)
 BEAST (CVE-2011-3389)                     SSL3: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA AES128-SHA
                                           TLS1: ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA AES128-SHA
                                           VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): ECDHE-RSA-RC4-SHA RC4-SHA
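Given the scan results above (self-signed, expired certificate with no SAN, and legacy protocols and RC4 on offer), a client for this port would need to restrict itself to the strong suites the panel also offers and pin the certificate instead of validating a chain. The following is an added example, not part of the original post and not Qolsys code; the function names and the `host` argument are assumptions, the pin is the SHA256 fingerprint from this particular scan (another panel may present a different certificate), and nothing here speaks the panel's token protocol, which the post does not describe.

```python
import hashlib
import hmac
import socket
import ssl

# SHA256 certificate fingerprint and port taken from the post's testssl output.
PANEL_CERT_SHA256 = "A3285F61F7CC5F7795600C59AB108D5744AE2D957C9E75462E265CFDE0199150"
PANEL_PORT = 12345


def build_context() -> ssl.SSLContext:
    """TLS 1.2+ with ECDHE + AES-GCM only: no SSLv3/TLS 1.0/1.1, RC4 or CBC."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")
    # The certificate is self-signed, expired and has no SAN, so chain and
    # hostname validation cannot succeed; the fingerprint pin replaces them.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pin_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of SHA-256(DER certificate) with the pin."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())


def connect_pinned(host, port=PANEL_PORT, pin=PANEL_CERT_SHA256, timeout=5.0):
    """Return a TLS socket only if the peer presents the pinned certificate."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = build_context().wrap_socket(raw)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pin):
        tls.close()
        raise ssl.SSLError("panel certificate does not match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    import sys
    with connect_pinned(sys.argv[1]) as conn:  # host is supplied by the user
        print(conn.version(), conn.cipher()[0])
```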