Review Queue

14 findings awaiting your judgement

Campaign

Use case

Confidence 0.30 – 0.70

Reviewer

Sort

13 of 14 shown

Awaiting

findings in queue

Avg review time

1m 12s

per finding (last 7 days)

Your throughput today

findings reviewed

1155332/18445300ECS30a

Needs Review — possibly False Positive

0.48

ECS30a fuzzed Length field at edge case (Length = 0). Meter responded with valid DefaultResponse and no alert was raised. ProtoCrawler scored as concern due to atypical Length value.

Why this needs review

No clear GBCS mandate on edge-case Length handling. Existing rule R-011 covers boundary cases but this specific Length=0 variant has not been seen before.

1155332/41203350ECS47

Needs Review — possibly False Positive

0.51

ECS47 Update Tariff command with fuzzed price element. Meter responded with alert 8F30 (Source Does Not Have Authority) instead of expected 8F1E (Integrity check failed). Both alerts are plausible per spec but typically 8F1E is preferred for content-level failures.

Why this needs review

Alert code substitution may indicate firmware misclassification of error type. Needs review for whether 8F30 is acceptable in this context.

1155332/8842400CS03

Needs Review — possibly False Positive

0.55

CS03 Method A Join with fuzzed device EUI64. No alert was raised by the meter and no security log entries were recorded within the test window. ProtoCrawler flagged the case because expected join-failure alert was absent.

Why this needs review

GBCS §13.5.2 is ambiguous on whether silent rejection of malformed join requests is required to produce an alert. Expert interpretation needed.

1155332/13506700CS06

Needs Review — possibly Firmware Issue

0.58

Similar pattern to 1155332/13507 (CS06 with fuzzed RemotePartyID RNG 9 mutation) but the meter sent a partial response before timing out. Partial response decoded as a malformed CS06_response with truncated Originator System Title.

Why this needs review

Partial response is ambiguous — could indicate firmware corruption during processing, or could be a correct DLMS-layer error recovery.

1155332/40012360ECS47

Needs Review — possibly Firmware Issue

0.59

ECS47 Update Tariff with valid signature but fuzzed time-of-use band index. Meter accepted with no alert, leaving tariff in an undefined intermediate state until next reboot.

Why this needs review

Possible state-corruption bug — needs senior reviewer.

1155332/3998410ECS80

Needs Review — possibly False Positive

0.60

ECS80 Generic NonCritical Alert with fuzzed Cluster ID = 0xFFFE (reserved). No alert raised; meter accepted command silently.

Why this needs review

Reserved cluster IDs not covered by existing rules — needs tester ruling.

1155332/135071850CS06

Needs Review — possibly Firmware Issue

0.62

Test case timed out after 360 seconds during CS06 firmware activation with fuzzed RemotePartyID. Stack trace indicates ZbSimCommunicator dataSendWaitAck timeout. Cannot determine from packet trace alone whether the meter rebooted, hung, or correctly rejected the command without responding.

Why this needs review

Device shutdown or no-response observed — requires expert judgement on whether this is a firmware defect or expected protective behaviour under malformed Critical command.

1155332/9034310CS02g

Needs Review — possibly False Positive

0.63

CS02g executionDateTime fuzz with Random Length=0. Meter rejected with 8F1E. Pattern adjacent to R-006 but with new edge case.

Why this needs review

Distinct enough from R-006 to consider separate rule.

1155332/19204340CS04

Needs Review — possibly False Positive

0.64

CS04 Unjoin with malformed sequence number. Meter raised 8F30 (Source Does Not Have Authority). Behaviour matches R-010 but in a sub-pattern not yet rule-covered.

Why this needs review

Verifying that R-010 should be widened to cover this Unjoin sub-pattern.

1155332/15672360CS03

Needs Review — possibly False Positive

0.66

CS03 Method A Join with fuzzed device EUI64 byte 7. Silent rejection by meter without alert; no security log entry within 30 seconds.

Why this needs review

Adjacent to 1155332/8842 — same cluster of join-rejection ambiguity.

1155332/27891380CS02e

Needs Review — possibly Firmware Issue

0.67

CS02e Provide Device Certificate command with single 8F4C alert raised 4.2 seconds after command receipt. Per GBCS guidance, mandated alerts should be raised promptly (within 2 seconds is typical). Delay may indicate firmware processing pathway inefficiency.

Why this needs review

Delay-based heuristics are not absolute in GBCS. Expert needed to determine if 4.2s is acceptable for this device class.

1155332/22107520CS06

Needs Review — possibly Firmware Issue

0.69

CS06 Critical with fuzzed Originator Counter at 2^32-1 boundary. Meter responded with 8F1A but did not increment local counter as expected per GBCS §6.2.4.

Why this needs review

Counter handling at u32 boundary is under-specified in GBCS §6.2.4.

1155332/29841480CS02b

Needs Review — possibly False Positive

0.70

CS02b alert log timestamp drift of 5.3 seconds vs packet trace timestamp. Drift may be ProtoCrawler async correlation artefact rather than firmware time-skew.

Why this needs review

Borderline against R-007 threshold (5s) — Rule Learner suggests refinement.