Popular Wiretapping Tool Used By Law Enforcement Includes Backdoor With Hardcoded Password

from the i'm-sure-that-won't-be-abused dept

One of the major concerns that people have raised about the increasing pervasiveness of surveillance tools from not just the NSA, but various law enforcement agencies, is that all of this is making us significantly less safe. That's because if law enforcement and intelligence employees can use these tools, so can those with malicious intent. Driving home that point is the news from some security researchers that a popular tool used by law enforcement to wiretap communications has "a litany of critical weaknesses, including an undocumented backdoor secured with a hardcoded password." Because, surely, no "bad guys" would ever figure that out. The details are fairly damning.
Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication.

Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup.
As for the root backdoor, it's like the whole thing was created by security amateurs:
The MySQL database table "usr" contains a "root" user with USRKEY / user id 1 with administrative access rights. This user account does NOT show up within the "user administration" menu when logged in as administrator user account in the web interface. Hence the password can't be changed there.

As a side note: Password hashes are shown in the user administration menu for each user within HTML source code.
The people who make these things often seem to assume that they can get away with security by obscurity, since they never consider that non-law enforcement types will get access to their systems. That seems hopelessly naive.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: vulnerabilities, wiretapping


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    John Fenderson (profile), 29 May 2014 @ 2:07pm

    Usually management

    "The people who make these things often seem to assume that they can get away with security by obscurity, since they never consider that non-law enforcement types will get access to their systems."

    Yup, and it's usually management. At my workplace, I found a security weakness by which someone who is in possession of one of our enterprise server products can subvert systems running particular client software even if they don't actually have permission or control of the client machines.

    When I brought this up as a serious security problem, management responded with "the server software costs 5 figures, so hackers won't be able to get it".

    To which I answered "I guess you've never heard of piracy?" and a battle began. The vulnerability got fixed, but someone less determined than I might not have achieved that result.

    link to this | view in chronology ]

    • icon
      That One Guy (profile), 29 May 2014 @ 2:47pm

      Differing priorities

      For management, profits and costs generally take precedence over security and functionality, and only a clear and present threat or potential threat to the former will really get them to care about the latter.

      For those that actually have to deal with the code/programs, it's the other way around.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 May 2014 @ 4:38pm

      Re: Usually management

      I'm surprised you still have a job. Where I work (a major ISP), you wouldn't.

      link to this | view in chronology ]

      • icon
        ltlw0lf (profile), 29 May 2014 @ 8:13pm

        Re: Re: Usually management

        I'm surprised you still have a job. Where I work (a major ISP), you wouldn't.

        Could you let us know what ISP you work for so we can avoid using it? k thx.

        Certainly, I'd rather work for a manager who properly applied logic, such as risk assessment and mitigation instead of a manager who shoots the messenger and dismisses all risk with "it can't be done because nobody who would do it wants to buy our expensive software." You can only insert your head up your ass so far. The fact that his manager decided to come around with logic over emotion is commendable. Sadly, there are quite a few companies out there whose managers care more about saving face than protecting their employees, business processes, and customers from known flaws in their software.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 3 Jun 2014 @ 5:56am

          Re: Re: Re: Usually management

          "Could you let us know what ISP you work for so we can avoid using it? k thx."

          As if though you'd have any viable options.

          link to this | view in chronology ]

      • icon
        John Fenderson (profile), 30 May 2014 @ 8:28am

        Re: Re: Usually management

        Any place that would fire me for trying to ensure that our product or service was excellent, correct, and of real benefit to our customers is a company that I don't want to work for. It would be a badge of honor to get fired from such a place.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 30 May 2014 @ 4:45am

      Re: Usually management

      Amazing you are still employed.

      Best start looking for a job before they fing some way to remove the problem - you.

      link to this | view in chronology ]

      • icon
        John Fenderson (profile), 30 May 2014 @ 8:46am

        Re: Re: Usually management

        They don't have to find a reason: my employment is at-will and they can fire me any time they like without cause. It's not a real risk, though. I am fortunate enough to have a reasonably impressive CV stretching about 30 years and have hard-to-find skills. They couldn't afford to fire me, and if they did I'd have no problem getting a job elsewhere within a week anyway.

        But I'll let you in on something that took me far too long to learn: it's not generally very risky to make a stink about things, if you're making a stink about the right things. I learned this during a few years I spent doing contract work. Since contractors have a set end-date (and get blamed for everything after they leave anyway), I didn't have to worry about bullshit like company politics or whether or not I stepped on the wrong toes. So I started simply speaking truths. I was astonished that, every single time, the permanent developers would say to me things like "Thank you for speaking out. I've been wanting to say that for years."

        Once I decided to stop doing contract work, I kept up the habit of speaking truth -- and I've never once been punished for it. I've certainly had argument, and sometimes heated ones, but never suffered retribution. In fact, some of my biggest opponents became my biggest supporters, because the learned three key things about me: my intention is to make the product better for everybody (including the company), that I'm not an idiot, and that I'm honest.

        link to this | view in chronology ]

  • icon
    DannyB (profile), 29 May 2014 @ 2:18pm

    Forget about it being abused

    It makes any evidence gathered using the wiretapping tool suspect and unreliable. That's the big deal. It effectively destroys any credibility the tool might have had in court.

    A plausible argument can even be made that law enforcement used the back door to insert incriminating data into the tool. It doesn't have to be true, it only has to be plausible.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 May 2014 @ 3:30pm

    It should go without saying but I'm going to say it anyway.
    The number one problem with hardcoded passwords is that once it's out there, it's out there.

    link to this | view in chronology ]

    • icon
      vancedecker (profile), 29 May 2014 @ 3:49pm

      Re:

      The FBI, like many government agencies does not hire people that are not trustworthy.

      For instance, my bad...ass credit report, precludes me from ever being trusted by the FBI or NSA.

      Instead, only good people who can trusted are hired through an extensive background check and lie detector test.

      In this manner, nobody who would reveal such a password would ever know about it.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 29 May 2014 @ 4:05pm

        Re: Re:

        For instance, my bad...ass credit report, precludes me from ever being trusted by the FBI or NSA.

        You'd be surprised. It may keep you out of a sensitive position, but it may not. There are quite a few folks who have back-taxes owed to the government that still manage to have jobs (though some of them may have, since it appeared in national news outlets, lost their jobs.)

        In this manner, nobody who would reveal such a password would ever know about it.

        Guess we don't have much to worry about, except that much "government work" in this sector is done by contractors, who will more than happily sell the password to the highest bidder if they think they can get away with it.

        link to this | view in chronology ]

        • icon
          vancedecker (profile), 29 May 2014 @ 4:30pm

          Re: Re: Re:

          Only trustworthy contractors from large firms which leaders in our intelligence community know on a personal basis and have gone golfing with are allowed to work for our government.

          In this manner, companies which would employ untrustworthy employees are simply not allowed to provide services to our government.

          Additionally, the traditional bid process, which could allow unsavory elements to subvert the free market nature of private contracting firms, have been replaced by no-bid-free-market contracts.

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 31 May 2014 @ 2:26am

            Re: Re: Re: Re:

            Well thank a god that they use the golf test. I know I'll sleep better tonight knowing that.

            link to this | view in chronology ]

      • identicon
        Just Another Anonymous Troll, 30 May 2014 @ 8:17am

        Re: Re:

        "The FBI, like many government agencies does not hire people that are not trustworthy."
        *pan out to shot of planet Earth, insert loud laughter, use shakeycam*

        link to this | view in chronology ]

      • icon
        John Fenderson (profile), 30 May 2014 @ 8:52am

        Re: Re:

        "The FBI, like many government agencies does not hire people that are not trustworthy."

        This is the funniest thing I've heard this morning. Thank you!

        BTW, lie detector tests don't work, and using them as part of the hiring process does not increase the quality of hires.

        link to this | view in chronology ]

    • identicon
      Donglebert The Needlessly Unready, 30 May 2014 @ 3:38am

      Re:

      To be fair, whilst not ignoring the sheer stupidity, hardcoded passwords can be changed. You just can't do it via user admin forms.

      I'm pretty certain even heavyweight databases eg Oracle have root userids/passwords that can't be accessed via the normal forms. The difference is that it's widely documented in the install process, and requires the installer to update it.

      link to this | view in chronology ]

    • icon
      DannyB (profile), 3 Jun 2014 @ 12:41pm

      Re:

      > The number one problem with hardcoded passwords
      > is that once it's out there, it's out there.


      Why is that a problem?

      Take off your common sense hat for a moment, and put on your management hat.

      People can just buy new devices that have the hardcoded back doors. Sounds like a good business plan to me.

      link to this | view in chronology ]

  • icon
    charliebrown (profile), 29 May 2014 @ 4:38pm

    Password

    I'll tell you my password right now! It's

    link to this | view in chronology ]

  • icon
    charliebrown (profile), 29 May 2014 @ 4:38pm

    Damn, my comment didn't work. It's **********

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 May 2014 @ 5:22pm

      Re:

      "Damn, my comment didn't work. It's **********"

      Hey, that's the same as my password!

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 30 May 2014 @ 5:26am

        Re: Re:

        How stupid are you to reveal your password in such a public place? I'd never do something like that with MY password and always ensure I NEVER tell anyone that it's **********

        link to this | view in chronology ]

    • icon
      vancedecker (profile), 29 May 2014 @ 5:24pm

      Re:

      Just update your Metasploit framework sploits, I'm sure it's in there now under automated SQL subversion.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 May 2014 @ 8:37pm

    Forget about bad guys, the backdoor is obviously there for law enforcement personnel to do things that law enforcement personnel shouldn't be seen doing.

    link to this | view in chronology ]

  • icon
    ethorad (profile), 30 May 2014 @ 12:37am

    potato potahto

    if law enforcement and intelligence employees can use these tools, so can those with malicious intent

    Depressingly, sometimes it seems there's a chunky overlap between those two groups.

    link to this | view in chronology ]

  • identicon
    Capt ICE Enforcer, 30 May 2014 @ 3:22am

    Password Is

    After Snowden helped the planet with his actions, I shall do the same. The password for this back door is.

    1234

    Capt ICE Enforcer,

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 30 May 2014 @ 5:27am

    It's a government 'backdoor' password so I'm guessing its fuckdueprocess123

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 30 May 2014 @ 11:54am

    Its unlikely they will be tapping into a persons of importance , like a banker or CEO....just you poor folk. So you peasants need to just shut the fuck up, we are here to protect you from yourself

    Now nod your head cause you know that i am right..

    link to this | view in chronology ]

  • identicon
    Anonymous, 30 May 2014 @ 1:54pm

    I recently bought video recording glasses in the clearance section of Wal-Mart for $25.00.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.