Popular Wiretapping Tool Used By Law Enforcement Includes Backdoor With Hardcoded Password
from the i'm-sure-that-won't-be-abused dept
One of the major concerns that people have raised about the increasing pervasiveness of surveillance tools from not just the NSA, but various law enforcement agencies, is that all of this is making us significantly less safe. That's because if law enforcement and intelligence employees can use these tools, so can those with malicious intent. Driving home that point is the news from some security researchers that a popular tool used by law enforcement to wiretap communications has "a litany of critical weaknesses, including an undocumented backdoor secured with a hardcoded password." Because, surely, no "bad guys" would ever figure that out. The details are fairly damning.
> Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication.
> Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup.
As for the root backdoor, it's like the whole thing was created by security amateurs:
> The MySQL database table "usr" contains a "root" user with USRKEY / user id 1 with administrative access rights. This user account does NOT show up within the "user administration" menu when logged in as administrator user account in the web interface. Hence the password can't be changed there.
> As a side note: Password hashes are shown in the user administration menu for each user within HTML source code.
The people who make these things often seem to assume that they can get away with security by obscurity, since they never consider that non-law enforcement types will get access to their systems. That seems hopelessly naive.
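A defender's audit for the two issues the advisory describes, as an added example that is not from the advisory or the vendor: it reconciles the "usr" table against what the user administration page lists and checks whether stored hashes appear in the page source. An in-memory SQLite table stands in for MySQL, and every column name other than USRKEY, the page markup and all sample values are assumptions.

```python
import hashlib
import re
import sqlite3

def build_sample_db():
    # Constructed stand-in for the MySQL "usr" table. Only the table name,
    # USRKEY and the "root" row with id 1 come from the advisory; the other
    # columns and every value here are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usr (USRKEY INTEGER PRIMARY KEY, name TEXT,"
               " is_admin INTEGER, pw_hash TEXT)")
    for key, name, admin in [(1, "root", 1), (2, "admin", 1), (3, "alice", 0)]:
        digest = hashlib.sha256(f"constructed-{name}".encode()).hexdigest()
        db.execute("INSERT INTO usr VALUES (?, ?, ?, ?)", (key, name, admin, digest))
    return db

def render_user_admin(db):
    # Constructed model of the flawed page: it skips USRKEY 1 and embeds
    # each listed user's hash in the HTML source.
    rows = db.execute("SELECT name, pw_hash FROM usr WHERE USRKEY != 1")
    return "\n".join(
        f'<tr><td>{n}</td><td><input type="hidden" value="{h}"></td></tr>'
        for n, h in rows)

def hidden_accounts(db, html):
    """Rows in usr whose name never appears in the user administration page."""
    listed = set(re.findall(r"<td>([^<]+)</td>", html))
    rows = db.execute("SELECT USRKEY, name, is_admin FROM usr ORDER BY USRKEY")
    return [r for r in rows if r[1] not in listed]

# Hex strings with the length of common digests (32, 40 or 64 characters).
HEX_DIGEST = re.compile(r"\b(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b", re.I)

def leaked_hashes(db, html):
    """Names of users whose stored hash is present verbatim in the HTML."""
    in_page = {m.lower() for m in HEX_DIGEST.findall(html)}
    rows = db.execute("SELECT name, pw_hash FROM usr ORDER BY USRKEY")
    return [n for n, h in rows if h.lower() in in_page]

if __name__ == "__main__":
    db = build_sample_db()
    page = render_user_admin(db)
    print("not manageable in UI:", hidden_accounts(db, page))
    print("hashes exposed for:", leaked_hashes(db, page))
```

Any account the first check reports is one an administrator cannot rotate or disable from the interface, which is the condition that makes a shipped default credential permanent.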
Filed Under: vulnerabilities, wiretapping
Reader Comments
Usually management
Yup, and it's usually management. At my workplace, I found a security weakness by which someone who is in possession of one of our enterprise server products can subvert systems running particular client software even if they don't actually have permission or control of the client machines.
When I brought this up as a serious security problem, management responded with "the server software costs 5 figures, so hackers won't be able to get it".
To which I answered "I guess you've never heard of piracy?" and a battle began. The vulnerability got fixed, but someone less determined than I might not have achieved that result.
[ link to this | view in chronology ]
Differing priorities
For those that actually have to deal with the code/programs, it's the other way around.
[ link to this | view in chronology ]
Re: Re: Usually management
Could you let us know what ISP you work for so we can avoid using it? k thx.
Certainly, I'd rather work for a manager who properly applied logic, such as risk assessment and mitigation instead of a manager who shoots the messenger and dismisses all risk with "it can't be done because nobody who would do it wants to buy our expensive software." You can only insert your head up your ass so far. The fact that his manager decided to come around with logic over emotion is commendable. Sadly, there are quite a few companies out there whose managers care more about saving face than protecting their employees, business processes, and customers from known flaws in their software.
[ link to this | view in chronology ]
Re: Re: Re: Usually management
As if you'd have any viable options.
[ link to this | view in chronology ]
Re: Usually management
Best start looking for a job before they find some way to remove the problem - you.
[ link to this | view in chronology ]
Re: Re: Usually management
But I'll let you in on something that took me far too long to learn: it's not generally very risky to make a stink about things, if you're making a stink about the right things. I learned this during a few years I spent doing contract work. Since contractors have a set end-date (and get blamed for everything after they leave anyway), I didn't have to worry about bullshit like company politics or whether or not I stepped on the wrong toes. So I started simply speaking truths. I was astonished that, every single time, the permanent developers would say to me things like "Thank you for speaking out. I've been wanting to say that for years."
Once I decided to stop doing contract work, I kept up the habit of speaking truth -- and I've never once been punished for it. I've certainly had arguments, and sometimes heated ones, but never suffered retribution. In fact, some of my biggest opponents became my biggest supporters, because they learned three key things about me: my intention is to make the product better for everybody (including the company), that I'm not an idiot, and that I'm honest.
[ link to this | view in chronology ]
Forget about it being abused
A plausible argument can even be made that law enforcement used the back door to insert incriminating data into the tool. It doesn't have to be true, it only has to be plausible.
[ link to this | view in chronology ]
The number one problem with hardcoded passwords is that once it's out there, it's out there.
[ link to this | view in chronology ]
Re:
For instance, my bad...ass credit report, precludes me from ever being trusted by the FBI or NSA.
Instead, only good people who can be trusted are hired through an extensive background check and lie detector test.
In this manner, nobody who would reveal such a password would ever know about it.
[ link to this | view in chronology ]
Re: Re:
You'd be surprised. It may keep you out of a sensitive position, but it may not. There are quite a few folks who have back-taxes owed to the government that still manage to have jobs (though some of them may have, since it appeared in national news outlets, lost their jobs.)
> In this manner, nobody who would reveal such a password would ever know about it.
Guess we don't have much to worry about, except that much "government work" in this sector is done by contractors, who will more than happily sell the password to the highest bidder if they think they can get away with it.
[ link to this | view in chronology ]
Re: Re: Re:
In this manner, companies which would employ untrustworthy employees are simply not allowed to provide services to our government.
Additionally, the traditional bid process, which could allow unsavory elements to subvert the free market nature of private contracting firms, has been replaced by no-bid-free-market contracts.
[ link to this | view in chronology ]
Re: Re:
*pan out to shot of planet Earth, insert loud laughter, use shakeycam*
[ link to this | view in chronology ]
Re: Re:
This is the funniest thing I've heard this morning. Thank you!
BTW, lie detector tests don't work, and using them as part of the hiring process does not increase the quality of hires.
[ link to this | view in chronology ]
Re:
I'm pretty certain even heavyweight databases, e.g. Oracle, have root userids/passwords that can't be accessed via the normal forms. The difference is that it's widely documented in the install process, and requires the installer to update it.
[ link to this | view in chronology ]
Re:
> is that once it's out there, it's out there.
Why is that a problem?
Take off your common sense hat for a moment, and put on your management hat.
People can just buy new devices that have the hardcoded back doors. Sounds like a good business plan to me.
[ link to this | view in chronology ]
Password
[ link to this | view in chronology ]
Re:
Hey, that's the same as my password!
[ link to this | view in chronology ]
potato potahto
Depressingly, sometimes it seems there's a chunky overlap between those two groups.
[ link to this | view in chronology ]
Password Is
1234
Capt ICE Enforcer,
[ link to this | view in chronology ]
Now nod your head cause you know that i am right..
[ link to this | view in chronology ]