
Popular Wiretapping Tool Used By Law Enforcement Includes Backdoor With Hardcoded Password

from the i'm-sure-that-won't-be-abused dept

One of the major concerns that people have raised about the increasing pervasiveness of surveillance tools from not just the NSA, but various law enforcement agencies, is that all of this is making us significantly less safe. That’s because if law enforcement and intelligence employees can use these tools, so can those with malicious intent. Driving home that point is the news from some security researchers that a popular tool used by law enforcement to wiretap communications has “a litany of critical weaknesses, including an undocumented backdoor secured with a hardcoded password.” Because, surely, no “bad guys” would ever figure that out. The details are fairly damning.

Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication.

Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup.

As for the root backdoor, it’s like the whole thing was created by security amateurs:

The MySQL database table “usr” contains a “root” user with USRKEY / user id 1 with administrative access rights. This user account does NOT show up within the “user administration” menu when logged in as an administrator user account in the web interface. Hence the password can’t be changed there.

As a side note: Password hashes are shown in the user administration menu for each user within HTML source code.
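An added audit example (not from the advisory, the vendor, or the article) that models the two findings just quoted: a privileged row in the “usr” table that the web UI never lists, and password hashes echoed into the admin page's HTML source. The table's column names other than USRKEY, the sample rows and the HTML fragment are all assumptions constructed for this example.

```python
"""Flag hidden privileged DB accounts and password hashes leaked in page source.

Added example (not from the advisory or the vendor). Column names other than
USRKEY are assumptions; the real schema is not given on the page.
"""
import re
import sqlite3

# Constructed sample data modelled on the advisory: a "root" row with USRKEY 1
# that the web UI never lists. Hash values are made-up hex, not real digests.
ROWS = [
    (1, "root", "c3" * 16, 1),
    (2, "alice", "a1" * 16, 1),
    (3, "bob", "b2" * 16, 0),
]

# Constructed: what the "user administration" page actually renders. Note the
# hash attribute on each row, mirroring the "hashes in HTML source" finding.
ADMIN_PAGE_HTML = """<table>
<tr data-hash="%s"><td>alice</td><td>admin</td></tr>
<tr data-hash="%s"><td>bob</td><td>user</td></tr>
</table>""" % ("a1" * 16, "b2" * 16)


def build_db():
    """In-memory stand-in for the application's MySQL 'usr' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usr (USRKEY INTEGER, name TEXT, pwhash TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO usr VALUES (?, ?, ?, ?)", ROWS)
    return db


def ui_usernames(html):
    """Usernames the admin menu shows (first <td> of each table row)."""
    return set(re.findall(r"<tr[^>]*><td>([^<]+)</td>", html))


def hidden_admins(db, html):
    """Accounts with administrative rights in the table but absent from the UI."""
    shown = ui_usernames(html)
    rows = db.execute("SELECT USRKEY, name FROM usr WHERE is_admin = 1").fetchall()
    return [(key, name) for key, name in rows if name not in shown]


def leaked_hashes(db, html):
    """Password hashes from the table that appear verbatim in the page source."""
    hashes = [h for (h,) in db.execute("SELECT pwhash FROM usr")]
    return sorted(h for h in hashes if h in html)
```

Run against a real deployment, the same comparison (every privileged row in the database versus every account the administration screen renders) is the check that would have surfaced the undocumented account before an attacker did.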

The people who make these things often seem to assume that they can get away with security by obscurity, since they never consider that non-law enforcement types will get access to their systems. That seems hopelessly naive.



Comments on “Popular Wiretapping Tool Used By Law Enforcement Includes Backdoor With Hardcoded Password”

John Fenderson (profile) says:

Usually management

“The people who make these things often seem to assume that they can get away with security by obscurity, since they never consider that non-law enforcement types will get access to their systems.”

Yup, and it’s usually management. At my workplace, I found a security weakness by which someone who is in possession of one of our enterprise server products can subvert systems running particular client software even if they don’t actually have permission or control of the client machines.

When I brought this up as a serious security problem, management responded with “the server software costs 5 figures, so hackers won’t be able to get it”.

To which I answered “I guess you’ve never heard of piracy?” and a battle began. The vulnerability got fixed, but someone less determined than I might not have achieved that result.

ltlw0lf (profile) says:

Re: Re: Usually management

I’m surprised you still have a job. Where I work (a major ISP), you wouldn’t.

Could you let us know what ISP you work for so we can avoid using it? k thx.

Certainly, I’d rather work for a manager who properly applied logic, such as risk assessment and mitigation instead of a manager who shoots the messenger and dismisses all risk with “it can’t be done because nobody who would do it wants to buy our expensive software.” You can only insert your head up your ass so far. The fact that his manager decided to come around with logic over emotion is commendable. Sadly, there are quite a few companies out there whose managers care more about saving face than protecting their employees, business processes, and customers from known flaws in their software.

John Fenderson (profile) says:

Re: Re: Usually management

They don’t have to find a reason: my employment is at-will and they can fire me any time they like without cause. It’s not a real risk, though. I am fortunate enough to have a reasonably impressive CV stretching about 30 years and have hard-to-find skills. They couldn’t afford to fire me, and if they did I’d have no problem getting a job elsewhere within a week anyway.

But I’ll let you in on something that took me far too long to learn: it’s not generally very risky to make a stink about things, if you’re making a stink about the right things. I learned this during a few years I spent doing contract work. Since contractors have a set end-date (and get blamed for everything after they leave anyway), I didn’t have to worry about bullshit like company politics or whether or not I stepped on the wrong toes. So I started simply speaking truths. I was astonished that, every single time, the permanent developers would say to me things like “Thank you for speaking out. I’ve been wanting to say that for years.”

Once I decided to stop doing contract work, I kept up the habit of speaking truth — and I’ve never once been punished for it. I’ve certainly had arguments, and sometimes heated ones, but never suffered retribution. In fact, some of my biggest opponents became my biggest supporters, because they learned three key things about me: my intention is to make the product better for everybody (including the company), that I’m not an idiot, and that I’m honest.

DannyB (profile) says:

Forget about it being abused

It makes any evidence gathered using the wiretapping tool suspect and unreliable. That’s the big deal. It effectively destroys any credibility the tool might have had in court.

A plausible argument can even be made that law enforcement used the back door to insert incriminating data into the tool. It doesn’t have to be true, it only has to be plausible.

vancedecker (profile) says:

Re: Re:

The FBI, like many government agencies, does not hire people that are not trustworthy.

For instance, my bad…ass credit report, precludes me from ever being trusted by the FBI or NSA.

Instead, only good people who can be trusted are hired through an extensive background check and lie detector test.

In this manner, nobody who would reveal such a password would ever know about it.

Anonymous Coward says:

Re: Re: Re:

For instance, my bad…ass credit report, precludes me from ever being trusted by the FBI or NSA.

You’d be surprised. It may keep you out of a sensitive position, but it may not. There are quite a few folks who have back-taxes owed to the government that still manage to have jobs (though some of them may have, since it appeared in national news outlets, lost their jobs.)

In this manner, nobody who would reveal such a password would ever know about it.

Guess we don’t have much to worry about, except that much “government work” in this sector is done by contractors, who will more than happily sell the password to the highest bidder if they think they can get away with it.

vancedecker (profile) says:

Re: Re: Re: Re:

Only trustworthy contractors from large firms which leaders in our intelligence community know on a personal basis and have gone golfing with are allowed to work for our government.

In this manner, companies which would employ untrustworthy employees are simply not allowed to provide services to our government.

Additionally, the traditional bid process, which could allow unsavory elements to subvert the free market nature of private contracting firms, has been replaced by no-bid-free-market contracts.

Donglebert The Needlessly Unready says:

Re: Re:

To be fair, whilst not ignoring the sheer stupidity, hardcoded passwords can be changed. You just can’t do it via user admin forms.

I’m pretty certain even heavyweight databases, e.g. Oracle, have root userids/passwords that can’t be accessed via the normal forms. The difference is that it’s widely documented in the install process, and requires the installer to update it.
