Shocking: Software Used To Monitor UK Students Against Radicalization Found To Be Exploitable

from the hack-attack dept

Well, that didn’t take long. It was only a month or so ago that we brought to you the delightful news that software for monitoring the UK youth in classrooms was being recommended to comply with the UK’s insane policy that conscripts teachers to watch out for scary future-Muslim-terrorists. The idea was that the software, from American company Impero Software, would report back to teachers should the children under their watchful gaze search around for terms deemed to be terrorist related. The teachers were then supposed to involve school admins, law enforcement, or parents as deemed necessary. Because, see, possible-might-be-future-terrorists sprouting up from our own children is a very scary, albeit not-yet-existing threat to something something.

Unfortunately, Impero’s monitoring agents themselves come with an actual threat, thanks to the laughably cliche security fails within the software’s design.

Impero has a lot of power over its clients’ data, whether stored on PCs, servers or children’s personal technology. If compromised, it could expose reams of information on pupils, teachers and the school as a whole. And that’s certainly possible in light of the findings of researcher ‘raylee’, real name Zammis Clark, who discovered the Impero platform was using a default password of “password” to connect clients to its servers. “Basically, if you use Impero, please don’t,” the researcher wrote in a Github post describing the flaw and releasing attack code to prove the problem existed.

The researcher told FORBES that if an attacker can gain access to the Impero server, all connected machines “are completely open to compromise”, due to the apparent lack of decent authentication. “Given that schools have been affected with malware like CryptoLocker in the past, exploit kits or spearphishing could be a way for an attacker to get into a school network. Also, there’s the threat of someone inside such a school (a student perhaps) exploiting the vulnerability,” he added.

Impero set the software up so that the password between the students’ devices and the server was “password.” They made the password “password.” Okay, here’s a new rule for the world: if you’re a company whose single reason for existing has anything to do with both technology and security, and you create your system in such a way that it ships to your customers and is allowed to work with a default password of “password”, then you don’t get to exist any longer. This is the kind of stuff people who work in IT consulting like me see all the time… at companies that don’t have any actual IT staff onsite. But this came from the software designer itself. And the most hilarious thing? Well, part of Impero’s response to the publishing of the exploit was to release a fix after its disclosure… which failed to actually fix the exploit.
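What a client/server monitoring agent should do instead, as an added example (not Impero's code; the names, the minimum length and the short common-password list are assumptions): refuse to start while the shipped default secret is still configured, generate a per-installation secret, and prove knowledge of it with an HMAC challenge-response so the secret never crosses the network.

```python
# Added example, not Impero's code: reject a default shared secret at startup
# and authenticate agent-to-server with an HMAC challenge-response.
import hashlib
import hmac
import os
import secrets

SHIPPED_DEFAULT = "password"  # the default the article describes
# Constructed stand-in for a "most common passwords" list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}
MIN_LENGTH = 16  # assumed policy minimum for a machine-generated secret


def check_shared_secret(secret: str) -> list[str]:
    """Return every reason the configured secret must be rejected (empty = ok)."""
    problems = []
    if secret == SHIPPED_DEFAULT:
        problems.append("shipped default secret still in use")
    if secret.lower() in COMMON_PASSWORDS:
        problems.append("secret appears in common-password list")
    if len(secret) < MIN_LENGTH:
        problems.append(f"secret shorter than {MIN_LENGTH} characters")
    return problems


def generate_deployment_secret() -> str:
    """Per-installation secret the installer should write instead of a default."""
    return secrets.token_urlsafe(32)


def server_challenge() -> bytes:
    """Fresh random nonce per connection attempt, so replies cannot be replayed."""
    return os.urandom(32)


def client_response(secret: str, challenge: bytes) -> bytes:
    """Client proves it knows the secret without ever transmitting it."""
    return hmac.new(secret.encode(), challenge, hashlib.sha256).digest()


def server_verify(secret: str, challenge: bytes, response: bytes) -> bool:
    """Constant-time comparison of the expected and received HMAC."""
    expected = hmac.new(secret.encode(), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    assert check_shared_secret(SHIPPED_DEFAULT), "default must be refused"
    deployed = generate_deployment_secret()
    nonce = server_challenge()
    print(server_verify(deployed, nonce, client_response(deployed, nonce)))
```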

The other part of Impero’s response was to go all legal on the security researcher for publishing the exploit in the first place, because of course it was.

In a letter to Clark dated 13 July, delivered by legal firm Gately, he is accused of breaking the terms and conditions laid out by the firm, including a stipulation that the software not be tampered with; modification is only allowed to achieve “interoperability”, meaning hackers looking for security issues are not welcome. He is also accused of copyright infringement and has been asked to remove all links from Github, Twitter and other channels that point to the public vulnerability disclosure.

In an emailed statement to FORBES, Impero director of marketing Nikki Annison claimed the offending party had “maliciously and illegally hacked our product, subsequently making this hack public rather than bringing it to our attention privately and in confidence. No customers have been affected by this and no data has been leaked or compromised.”

Excuse me, but no customers have been affected by this exploit… yet. And now they probably won’t be, assuming your team can get a proper fix in place. And the youth of the UK will have the security researcher to thank for it, since that appears to be what lit a fire under your collective asses to get this thing fixed. The marketing director also had this to say.

This hack could only be exploited if basic network security does not exist and if the attacker is physically present with local network access. We have been in communication with all our customers throughout.

Interesting response. I’m sure antivirus makers, under the notion above, could simply release software that didn’t actually do anything and then claim that if customers have a perimeter firewall up and use basic browsing common sense, their non-working software would work just fine to prevent malware. If Impero isn’t going to bother to use basic best practices when it comes to security passwords, it probably shouldn’t be issuing lectures to its customers about basic security best practices.

Or we could just side-step this whole problem by not using Impero’s software.



Comments on “Shocking: Software Used To Monitor UK Students Against Radicalization Found To Be Exploitable”

29 Comments
That One Guy (profile) says:

Well he got it half right at least

He released the vulnerability publicly, but he forgot to do it anonymously.

In an emailed statement to FORBES, Impero director of marketing Nikki Annison claimed the offending party had “maliciously and illegally hacked our product, subsequently making this hack public rather than bringing it to our attention privately and in confidence. No customers have been affected by this and no data has been leaked or compromised.”

Hey, that’s a good point, clearly he should have privately gone to them first, I’m sure they would have acted responsibly, thanked him for his discovery, promptly admitted that the vulnerability existed, and got right on fixing it.

In a letter to Clark dated 13 July, delivered by legal firm Gately, he is accused of breaking the terms and conditions laid out by the firm, including a stipulation that the software not be tampered with; modification is only allowed to achieve “interoperability”, meaning hackers looking for security issues are not welcome. He is also accused of copyright infringement and has been asked to remove all links from Github, Twitter and other channels that point to the public vulnerability disclosure.

… or not, if their reaction is anything to go by.

Had he done the stupid thing and gone to them first, I have absolutely no doubt they would have accused him of violating the terms of the software, just like they did here, along with including a hefty threat should he go public with his findings.

Once again the message is clear, though apparently this particular researcher forgot it: Always go public with your findings, always do it anonymously, and never try and contact the company in question beforehand. Break the ‘rule’ and you’ll be sued into the ground, and the problem will never be fixed.

Klaus says:

Flawed thinking from the get go

From Forbes: “…when any youngsters look at certain material on the web…”

So the idea is that when schoolchildren look up terrorist related material on the web they are flagged up and reported to the authorities, well, what happens if a bright and inquisitive schoolchild has an interest in current affairs and is wondering what gives with all this “terrorist” talk that grownups engage in, and googles said stuff?

http://news.bbc.co.uk/1/hi/uk/6359363.stm

Bad in 2007 and not getting any better…

Anonymous Coward says:

I guess hacking does not now mean what it used to.

Apparently people at Impero have watched too many bad hacker movies where several passwords are entered before shouting “I’m In” and they thought that was cool.

On a side note, are UK students forced to use this crappy spyware on their own machines, or is it on school machines only?

Better not eat Ike & Mikes in front of the computer spy cam.

Josh in CharlotteNC (profile) says:

“This hack could only be exploited if basic network security does not exist and if the attacker is physically present with local network access.”

I’m guessing no.

Does anyone with even a tiny bit of IT security experience think for a second that software setup with no authentication and a default password of “password” has no other glaring security holes?

Anonymous Coward says:

Re: Re:

When software can be subjected to holistic testing, such as the crash testing carried out on cars, or running them for thousands of miles on cobbles, then it may be possible to get relevant liability insurance. Until that is possible, failure modes that a user can find will exist in software, because it is impossible to test all combinations of input data and user triggered actions.
That said, the case under discussion may contain grounds for legal action, as it can be described as gross negligence due to the vendor ignoring a well known and well publicised problem.

WaitWot says:

Hacking shmacking

“including a stipulation that the software not be tampered with”

Impero assumes the researcher hacked their product, so the onus of proof would need to be on them to unequivocally show this was the case.

Meanwhile there are like a gazillion websites with ‘most common password’ lists… who’s to say the researcher didn’t start at the top of the list and bingo, 1-3 entries down the list he’s in.

If I was the researcher my response to Impero would be a clear and concise GFY
