Popular Wiretapping Tool Used By Law Enforcement Includes Backdoor With Hardcoded Password
from the i'm-sure-that-won't-be-abused dept
One of the major concerns that people have raised about the increasing pervasiveness of surveillance tools from not just the NSA, but various law enforcement agencies, is that all of this is making us significantly less safe. That’s because if law enforcement and intelligence employees can use these tools, so can those with malicious intent. Driving home that point is the news from some security researchers that a popular tool used by law enforcement to wiretap communications has “a litany of critical weaknesses, including an undocumented backdoor secured with a hardcoded password.” Because, surely, no “bad guys” would ever figure that out. The details are fairly damning.
Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication.
Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup.
As for the root backdoor, it’s like the whole thing was created by security amateurs:
The MySQL database table “usr” contains a “root” user with USRKEY / user id 1 with administrative access rights. This user account does NOT show up within the “user administration” menu when logged in as administrator user account in the web interface. Hence the password can’t be changed there.
As a side note: Password hashes are shown in the user administration menu for each user within HTML source code.
The people who make these things often seem to assume that they can get away with security by obscurity, since they never consider that non-law enforcement types will get access to their systems. That seems hopelessly naive.
Filed Under: vulnerabilities, wiretapping
Comments on “Popular Wiretapping Tool Used By Law Enforcement Includes Backdoor With Hardcoded Password”
Usually management
“The people who make these things often seem to assume that they can get away with security by obscurity, since they never consider that non-law enforcement types will get access to their systems.”
Yup, and it’s usually management. At my workplace, I found a security weakness by which someone who is in possession of one of our enterprise server products can subvert systems running particular client software even if they don’t actually have permission or control of the client machines.
When I brought this up as a serious security problem, management responded with “the server software costs 5 figures, so hackers won’t be able to get it”.
To which I answered “I guess you’ve never heard of piracy?” and a battle began. The vulnerability got fixed, but someone less determined than I might not have achieved that result.
Re: Differing priorities
For management, profits and costs generally take precedence over security and functionality, and only a clear and present threat or potential threat to the former will really get them to care about the latter.
For those that actually have to deal with the code/programs, it’s the other way around.
Re: Usually management
I’m surprised you still have a job. Where I work (a major ISP), you wouldn’t.
Re: Re: Usually management
I’m surprised you still have a job. Where I work (a major ISP), you wouldn’t.
Could you let us know what ISP you work for so we can avoid using it? k thx.
Certainly, I’d rather work for a manager who properly applied logic, such as risk assessment and mitigation instead of a manager who shoots the messenger and dismisses all risk with “it can’t be done because nobody who would do it wants to buy our expensive software.” You can only insert your head up your ass so far. The fact that his manager decided to come around with logic over emotion is commendable. Sadly, there are quite a few companies out there whose managers care more about saving face than protecting their employees, business processes, and customers from known flaws in their software.
Re: Re: Re: Usually management
“Could you let us know what ISP you work for so we can avoid using it? k thx.”
As if though you’d have any viable options.
Re: Re: Usually management
Any place that would fire me for trying to ensure that our product or service was excellent, correct, and of real benefit to our customers is a company that I don’t want to work for. It would be a badge of honor to get fired from such a place.
Re: Usually management
Amazing you are still employed.
Best start looking for a job before they fing some way to remove the problem – you.
Re: Re: Usually management
They don’t have to find a reason: my employment is at-will and they can fire me any time they like without cause. It’s not a real risk, though. I am fortunate enough to have a reasonably impressive CV stretching about 30 years and have hard-to-find skills. They couldn’t afford to fire me, and if they did I’d have no problem getting a job elsewhere within a week anyway.
But I’ll let you in on something that took me far too long to learn: it’s not generally very risky to make a stink about things, if you’re making a stink about the right things. I learned this during a few years I spent doing contract work. Since contractors have a set end-date (and get blamed for everything after they leave anyway), I didn’t have to worry about bullshit like company politics or whether or not I stepped on the wrong toes. So I started simply speaking truths. I was astonished that, every single time, the permanent developers would say to me things like “Thank you for speaking out. I’ve been wanting to say that for years.”
Once I decided to stop doing contract work, I kept up the habit of speaking truth — and I’ve never once been punished for it. I’ve certainly had argument, and sometimes heated ones, but never suffered retribution. In fact, some of my biggest opponents became my biggest supporters, because the learned three key things about me: my intention is to make the product better for everybody (including the company), that I’m not an idiot, and that I’m honest.
Forget about it being abused
It makes any evidence gathered using the wiretapping tool suspect and unreliable. That’s the big deal. It effectively destroys any credibility the tool might have had in court.
A plausible argument can even be made that law enforcement used the back door to insert incriminating data into the tool. It doesn’t have to be true, it only has to be plausible.
It should go without saying but I’m going to say it anyway.
The number one problem with hardcoded passwords is that once it’s out there, it’s out there.
Re: Re:
The FBI, like many government agencies does not hire people that are not trustworthy.
For instance, my bad…ass credit report, precludes me from ever being trusted by the FBI or NSA.
Instead, only good people who can trusted are hired through an extensive background check and lie detector test.
In this manner, nobody who would reveal such a password would ever know about it.
Re: Re: Re:
For instance, my bad…ass credit report, precludes me from ever being trusted by the FBI or NSA.
You’d be surprised. It may keep you out of a sensitive position, but it may not. There are quite a few folks who have back-taxes owed to the government that still manage to have jobs (though some of them may have, since it appeared in national news outlets, lost their jobs.)
In this manner, nobody who would reveal such a password would ever know about it.
Guess we don’t have much to worry about, except that much “government work” in this sector is done by contractors, who will more than happily sell the password to the highest bidder if they think they can get away with it.
Re: Re: Re: Re:
Only trustworthy contractors from large firms which leaders in our intelligence community know on a personal basis and have gone golfing with are allowed to work for our government.
In this manner, companies which would employ untrustworthy employees are simply not allowed to provide services to our government.
Additionally, the traditional bid process, which could allow unsavory elements to subvert the free market nature of private contracting firms, have been replaced by no-bid-free-market contracts.
Re: Re: Re:2 Re:
Well thank a god that they use the golf test. I know I’ll sleep better tonight knowing that.
Re: Re: Re:
“The FBI, like many government agencies does not hire people that are not trustworthy.”
pan out to shot of planet Earth, insert loud laughter, use shakeycam
Re: Re: Re:
“The FBI, like many government agencies does not hire people that are not trustworthy.”
This is the funniest thing I’ve heard this morning. Thank you!
BTW, lie detector tests don’t work, and using them as part of the hiring process does not increase the quality of hires.
Re: Re:
To be fair, whilst not ignoring the sheer stupidity, hardcoded passwords can be changed. You just can’t do it via user admin forms.
I’m pretty certain even heavyweight databases eg Oracle have root userids/passwords that can’t be accessed via the normal forms. The difference is that it’s widely documented in the install process, and requires the installer to update it.
Re: Re:
Password
I’ll tell you my password right now! It’s
Damn, my comment didn’t work. It’s **********
Re: Re:
“Damn, my comment didn’t work. It’s **********”
Hey, that’s the same as my password!
Re: Re: Re:
How stupid are you to reveal your password in such a public place? I’d never do something like that with MY password and always ensure I NEVER tell anyone that it’s **********
Re: Re:
Just update your Metasploit framework sploits, I’m sure it’s in there now under automated SQL subversion.
Forget about bad guys, the backdoor is obviously there for law enforcement personnel to do things that law enforcement personnel shouldn’t be seen doing.
Re: Re:
e.g. fabricating “incriminating” evidence
potato potahto
if law enforcement and intelligence employees can use these tools, so can those with malicious intent
Depressingly, sometimes it seems there’s a chunky overlap between those two groups.
Password Is
After Snowden helped the planet with his actions, I shall do the same. The password for this back door is.
1234
Capt ICE Enforcer,
Re: Password Is
That’s amazing! I’ve got the same combination on my luggage!
Re: Re: Password Is
Eagle River?!
It’s a government ‘backdoor’ password so I’m guessing its fuckdueprocess123
Its unlikely they will be tapping into a persons of importance , like a banker or CEO….just you poor folk. So you peasants need to just shut the fuck up, we are here to protect you from yourself
Now nod your head cause you know that i am right..
I recently bought video recording glasses in the clearance section of Wal-Mart for $25.00.