Popular Wiretapping Tool Used By Law Enforcement Includes Backdoor With Hardcoded Password

from the i'm-sure-that-won't-be-abused dept

One of the major concerns that people have raised about the increasing pervasiveness of surveillance tools from not just the NSA, but various law enforcement agencies, is that all of this is making us significantly less safe. That's because if law enforcement and intelligence employees can use these tools, so can those with malicious intent. Driving home that point is the news from some security researchers that a popular tool used by law enforcement to wiretap communications has "a litany of critical weaknesses, including an undocumented backdoor secured with a hardcoded password." Because, surely, no "bad guys" would ever figure that out. The details are fairly damning.
    Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication.

    Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup.
As for the root backdoor, it's like the whole thing was created by security amateurs:
    The MySQL database table "usr" contains a "root" user with USRKEY / user id 1 with administrative access rights. This user account does NOT show up within the "user administration" menu when logged in as administrator user account in the web interface. Hence the password can't be changed there.

    As a side note: Password hashes are shown in the user administration menu for each user within HTML source code.
The people who make these things often seem to assume that they can get away with security by obscurity, since they never consider that non-law enforcement types will get access to their systems. That seems hopelessly naive.
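The two findings quoted above (an administrative account in the "usr" table that the user administration page never lists, and password hashes written into that page's HTML source) are both things an operator can check for directly against the database rather than trusting the vendor's UI. The script below is an added example and is not code from the article, from the advisory it quotes, or from the product's vendor. The "usr" table and its USRKEY / user id 1 "root" account come from the quoted advisory; the column names, the `ui_visible` flag, the hash format and the HTML template are constructed stand-ins, and SQLite stands in for MySQL so the audit runs offline.

```python
"""Audit an application's account table against what its admin UI shows.

Added example, not code from the article or the quoted advisory. The
columns, the ui_visible flag, the 'salt$hash' format and the page template
are assumptions made for this example; SQLite replaces the product's MySQL.
"""
import hashlib
import secrets
import sqlite3


def _hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 stored as 'salt$hash' (format is an assumption)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: user id 1 'root' is an admin the UI is told to hide."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE usr (usrkey INTEGER PRIMARY KEY, name TEXT, "
        "pwhash TEXT, is_admin INTEGER, ui_visible INTEGER)"
    )
    con.executemany(
        "INSERT INTO usr VALUES (?, ?, ?, ?, ?)",
        [
            (1, "root", _hash_password("vendor-fixed-secret"), 1, 0),  # constructed
            (2, "admin", _hash_password("admin-chosen"), 1, 1),
            (3, "operator", _hash_password("op-chosen"), 0, 1),
        ],
    )
    con.commit()
    return con


def admin_accounts_in_db(con: sqlite3.Connection) -> dict:
    """Ground truth: every account the database grants admin rights to."""
    return dict(con.execute("SELECT usrkey, name FROM usr WHERE is_admin = 1"))


def admin_accounts_in_ui(con: sqlite3.Connection) -> dict:
    """What the 'user administration' page would list (visible rows only)."""
    return dict(con.execute(
        "SELECT usrkey, name FROM usr WHERE is_admin = 1 AND ui_visible = 1"))


def hidden_admin_accounts(con: sqlite3.Connection) -> dict:
    """Admin accounts an administrator can neither see nor rotate through the UI."""
    visible = admin_accounts_in_ui(con)
    return {k: v for k, v in admin_accounts_in_db(con).items() if k not in visible}


def render_user_admin_page(con: sqlite3.Connection, leak_hashes: bool) -> str:
    """Constructed template. leak_hashes=True reproduces the advisory's side note:
    the stored hash of each listed user is emitted into the HTML source."""
    rows = []
    for usrkey, name, pwhash in con.execute(
            "SELECT usrkey, name, pwhash FROM usr WHERE ui_visible = 1 ORDER BY usrkey"):
        hidden = (f'<input type="hidden" name="pw_{usrkey}" value="{pwhash}">'
                  if leak_hashes else "")
        rows.append(f"<tr><td>{usrkey}</td><td>{name}</td>{hidden}</tr>")
    return "<table>" + "".join(rows) + "</table>"


def hashes_leaked_in_page(con: sqlite3.Connection, html: str) -> list:
    """Names of users whose stored hash appears verbatim in the page source."""
    return [name for name, pwhash in
            con.execute("SELECT name, pwhash FROM usr ORDER BY usrkey") if pwhash in html]


def rotate_hidden_admins(con: sqlite3.Connection) -> dict:
    """Mitigation the UI cannot offer: give each hidden admin a fresh random
    credential at the database level. Returns name -> new password for the vault."""
    new_passwords = {}
    for usrkey, name in hidden_admin_accounts(con).items():
        password = secrets.token_urlsafe(24)
        con.execute("UPDATE usr SET pwhash = ? WHERE usrkey = ?",
                    (_hash_password(password), usrkey))
        new_passwords[name] = password
    con.commit()
    return new_passwords


def verify_password(con: sqlite3.Connection, name: str, password: str) -> bool:
    """Constant-time check of a password against the stored 'salt$hash'."""
    row = con.execute("SELECT pwhash FROM usr WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt_hex, digest_hex = row[0].split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), 200_000)
    return secrets.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    con = build_sample_db()
    print("hidden admin accounts:", hidden_admin_accounts(con))
    print("leaked (flawed page):", hashes_leaked_in_page(con, render_user_admin_page(con, True)))
    print("leaked (fixed page):", hashes_leaked_in_page(con, render_user_admin_page(con, False)))
    print("rotated:", list(rotate_hidden_admins(con)))
```

Rotating the hidden account's credential removes the shared, vendor-wide secret but does not make the account visible; the audit should keep flagging it until the vendor either documents it or removes it, which is the same distinction one of the comments below draws between an undocumented account and a documented one the installer is required to change.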

Reader Comments

  •  
    John Fenderson (profile), May 29th, 2014 @ 2:07pm

    Usually management

    "The people who make these things often seem to assume that they can get away with security by obscurity, since they never consider that non-law enforcement types will get access to their systems."

    Yup, and it's usually management. At my workplace, I found a security weakness by which someone who is in possession of one of our enterprise server products can subvert systems running particular client software even if they don't actually have permission or control of the client machines.

    When I brought this up as a serious security problem, management responded with "the server software costs 5 figures, so hackers won't be able to get it".

    To which I answered "I guess you've never heard of piracy?" and a battle began. The vulnerability got fixed, but someone less determined than I might not have achieved that result.

    •  
      That One Guy (profile), May 29th, 2014 @ 2:47pm

      Differing priorities

      For management, profits and costs generally take precedence over security and functionality, and only a clear and present threat or potential threat to the former will really get them to care about the latter.

      For those that actually have to deal with the code/programs, it's the other way around.

    •  
      Anonymous Coward, May 29th, 2014 @ 4:38pm

      Re: Usually management

      I'm surprised you still have a job. Where I work (a major ISP), you wouldn't.

      •  
        ltlw0lf (profile), May 29th, 2014 @ 8:13pm

        Re: Re: Usually management

        I'm surprised you still have a job. Where I work (a major ISP), you wouldn't.

        Could you let us know what ISP you work for so we can avoid using it? k thx.

        Certainly, I'd rather work for a manager who properly applied logic, such as risk assessment and mitigation instead of a manager who shoots the messenger and dismisses all risk with "it can't be done because nobody who would do it wants to buy our expensive software." You can only insert your head up your ass so far. The fact that his manager decided to come around with logic over emotion is commendable. Sadly, there are quite a few companies out there whose managers care more about saving face than protecting their employees, business processes, and customers from known flaws in their software.

        •  
          Anonymous Coward, Jun 3rd, 2014 @ 5:56am

          Re: Re: Re: Usually management

          "Could you let us know what ISP you work for so we can avoid using it? k thx."

          As though you'd have any viable options.

      •  
        John Fenderson (profile), May 30th, 2014 @ 8:28am

        Re: Re: Usually management

        Any place that would fire me for trying to ensure that our product or service was excellent, correct, and of real benefit to our customers is a company that I don't want to work for. It would be a badge of honor to get fired from such a place.

    •  
      Anonymous Coward, May 30th, 2014 @ 4:45am

      Re: Usually management

      Amazing you are still employed.

      Best start looking for a job before they find some way to remove the problem - you.

      •  
        John Fenderson (profile), May 30th, 2014 @ 8:46am

        Re: Re: Usually management

        They don't have to find a reason: my employment is at-will and they can fire me any time they like without cause. It's not a real risk, though. I am fortunate enough to have a reasonably impressive CV stretching about 30 years and have hard-to-find skills. They couldn't afford to fire me, and if they did I'd have no problem getting a job elsewhere within a week anyway.

        But I'll let you in on something that took me far too long to learn: it's not generally very risky to make a stink about things, if you're making a stink about the right things. I learned this during a few years I spent doing contract work. Since contractors have a set end-date (and get blamed for everything after they leave anyway), I didn't have to worry about bullshit like company politics or whether or not I stepped on the wrong toes. So I started simply speaking truths. I was astonished that, every single time, the permanent developers would say to me things like "Thank you for speaking out. I've been wanting to say that for years."

        Once I decided to stop doing contract work, I kept up the habit of speaking truth -- and I've never once been punished for it. I've certainly had arguments, and sometimes heated ones, but never suffered retribution. In fact, some of my biggest opponents became my biggest supporters, because they learned three key things about me: my intention is to make the product better for everybody (including the company), that I'm not an idiot, and that I'm honest.

  •  
    DannyB (profile), May 29th, 2014 @ 2:18pm

    Forget about it being abused

    It makes any evidence gathered using the wiretapping tool suspect and unreliable. That's the big deal. It effectively destroys any credibility the tool might have had in court.

    A plausible argument can even be made that law enforcement used the back door to insert incriminating data into the tool. It doesn't have to be true, it only has to be plausible.

  •  
    Anonymous Coward, May 29th, 2014 @ 3:30pm

    It should go without saying but I'm going to say it anyway.
    The number one problem with hardcoded passwords is that once it's out there, it's out there.

    •  
      vancedecker (profile), May 29th, 2014 @ 3:49pm

      Re:

      The FBI, like many government agencies, does not hire people that are not trustworthy.

      For instance, my bad...ass credit report precludes me from ever being trusted by the FBI or NSA.

      Instead, only good people who can be trusted are hired through an extensive background check and lie detector test.

      In this manner, nobody who would reveal such a password would ever know about it.

      •  
        Anonymous Coward, May 29th, 2014 @ 4:05pm

        Re: Re:

        For instance, my bad...ass credit report precludes me from ever being trusted by the FBI or NSA.

        You'd be surprised. It may keep you out of a sensitive position, but it may not. There are quite a few folks who have back-taxes owed to the government that still manage to have jobs (though some of them may have, since it appeared in national news outlets, lost their jobs.)

        In this manner, nobody who would reveal such a password would ever know about it.

        Guess we don't have much to worry about, except that much "government work" in this sector is done by contractors, who will more than happily sell the password to the highest bidder if they think they can get away with it.

        •  
          vancedecker (profile), May 29th, 2014 @ 4:30pm

          Re: Re: Re:

          Only trustworthy contractors from large firms which leaders in our intelligence community know on a personal basis and have gone golfing with are allowed to work for our government.

          In this manner, companies which would employ untrustworthy employees are simply not allowed to provide services to our government.

          Additionally, the traditional bid process, which could allow unsavory elements to subvert the free market nature of private contracting firms, has been replaced by no-bid-free-market contracts.

          •  
            Anonymous Coward, May 31st, 2014 @ 2:26am

            Re: Re: Re: Re:

            Well thank a god that they use the golf test. I know I'll sleep better tonight knowing that.

      •  
        Just Another Anonymous Troll, May 30th, 2014 @ 8:17am

        Re: Re:

        "The FBI, like many government agencies, does not hire people that are not trustworthy."
        *pan out to shot of planet Earth, insert loud laughter, use shakeycam*

      •  
        John Fenderson (profile), May 30th, 2014 @ 8:52am

        Re: Re:

        "The FBI, like many government agencies, does not hire people that are not trustworthy."

        This is the funniest thing I've heard this morning. Thank you!

        BTW, lie detector tests don't work, and using them as part of the hiring process does not increase the quality of hires.

    •  
      Donglebert The Needlessly Unready, May 30th, 2014 @ 3:38am

      Re:

      To be fair, whilst not ignoring the sheer stupidity, hardcoded passwords can be changed. You just can't do it via user admin forms.

      I'm pretty certain even heavyweight databases, e.g. Oracle, have root userids/passwords that can't be accessed via the normal forms. The difference is that it's widely documented in the install process, and requires the installer to update it.

    •  
      DannyB (profile), Jun 3rd, 2014 @ 12:41pm

      Re:

      > The number one problem with hardcoded passwords
      > is that once it's out there, it's out there.

      Why is that a problem?

      Take off your common sense hat for a moment, and put on your management hat.

      People can just buy new devices that have the hardcoded back doors. Sounds like a good business plan to me.

  •  
    charliebrown (profile), May 29th, 2014 @ 4:38pm

    Password

    I'll tell you my password right now! It's

  •  
    charliebrown (profile), May 29th, 2014 @ 4:38pm

    Damn, my comment didn't work. It's **********

    •  
      Anonymous Coward, May 29th, 2014 @ 5:22pm

      Re:

      "Damn, my comment didn't work. It's **********"

      Hey, that's the same as my password!

      •  
        Anonymous Coward, May 30th, 2014 @ 5:26am

        Re: Re:

        How stupid are you to reveal your password in such a public place? I'd never do something like that with MY password and always ensure I NEVER tell anyone that it's **********

    •  
      vancedecker (profile), May 29th, 2014 @ 5:24pm

      Re:

      Just update your Metasploit framework sploits, I'm sure it's in there now under automated SQL subversion.

  •  
    Anonymous Coward, May 29th, 2014 @ 8:37pm

    Forget about bad guys, the backdoor is obviously there for law enforcement personnel to do things that law enforcement personnel shouldn't be seen doing.

  •  
    ethorad (profile), May 30th, 2014 @ 12:37am

    potato potahto

    if law enforcement and intelligence employees can use these tools, so can those with malicious intent

    Depressingly, sometimes it seems there's a chunky overlap between those two groups.

  •  
    Capt ICE Enforcer, May 30th, 2014 @ 3:22am

    Password Is

    After Snowden helped the planet with his actions, I shall do the same. The password for this back door is:

    1234

    Capt ICE Enforcer,

  •  
    Anonymous Coward, May 30th, 2014 @ 5:27am

    It's a government 'backdoor' password so I'm guessing its fuckdueprocess123

  •  
    Anonymous Coward, May 30th, 2014 @ 11:54am

    It's unlikely they will be tapping into persons of importance, like a banker or CEO... just you poor folk. So you peasants need to just shut the fuck up, we are here to protect you from yourself.

    Now nod your head 'cause you know that I am right.

  •  
    Anonymous, May 30th, 2014 @ 1:54pm

    I recently bought video recording glasses in the clearance section of Wal-Mart for $25.00.
