Software-Based Backdoor Discovered in Police Surveillance Equipment

This Wednesday, researchers from the Internet security outfit SEC Consult released a report claiming that dozens of surveillance devices and software programs used by local law enforcement to spy on citizens are flawed, containing a litany of backdoors and compromised code that allow ordinary citizens to eavesdrop on active investigations.

Photo: Anton Prado / Shutterstock

Provided primarily by Israel-based Nice Systems, the Nice Recording eXpress is just one of several different pieces of recording software that US investigative units depend on to gather valuable intel during a sting or stakeout operation.

This means that data collected by police departments for official investigations could easily be traced and used by anyone with a rudimentary understanding of how to swipe it, leaving the sanctity of people’s privacy in even more jeopardy than it already is today.

“Attackers are able to completely compromise the voice recording/surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication,” the researchers from security consultancy SEC Consult wrote. “Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN [virtual local area network], depending on the network setup.”

And that’s not the only area that’s been thrown out of sync by SEC’s discovery. Banks, private investigators, and utility companies are all listed on the docket of customers who line up at Nice’s door for the latest in long-distance listening equipment, creating a threat radius far greater than what the average script kiddie might be able to snatch while his police department is snoozing at the switch.

“The MySQL database table ‘user’ contains a ‘root’ user with USRKEY/ user id 1 with administrative access rights,” the SEC Consult researchers wrote. “This user account does NOT show up within the ‘user administration’ menu when logged in as administrator user account in the web interface. Hence the password can’t be changed there. As a side note: Password hashes are shown in the user administration menu for each user within HTML source code.”

The flaw reportedly also affects other surveillance equipment, including the Cybertech eXpress and the Cybertech Myracle, which provide functions similar to the Nice systems, albeit through slightly more archaic and convoluted formats.
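An added example (not from SEC Consult's report or the vendor's code) of a defender-side check for the two conditions in the SEC Consult finding quoted above: accounts stored in the database that the user administration page never lists, and stored password hashes echoed into the page source. Only the table name `user` and the column `USRKEY` come from the report; the `NAME` and `PWHASH` columns, the sample rows and HTML, and the use of `sqlite3` in place of MySQL are assumptions.

```python
import re
import sqlite3
from html.parser import HTMLParser

# Assumed schema: only table "user" and column USRKEY come from the report;
# NAME and PWHASH are hypothetical, and sqlite3 stands in for MySQL.
class PageText(HTMLParser):
    """Collect text nodes, attribute values and comments of a page."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_starttag(self, tag, attrs):
        self.chunks.extend(v for _, v in attrs if v)
    def handle_data(self, data):
        self.chunks.append(data)
    def handle_comment(self, data):
        self.chunks.append(data)

def audit(db, admin_html):
    """Return (accounts absent from the UI, accounts whose hash is in the page)."""
    parser = PageText()
    parser.feed(admin_html)
    parser.close()
    tokens = set(re.findall(r"[A-Za-z0-9_.$*/+=-]+", " ".join(parser.chunks)))
    hidden, leaked = [], []
    for usrkey, name, pwhash in db.execute(
            "SELECT USRKEY, NAME, PWHASH FROM user ORDER BY USRKEY"):
        if name not in tokens:      # stored account the admin menu never lists
            hidden.append((usrkey, name))
        if pwhash in tokens:        # stored hash echoed into the markup
            leaked.append((usrkey, name))
    return hidden, leaked

def sample():
    """Constructed data: three accounts, one of them missing from the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (USRKEY INTEGER PRIMARY KEY, NAME TEXT, PWHASH TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?, ?)", [
        (1, "root", "hash-placeholder-0001"),
        (2, "admin", "hash-placeholder-0002"),
        (3, "operator", "hash-placeholder-0003")])
    html = """<table>
      <tr><td>admin</td><td><input type="hidden" value="hash-placeholder-0002"></td></tr>
      <tr><td>operator</td><td>active</td></tr> <!-- hash-placeholder-0003 -->
    </table>"""
    return db, html

if __name__ == "__main__":
    print(audit(*sample()))
```

On the constructed data the check reports `root` as stored but never listed, and `admin` and `operator` as having their stored hash present in the page source.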

Additional vulnerabilities include:

    unauthenticated access to sensitive files and voice recordings
    multiple cross-site scripting flaws which allow attackers to obtain or impersonate other users’ sessions
    low-privileged user access to other users’ sensitive data
    multiple SQL injection flaws which allow attackers to access records
    unauthenticated access which allows attackers to delete or modify data

SEC claims it notified Nice about the issue almost half a year ago, back in December, and has yet to receive a response. Because of that silence, the researchers waited six months before publishing their findings, informing the developers of both the Nice and Cybertech systems about the problem one last time before finally taking the story public.

As of today, all versions of Recording eXpress up to and including 6.3.5 are affected, and only a few partial patches have been applied in the time since the issues were first unearthed.