Backdoor in Call Monitoring, Surveillance Gear

If your company’s core business is making software designed to help first responders and police record and intercept phone calls, it’s probably a good idea to ensure the product isn’t so full of security holes that it allows trivial access by unauthorized users. Unfortunately, even companies working in this sensitive space fall victim to the classic blunder that eventually turns most software into Swiss Cheese: Trying to bolt on security only after the product has shipped.
phonetapFew companies excel at showcasing such failures asSEC Consult Vulnerability Lab, a software testing firm based in Vienna, Austria. In a post last year called Security Vendors: Do No Harm, Heal Thyself, I wrote about Symantec quietly fixing serious vulnerabilities that SEC Consult found in its Symantec Web Gateway, a popular line of security appliances designed to help “protect organizations against multiple types of Web-borne malware.” Prior to that, this blog showcased the company’s research on backdoors it discovered in security hardware and software sold by Barracuda Networks.
Today’s post looks at backdoors and other serious vulnerabilities SEC Consult found in products made by NICE Systems, an Israeli software firm that sells a variety of call recording solutions for law enforcement, public safety organizations and small businesses. According to SEC Consult, NICE’s Recording eXpress — a call recording suite designed for small and medium-sized public safety organizations (PDF) – contains an undocumented backdoor account that provides administrator-level access to the product.
“Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication,” wrote Johannes Greil and Stefan Viehböck of SEC Consult. “Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup.”
According to the security firm’s advisory, these and a slew of other security security holes likely also exist in Cybertech eXpress and Cybertech Myracle, older NICE products aimed at corporations seeking call recording software for customer service, training and verification.
NICE did not immediately respond to requests for comment. SEC Consult says the company has fixed the backdoor and a few other issues via a recent security update, but that serious other flaws remain unaddressed (including multiple unauthenticated SQL injection issues).
A section of the NICE Web site says the company also “provides Law Enforcement Agencies (LEAs) with mission-critical lawful interception solutions to support the fight against organized crime, drug trafficking and terrorist activities.” While the SEC Consult didn’t examine these technologies, NICE’s track record here doesn’t exactly instill confidence that those systems are any more secure.
Nicholas Weaver, a researcher at the International Computer Science Institute(ICSI) and at the University of California, Berkeley, said the NICE case is the classic worry of all those who write security monitoring software.
“If an attacker takes control, the monitoring software can easily be turned against the installer,” Weaver said. “So many critical programs exist in shadows: never discussed, never audited, and never known. For many of these programs, whenever a researcher illuminates them, discoveries like this seem almost inevitable.”