Vulnerabilities Found in Law Enforcement Surveillance System

SEC Consult has published an advisory warning people not to use a government eavesdropping product called Recording eXpress, sold by the Israeli company Nice Systems. Basically, attackers can completely compromise the system. There are good stories on this by Brian Krebs and Dan Goodin.

Posted on May 29, 2014 at 2:12 PM • 27 Comments

Comments

KnottWhittingley • May 29, 2014 3:04 PM

It seems bizarre to me that anyone would expect Israeli software, especially security or law enforcement software, not to have backdoors for Mossad et al.

I'm not slamming the Israelis by saying that. ("Some of my best friends" and all that.)

I'm just acknowledging that of all the countries in the world, Israel is perhaps the most threatened---there are lots of people lots of places, including many of their neighbors, who want to see them destroyed.

You don't have to be for or against Israel to see that they're under a special degree of pressure to gather what intelligence they can in various countries, adversaries and allies alike. They face a constant existential threat from several sides, with inconstant allies.

Given that, you have to wonder why they're allowed to sell their software to law enforcement agencies in the US. What deal has been struck?

You also have to wonder why they're allowed to sell software in the US that has such easily detectable back doors and other vulnerabilities.

Seriously, NSA? Seriously? Couldn't you at least insist that they obfuscate those things a bit more, such that maybe our adversaries and theirs won't find and use them too? Do you think that China and Russia can't find such easily-findable back doors and security holes, or do you just not care very much, so long as you can use them?

New Tag Category • May 29, 2014 5:08 PM

Tags: back doors, law enforcement, privacy, rootkits, surveillance, vulnerabilities, [driving daddy's caddy]

Clive Robinson • May 29, 2014 5:26 PM

First off ALL software that has sufficient complexity has flaws, some of these flaws will be easily exploitable. Because of this much software of sufficient complexity comes with inbuilt test/developer/debug/support code which by its design will add more exploitable flaws. Some as in the case of CarrierIQ just go way beyond even being backdoors. Further we know that putting backdoors into commercial code either overtly or covertly is a matter of legal requirement or compulsion in many countries including the US.

Thus you should not take things as being secure unless you verify them to be so, which is difficult at best, or can mitigate the likely insecurities. This is not a new idea or one even unique to modern complex systems, the old saw of "No honour amongst thieves" is millennia old, as is "Keep your friends close, but your enemies closer".

Thus we should ask "Would you honestly expect otherwise?".

However the question of due diligence does arise, ask yourself what a smart defence lawyer could do with this information, for their client...

Who watches the watchers • May 29, 2014 7:17 PM

Amazing how they had to hound this company to simply eliminate a root SQL user, change some privs and fix basic XSS vulns.

Shachar Shemesh • May 29, 2014 10:15 PM

@KnottWhittingley

I'm not slamming the Israelis by saying that. ("Some of my best friends" and all that.)

Right. Do name two, please. Preferably from the Israeli security software industry.

As someone who has actually worked in the Israeli security software industry (I was Checkpoint's security leader between 2000 and 2003), I think the Snowden revelation that shocked me the most was that the NSA intercepts outgoing routers and installs back doors on them.

From my experience, an Israeli security product is less, not more, likely to contain deliberate backdoors than other countries', precisely because of the reasons you state. Everybody has sort of expected Israeli products to contain backdoors since forever, and any verified accusation would be disastrous to the company in which such a back door was found.

There is no segment in the security software market I can think of where installing a deliberate backdoor on all products is commercially viable, and that market is a big enough portion of Israel's total GDP to have the government approve such a thing.

What people sort of assume is that those companies are somehow supported by the government. It's true that Checkpoint is indirectly receiving a lot of money via tax breaks, but:
A. This is public record
and
B. So do other major employers, including international companies, such as Intel.

In general, the government has no aid and no say in the design of your product[1], security or otherwise, so any analysis has to be economical, rather than "national threat" based.

It is possible that someone is intercepting routers intended for specific targets and installing back doors on those. I don't know of any such case, but then again, I wouldn't. I find it highly unlikely, considering most of the hardware products are neither manufactured in nor shipped from Israel, again, for cost reasons. If anything, it is possible that the Chinese government is installing backdoors on Israeli products.

Either way, this is not the case here. This is, in all likelihood, a simple vulnerability.

Shachar


1.
In the interest of full disclosure, I will mention the "cipher ordinance". It requires anyone dealing with, using or manufacturing ciphers to get an approval. The practicalities of the ordinance, however, are much much much less draconian than what it sounds.

For one thing, freely available downloadable encryption is explicitly excluded from the ordinance. You will not go to jail for using PGP.

In fact, you will not go to jail, period. As far as I know, the number of convictions based on this ordinance stands at zero.

Prof. Eli Biham once told me that he was approached by the Ministry of Defense and was told that what he was doing was illegal, but if he asked for permission they'd give it. So he did, and they did, and that was the end of it.

They make it explicitly clear that their policy is to enable the security software industry. They have this nice table up showing, over the years, how many requests for approvals there were, how many rejections, and how long it took to answer each request. Since 2004 they don't list a single rejection.

My personal experience matches that. I asked to approve rsyncrypto, an open source encryption software I wrote. I did this several years after it was already available, and only because I decided it was time (i.e., I could probably continue to ignore the ordinance without any repercussions). I got the highest level of approval within days, and an actual certificate within a couple of weeks.

Shachar

Skeptical • May 29, 2014 10:46 PM

They certainly have a large list of clients:

More than 5,000 enterprise class customers around the world, including 9 out of the top 10 U.S. cities, NYPD, New Jersey Transit, FAA (Federal Aviation Administration), Eiffel Tower, Beijing Metro, Dallas Fort Worth Airport and many more in the government, public safety, transportation, critical infrastructure and enterprise campus sectors, entrust their security and safety needs to NICE.

NICE Systems - Security

It sounds like this particular product is aimed at a segment of the market that would not be a high priority for Israeli intelligence services, which would make a deliberate compromise of the product very irrational from a policy perspective (and therefore less likely, all else being equal), although (as noted in a recent essay) given how connected systems are, perhaps such segments make for the best access points.

uh, Mike • May 29, 2014 11:03 PM

There are LEOs and geeks and LEO+geeks, and it's easy to imagine agencies that don't have all three. So easy that some poor security products get bought and deployed a little too often.

Nothing to see here, move along.

Fazal Majid • May 29, 2014 11:14 PM

Hanlon's razor applies. Seems more likely to be sloppy coding habits - this is rife among web programmers.

The Israelis have access to that information from the NSA, with minimal safeguards, if Snowden is to be believed:
http://www.theguardian.com/world/2013/sep/11/nsa-americans-personal-data-israel-documents

More interesting are allegations that CALEA software by Israeli firms AMDOCS and Verint have back doors:
http://cryptome.org/fox-il-spy.htm

Not sure how credible these are, but plausible. Fox News certainly doesn't have the reputation of being Israel-phobic.

Éibhear • May 30, 2014 5:04 AM

"...a government eavesdropping product..."

"Basically, attackers can completely compromise the system"

Is this not one of those curious situations where the attacker and the user are the same?

Chris • May 30, 2014 5:55 AM

I guess that this is good news for all those indicted with this software and bad news for the law: law enforcement could now have to prove that the evidence collected did not come from corruption of the computer by a third party misusing the discovered flaw!

Bob S. • May 30, 2014 6:39 AM

The irony is sweet. (Double irony is other spy machines can spy on the spies.)

Many years ago I used a very well known software firewall that after a time was constantly phoning home, all the time. Why? "Updates" said tech support. To myself, "I don't think so". Delete.

The American company had been to an Israeli company shortly before the problem arose.

Mr. Pragma • May 30, 2014 8:00 AM

My personal assumption is that this is a deliberately placed backdoor. The product being in the "small fish" range, though, it (and its backdoor planting) probably didn't get the attention large fish products get, et voila, someone found it.

That thing comes from Israel? Well, what did you expect?

After all, chances are that entities having bought that kind of product would not drag the Israeli company to court, right. Which basically translates to an invitation saying "feel free to f*ck us and to spy on us".

Skeptical • May 30, 2014 11:56 AM

Noteworthy that the company is down less than 1% today on the NASDAQ.

Steve Friedl • May 30, 2014 1:11 PM

This is certainly less sinister than it looks.

These aren't backdoors in the nefarious sense; they are either remnants left over from development, or they're vehicles for support. When a customer dorks his box, having the ability for a support person to fix stuff easily beats having to flatten-and-reload (or RMA) the box. These kinds of maintenance accounts have existed on gear for decades, and these machines are supposed to be on a protected network anyway.

Of course, this is a terrible idea from a security perspective (though it has merit from a support perspective), but it's silly to cast this in light of three-letter agencies when a far more plausible explanation is likely.

This erosion of trust is really awful.

Steve

DB • May 30, 2014 3:28 PM

@Steve Friedl

It doesn't matter if the original intended purpose of the "backdoors" is only for support... when TLAs and hackers are able to use those very accounts to do whatever they want to any machine they want. It is the same outcome as if those accounts were specifically created for TLA and hacker use. The creators of these things need to think a bit more about security! The erosion of trust is completely fair, in fact trust was never warranted in the first place.

Steve Friedl • May 30, 2014 3:40 PM

My comments go to motives, not to effects; it matters.

They clearly shouldn't be doing this, they're clearly not thinking about security, they clearly have to fix it, but it's not sinister: merely foolish.

DB • May 30, 2014 4:28 PM

@Steve Friedl

Maybe motives matter in what severity of punishment they should get... but not whether they should get it or not, nor what should be done to fix it. :)

The thing is, these kinds of "backdoors" supposedly meant for "other" purposes (like support) are seemingly so common, that it seems almost impossible that none of them anywhere are government-influenced in any way. So I think at least being highly suspicious of it, and conducting full investigations of it are completely warranted.

Michael Kohne • May 30, 2014 8:01 PM

You mean that the security and software QA of expensive software products sold only to a niche market and generally kept out of the public eye is lacking?

Say it ain't so!

Oh wait, of course it's so.

Even software sold widely, with diverse users poking at it and huge profit margins is generally crap. Why would anyone expect anything more from these guys?

Sepp • May 31, 2014 4:43 AM

@Bob S.
Zonealarm was phoning home, much before it was sold to Checkpoint, and it was doing so in the open, for totally legit purposes, so on, as you'd have found out if you'd bothered to sniff the traffic.

@Shachar Shemesh
Taking this opportunity to thank you for rsyncrypto.

Alex • May 31, 2014 8:55 AM

Regarding TrueCrypt, I'd say probably Microsoft bought them out in a smart marketing movement.

Sepp • May 31, 2014 2:09 PM

@Bob S.
Encrypted now, as it should, not ten years ago. If you fear it, consider refraining from using Gmail, Facebook, Firefox, Yahoo, Comodo, ZA, Windows or even the https version of this blog. All open encrypted channels to server.

from_KS • June 2, 2014 3:38 AM

(I live next to one of Nice's development centers in Raanana/Kfar Saba.) As an Israeli working in high tech for over twenty years, I have to second Shachar Shemesh's opinion that this is most likely the result of typical Israeli hubris rather than intentional weakening.

The company I work for is in the process of introducing technology to prevent copying/reverse engineering into its products. The head of this process is an engineer with no security mindset. 'Nuf said (runs for antacid)...

Major Variola • June 2, 2014 9:54 AM

Some seriously dead canaries and it isn't some hybrid flu strain.

Of course, if you own DNS...
Or a cert authority in DC...
Or use code that likes to goto fail a bit too often
Or grants arbitrary access to /dev/mem

One day they will license and register compilers like they did typewriters...
And running software unapproved by the State will be immediate evidence of a crime, copyright terrorism or whatever..

Your rights are as solid as the cloud they exist in..
Or the fog of the great BGP wars..

.........
Was John Galt a Truecrypt developer?

Mike the goat (horn equipped) • June 2, 2014 11:32 PM

Major: who is John Galt? (Chorus: "we are")

All: while some would argue that a backdoor existing in surveillance software purveyed by an Israeli company called "Nice" is humorous, I often wonder why there is always so little effort to hide these kinds of actions. Sure, you can buy the line about them being used during development and then somehow "forgotten" when it comes to public release (like the D-Link router backdoor), but in any case it is poor form and destroys the security of everyone - friends as well as adversaries.
