Remotely Exploitable Flaws Haunt Lawful Intercept Surveillance Gear


Reefa

The small, but growing, group of companies that supply so-called lawful intercept gear to intelligence agencies and law enforcement organizations around the world have operated mostly under the radar until very recently. Their products are used to record and scrutinize the communications of suspected criminals and terrorists, but now they’re finding that their products are coming under scrutiny by the security research community.

One of the companies engaged in selling this surveillance gear is NICE Systems, a New Jersey firm with several subsidiaries. The company sells a variety of products, some of which are designed to “retrieve target location, relations and conversation content from any type of communication including fax, fixed and mobile telephony, and Internet applications”. Researchers at SEC Consult, a security consultancy, discovered a wide variety of vulnerabilities in some of NICE’s lawful intercept products that allow remote, unauthenticated attackers to retrieve and listen to voice recordings of any user through database and system level access to the products.

There are nine separate vulnerabilities in the NICE Recording eXpress voice recording product, the most serious of which are a root backdoor account and remote, unauthenticated access to voice recordings on the affected products.

“Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication. Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup,” the SEC Consult advisory says.

The researchers initially contacted NICE about the vulnerabilities in mid-December and went through a long process of going back and forth with the vendor about the bugs, which products were affected and when patches would be released. After more than six months without a full resolution, SEC Consult released its advisory on Wednesday. At least five of the vulnerabilities remain unpatched, including the unauthenticated access to voice recordings.

That vulnerability would essentially allow any attacker to access and listen to recordings of targets’ calls.

“For example, unauthenticated attackers are able to gain access to exported lists of user accounts that are being monitored/recorded. Attackers gain access to detailed information such as personal data like first/last name, email address and username/extension,” the advisory says.

“Furthermore it is possible to gain _unauthenticated_ access to recorded voice calls of other users. Those calls will be stored in a temporary directory, if they have been accessed by a user via integrated media player in the web interface.”

In addition to that flaw, the root backdoor bug also could provide an attacker with easy access to the products.

“The MySQL database table “usr” contains a “root” user with USRKEY / user id with administrative access rights. This user account does NOT show up within the “user administration” menu when logged in as administrator user account in the web interface. Hence the password can’t be changed there,” the advisory says.

Officials at NICE did not respond to a request for comment. :P

Source
