May 28, 2014

If your company’s core business is making software designed to help first responders and police record and intercept phone calls, it’s probably a good idea to ensure the product isn’t so full of security holes that it allows trivial access by unauthorized users. Unfortunately, even companies working in this sensitive space fall victim to the classic blunder that eventually turns most software into Swiss Cheese: Trying to bolt on security only after the product has shipped.

phonetapFew companies excel at showcasing such failures as SEC Consult Vulnerability Lab, a software testing firm based in Vienna, Austria. In a post last year called Security Vendors: Do No Harm, Heal Thyself, I wrote about Symantec quietly fixing serious vulnerabilities that SEC Consult found in its Symantec Web Gateway, a popular line of security appliances designed to help “protect organizations against multiple types of Web-borne malware.” Prior to that, this blog showcased the company’s research on backdoors it discovered in security hardware and software sold by Barracuda Networks.

Today’s post looks at backdoors and other serious vulnerabilities SEC Consult found in products made by NICE Systems, an Israeli software firm that sells a variety of call recording solutions for law enforcement, public safety organizations and small businesses. According to SEC Consult, NICE’s Recording eXpress — a call recording suite designed for small and medium-sized public safety organizations (PDF) — contains an undocumented backdoor account that provides administrator-level access to the product.

“Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication,” wrote Johannes Greil and Stefan Viehböck of SEC Consult. “Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup.”

According to the security firm’s advisory, these and a slew of other security security holes likely also exist in Cybertech eXpress and Cybertech Myracle, older NICE products aimed at corporations seeking call recording software for customer service, training and verification.

NICE did not immediately respond to requests for comment. SEC Consult says the company has fixed the backdoor and a few other issues via a recent security update, but that serious other flaws remain unaddressed (including multiple unauthenticated SQL injection issues).

A section of the NICE Web site says the company also “provides Law Enforcement Agencies (LEAs) with mission-critical lawful interception solutions to support the fight against organized crime, drug trafficking and terrorist activities.” While the SEC Consult didn’t examine these technologies, NICE’s track record here doesn’t exactly instill confidence that those systems are any more secure.

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley, said the NICE case is the classic worry of all those who write security monitoring software.

“If an attacker takes control, the monitoring software can easily be turned against the installer,” Weaver said. “So many critical programs exist in shadows: never discussed, never audited, and never known. For many of these programs, whenever a researcher illuminates them, discoveries like this seem almost inevitable.”

Update, May 29, 3:54 p.m. ET: NICE just issued the following statement:

“External consulting firms often conduct such tests on our behalf, or on behalf of our customers, and we welcome these activities. If an issue is brought to our attention, we actively address it, as we have done in this instance. In accordance with our regular communications, we are in touch with our customers and partners about all product updates.”

“We have been addressing the issues based on priority, and can confirm that we have already resolved almost all of them, and expect the remaining fixes to be completed shortly. We do not believe any of our customers have been impacted by the items raised in this report, as these systems are deployed in a very secure environment and are not accessible outside of the organization.”

“A number of media reports inaccurately indicate that there is a root backdoor vulnerability with its NICE eXpress, Cybertech eXpress and Cybertch Myracle products. We ask media to refer to the entry of April 3, 2014 within the report which itself indicates that this issue has been fixed.”

20 thoughts on “Backdoor in Call Monitoring, Surveillance Gear

  1. Craig

    The next question is whether this NICE backdoor was the result of ineptitude or whether it was put there intentionally to facilitate access by Israeli intelligence. I doubt the NSA is the only government intelligence service in the world that works with vendors in its home country to make its work easier.

    1. SeymourB

      Most of the time it’s far more innocuous than that… it’s just an account the programmer or programming team created during development that was never removed in the rush to ship the product. Management never provides enough time at the end of the project to adequately test & patch & redress issues, so low priority tasks like a testing code review end up being trashed in the rush to fix all the massive bugs that exist prior to shipment.

      1. Christian Stork

        While I agree with your contention that most of the time such vulnerabilities are completely innocuous, one cannot discount the history of NICE Systems, its connections to Israeli intel (it was started by veterans of Unit 8200), and Israeli SIGINT operations within the United States. US Counterintelligence has long had NICE Systems on their radar, ever since an employee of theirs (later confirmed as an Israeli operative) was arrested posing as an art student while scouting DEA facilities in early 2001. This has been well-documented. The last book in James Bamford’s NSA trilogy has some good information on it.

  2. G.Scott H.

    If similar holes are found in the LEA interception software, that raises a question concerning evidence authenticity. A good defense lawyer could ask that in light of the security holes the authenticity of evidence be proved.

  3. Dick H

    Yet another good reason why testing accounts should be be disabled using compilation techniques in the final product.

    Don’t forget a comprehensive test run against both the test environment and an upgraded production environment as well as a cleanly installed production environment to ensure that nothing remains enabled in the production code.

  4. Richard Steven Hack

    When one realizes that the CALEA system used by US law enforcement was in fact compromised by Israelis to the point where the Israeli firm involved was removed from the list of approved Federal suppliers, and where the FBI threw a fit about it, this backdoor becomes MUCH more likely to have been deliberate.

    Israeli Spying in the United States

    The fact is that Israel has learned the best way to spy on other countries is to be the country that develops much of the security hardware and software that other countries use to spy on themselves and others.

    1. James

      You can’t know that about this software until there’s evidence, mistakes happen, e.g. see: Heartbleed – and a lot of the time Hanlon’s razor can apply.


    These software back-doors more then likely have already been exploited by the NSA.

  6. S. Scott

    I have often considered that just about all third party solutions offered to support the primary package will deliberately allow an access porthole to guarantee their intellectual property rights on their products.

    Possibly these back doors, if deliberate, are indeed designed to maintain control over intellectual property rights in the advent of “copying” and “on-selling” or other breech of license conditions.

    …just thoughts

    1. Einstine

      You’re thinking way to much. If you’re not doing anything illegal, then who cares who’s listening. this whole circus charade you call the internet could disappear in a moment, and it wouldn’t bother me one bit. I’m adaptable to change. the real question is, are you?

      1. maj1339

        you seem to have missed tha argument, that when given unlimited access to such software one could inject false evidence and make it easy for someone else to prove you guilty of terrorism. then you go to guantanamo for being innocently framed. how about that, smartypants?

  7. Steve TinFoilHat

    A Lavabit style exit? The first sentence has unusual phrasing. If you capitalise some letters there might be a hidden message…

    using truecrypt is (N)ot (S)ecure (A)s it may contain unfixed security issues

    Or it might just be written by someone who constructs sentences differently from me.

  8. JCitizen

    I’m waiting for a point where the businesses world wide boil over at both ineptitude and nation state spying; as they need to feel that they can conduct business with some certainty that their plans remain behind the board room door. They are not going to give a damn if the NSA, any national interest, or ANY agency seems to think they all know what is good for us. It is going to be a fact that no world wide corporation should trust ANYONE to its business model. Mark my words this is going to back fire someday soon, if it hasn’t begun already.

  9. Stuart Ward

    The biggest market for NICE systems is in the call centers, here they can be recording credit card transactions as callers give their details to an agent for payments. Not as sexy as the use you mention but probably more lucrative.

  10. Mike Rogers

    The message on TrueCrypt’s new website got me thinking:
    Using TrueCrypt is not secure as it may contain unfixed security issues

    Let’s isolate the first letter of each word:
    (U)sing (T)rueCrypt (i)s (n)ot (s)ecure (a)s (i)t (m)ay (c)ontain (u)nfixed (s)ecurity (i)ssues


    Let’s spread that!
    uti nsa im cu si

    That is latin for
    “If I wish to use the NSA”

    Stay away from future Truecrypt releases. This is clearly a warning from the developers.

    1. Dave Horsfall

      I’d like to see that Latin independantly verified. If true, it would be truly remarkable.

      — Dave

  11. Andrew Zwicker

    This is such a fantastic piece of information. Its gonna really help those people who are finding it tough to go for online electronic equipment. Thanks a lot

Comments are closed.