If your company’s core business is making software designed to help first responders and police record and intercept phone calls, it’s probably a good idea to ensure the product isn’t so full of security holes that it allows trivial access by unauthorized users. Unfortunately, even companies working in this sensitive space fall victim to the classic blunder that eventually turns most software into Swiss Cheese: Trying to bolt on security only after the product has shipped.
Few companies excel at showcasing such failures as SEC Consult Vulnerability Lab, a software testing firm based in Vienna, Austria. In a post last year called Security Vendors: Do No Harm, Heal Thyself, I wrote about Symantec quietly fixing serious vulnerabilities that SEC Consult found in its Symantec Web Gateway, a popular line of security appliances designed to help “protect organizations against multiple types of Web-borne malware.” Prior to that, this blog showcased the company’s research on backdoors it discovered in security hardware and software sold by Barracuda Networks.
Today’s post looks at backdoors and other serious vulnerabilities SEC Consult found in products made by NICE Systems, an Israeli software firm that sells a variety of call recording solutions for law enforcement, public safety organizations and small businesses. According to SEC Consult, NICE’s Recording eXpress — a call recording suite designed for small and medium-sized public safety organizations (PDF) — contains an undocumented backdoor account that provides administrator-level access to the product.
“Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication,” wrote Johannes Greil and Stefan Viehböck of SEC Consult. “Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup.” Continue reading →