Posts Tagged: Stefan Viehböck

May 14

Backdoor in Call Monitoring, Surveillance Gear

If your company’s core business is making software designed to help first responders and police record and intercept phone calls, it’s probably a good idea to ensure the product isn’t so full of security holes that it allows trivial access by unauthorized users. Unfortunately, even companies working in this sensitive space fall victim to the classic blunder that eventually turns most software into Swiss Cheese: Trying to bolt on security only after the product has shipped.

phonetapFew companies excel at showcasing such failures as SEC Consult Vulnerability Lab, a software testing firm based in Vienna, Austria. In a post last year called Security Vendors: Do No Harm, Heal Thyself, I wrote about Symantec quietly fixing serious vulnerabilities that SEC Consult found in its Symantec Web Gateway, a popular line of security appliances designed to help “protect organizations against multiple types of Web-borne malware.” Prior to that, this blog showcased the company’s research on backdoors it discovered in security hardware and software sold by Barracuda Networks.

Today’s post looks at backdoors and other serious vulnerabilities SEC Consult found in products made by NICE Systems, an Israeli software firm that sells a variety of call recording solutions for law enforcement, public safety organizations and small businesses. According to SEC Consult, NICE’s Recording eXpress — a call recording suite designed for small and medium-sized public safety organizations (PDF) — contains an undocumented backdoor account that provides administrator-level access to the product.

“Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication,” wrote Johannes Greil and Stefan Viehböck of SEC Consult. “Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup.” Continue reading →

Dec 11

New Tools Bypass Wireless Router Security

Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use.

At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses. According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.”

Setting up a home wireless network to use encryption traditionally involved navigating a confusing array of Web-based menus, selecting from a jumble of geeky-sounding and ill-explained encryption options (WEP, WPA, WPA2, TKIP, AES), and then repeating many of those procedures on the various wireless devices the user wants to connect to the network. To make matters worse, many wireless routers come with little or no instructions on how to set up encryption.

Enter WPS. Wireless routers with WPS built-in ship with a personal identification number (PIN – usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN in a network setup wizard designed to interact with the router.

But according to new research, routers with WPS are vulnerable to a very basic hacking technique: The brute-force attack. Put simply, an attacker can try thousands of combinations in rapid succession until he happens on the correct 8-digit PIN that allows authentication to the device.

One way to protect against such automated attacks is to disallow authentication for a specified amount of time after a certain number of unsuccessful attempts. Stefan Viehböck, a freelance information security researcher, said some wireless access point makers implemented such an approach. The problem, he said, is that most of the vendors did so in ways that make brute-force attacks slower, but still feasible.

Earlier today, Viehböck released on his site a free tool that he said can be used to duplicate his research and findings, detailed in this paper (PDF). He said his tool took about four hours to test all possible combinations on TP-Link and D-Link routers he examined, and less than 24 hours against a Netgear router.

“The Wi-Fi alliance members were clearly opting for usability” over security, Viehböck said in a instant message conversation with “It is very unlikely that nobody noticed that the way they designed the protocol makes a brute force attack easier than it ever should.”

Continue reading →