UPDATE–The small, but growing, group of companies that supply so-called lawful intercept gear to intelligence agencies and law enforcement organizations around the world have operated mostly under the radar until very recently. Their products are used to record and scrutinize the communications of suspected criminals and terrorists, but now they’re finding that their products are coming under scrutiny by the security research community.
One of the companies engaged in selling this surveillance gear is NICE Systems, a New Jersey firm with several subsidiaries. The company sells a variety of products, some of which are designed to “retrieve target location, relations and conversation content from any type of communication including fax, fixed and mobile telephony, and Internet applications”. Researchers at SEC Consult, a security consultancy, discovered a wide variety of vulnerabilities in some of NICE’s lawful intercept products that allow remote, unauthenticated attackers to retrieve and listen to voice recordings of any user through database and system level access to the products.
There are nine separate vulnerabilities in the NICE Recording eXpress voice recording product, the most serious of which are a root backdoor account and remote, unauthenticated access to voice recordings on the affected products.
“Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication. Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup,” the SEC Consult advisory says.
The researchers initially contacted NICE about the vulnerabilities in mid-December and went through a long process of going back and forth with the vendor about the bugs, which products were affected and when patches would be released. After more than six months without a full resolution, SEC Consult released its advisory on Wednesday. At least five of the vulnerabilities remain unpatched, including the unauthenticated access to voice recordings.
That vulnerability would essentially allow any attacker to access and listen to recordings of targets’ calls.
For example, unauthenticated attackers are able to gain access to exported lists of user accounts that are being monitored/recorded. Attackers gain access to detailed information such as personal data like first/last name, email address and username/extension,” the advisory says.
“Furthermore it is possible to gain _unauthenticated_ access to recorded voice calls of other users. Those calls will be stored in a temporary directory, if they have been accessed by a user via integrated media player in the web interface.”
In addition to that flaw, the root backdoor bug also could provide an attacker with easy access to the products.
“The MySQL database table “usr” contains a “root” user with USRKEY / user id with administrative access rights. This user account does NOT show up within the “user administration” menu when logged in as administrator user account in the web interface. Hence the password can’t be changed there,” the advisory says.
Officials at NICE said they have been working on these issues and have been in communication with their customers and partners about them.
“We have been addressing the issues based on priority, and can confirm that we have already resolved almost all of them, and expect the remaining fixes to be completed shortly. We do not believe any of our customers have been impacted by the items raised in this report, as these systems are deployed in a very secure environment and are not accessible outside of the organization,” the company said in a statement.
NICE officials said on Friday that they have now released fixes for all of the remaining vulnerabilities.
“NICE Systems announced that as of 2 p.m. EDT today, they have made available a new release that includes the remaining fixes to the issues in the NICE Recording eXpress, Cybertech eXpress and Cybertech Myracle products, identified in a recent consulting report. NICE is currently notifying customers, none of whom have reported any issues,” the company said.
This article was updated on May 29 to add the statement from NICE. It was update on May 30 to add the second statement from NICE.