Researchers at SEC Consult Vulnerability Lab discovered that Nice Recording eXpress lawful intercept software contains numerous flaws, including a backdoor.

Nice Recording eXpress voice-recording package software used by law enforcement to intercept communications of suspects under investigation contains various flaws, this is the discovery of security researchers at SEC Consult Vulnerability Lab.

The researchers have recently published an advisory to describe the flaws and warn that critical weaknesses could expose users to attacks that compromise investigations and the security of the agency networks.

“Attackers are able to completely compromise the voice recording/surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication,” “Furthermore, attackers would be able to use the voice recording server as a jump host for further attacks of the internal voice VLAN [virtual local area network], depending on the network setup.” said the researchers. 

The experts have found the vulnerabilities in the NICE Recording eXpress version 6.3.5, and according to the release notes published by the vendor all previous releases are affected too and only partial fixes have been released.

Among the numerous weaknesses of the lawful interception solution, provided by Israel-based Nice Systems and used by law enforcement, there is a worrying undocumented backdoor protected with a hardcoded password.

“1) root backdoor account (REC-5180 SR1093984 – subtask REC-5424)

The MySQL database table “usr” contains a “root” user with USRKEY / user id 1 with administrative access rights. This user account does NOT show up within the “user administration” menu when logged in as administrator user account in the web interface. Hence the password can’t be changed there. As a side note: Password hashes are shown in the user administration menu for each user within HTML source code.” reported the SEC Consult Vulnerability Lab researchers.

Apart the root backdoor account, many other vulnerabilities were discovered by the researchers, including:

  • unauthenticated access to sensitive files and voice recordings
  • multiple cross-site scripting flaws which allow attackers to obtain or impersonate other users’ sessions
  • multiple SQL injection flaws which allow attackers to access records
  • unauthenticated access which allows attackers to delete or modify data
  • low-privileged user access to other users’ sensitive data

The researchers are inviting the authorities to stop using the Nice Recording eXpress voice-recording package, they advised customers not use the solution “until a thorough security review has been performed by security professionals and all identified issues have been resolved.”

The Israeli company provided “mission-critical lawful interception solutions to support the fight against organized crime, drug trafficking and terrorist activities“, it serves also forensic investigators, banks, utilities, and healthcare providers.

n1

“NICE Recording eXpress is designed specifically for the audio recording needs of the small and medium sized Public Safety organisation. This advanced recording solution offers a comprehensive, advanced, easy-to-install and affordable platform built for the Public Safety environment and Command and Control operations delivering optimal recording functionality and quality management.” 

The researchers have contacted Nice representatives, but since two weeks ago they didn’t respond.

Due the high sensitive information managed by Nice Recording eXpress and its use, it is easy to predict that a large number of attackers will try to exploit the flaws.

Pierluigi Paganini

(Editor-In-Chief, CDM)

rsa-logo