The UK’s emergency services are using voice recording systems containing security flaws that could enable calls to be tapped by hackers.
According to Austrian security consultancy SEC Consult, easy-to-exploit flaws within NICE Recording eXpress – used by emergency services across the UK – could expose calls, enabling hackers to listen in to conversations and even leading to the leaking of evidence that could be used in court.
In an advisory, SEC Consult claims that the NICE software – formerly called Cybertech eXpress – contains a root backdoor enabling unauthenticated access to voice recording. The organisation has advised users to cease using the software until the flaws are fixed.
“Attackers are able to completely compromise the voice recording/surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication. Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network set-up.
“It is highly recommended by SEC Consult not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved,” according to the advisory.
It lists a number of flaws with the software, including a user account in the MySQL database that does not show up in the user administration menu and that provides root access to all the data.
It also claims there are multiple SQL injection vulnerabilities, multiple cross-site scripting flaws and insufficient authorisation of administration level functions – among a whole plethora of problems.
These flaws could enable an attacker to access sensitive calls that could be used as evidence in cases, which could undermine those cases or leave witnesses exposed.
The Isle of Man, Greater Manchester Fire and Rescue Service and Police Scotland are among the users of NICE Systems software.
The flaws are all the more acute because Israeli customer relationship management (CRM) software vendor Nice Systems also makes “lawful interception” technology.