‘Panic Button’ could be pressed by miscreants, repeatedly
The Rave Panic Button app, designed to allow businesses to summon emergency services, let miscreants easily ‘swat’ targets by making false reports of emergencies, says security researcher Randy Westergren.
The app has a small install base of up to 10,000 users; its developers have since closed the holes Westergren identified.
The vulnerabilities allowed businesses to place a series of rapid 911 calls reporting active shooters, fires and other threats. Because it’s aimed at businesses, the app also sends emergency services building plans and alerts staff to threats. Westergren says the app could therefore cause plans to be sent to unknown parties, and staff spooked by phantom emergencies.
Westergren found serious holes in the app that allowed external attackers to lodge false emergency call outs, an act similar to swatting – maliciously summoning SWAT teams – if attackers were to select the app’s active shooter option.
“As I reviewed the code, I began to realise the product had been designed without a fundamental concern for security — an extremely concerning issue given the nature of the app and how easily attackers could abuse it,” Westergren says.
“Not only were bad actors able to view and collect sensitive data about users and facilities, they would also be able to impersonate users and make requests on their behalf.
“An attacker would be able to spoof panic calls to legitimate facility locations; he could even interfere with real-life emergency panic calls.”
Westergren found hardcoded plaintext authentication values that gave rise to easy spoofing attacks.
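The defect described above, a credential shared by every copy of the client, is worth seeing next to the fix. The following is an added illustration, not code from the Rave app or from Westergren's write-up: the secret, the facility names and the per-user keys are all constructed placeholders. The weak server trusts any request that carries the static value, so the caller's claimed identity is never checked; the hardened server needs a per-user HMAC over the identity, action, timestamp and nonce, and also rejects stale and replayed requests.

```python
import hashlib
import hmac
import time

# Constructed placeholder standing in for a credential baked into every copy of
# a client. Anyone who extracts it from one install can speak for every user.
HARDCODED_SECRET = "PLACEHOLDER-STATIC-APP-SECRET"


def weak_server_accepts(request: dict) -> bool:
    """Weak scheme: trust any request that carries the static secret.

    The server never learns who sent it, so the 'user_id' field is taken on
    faith and impersonating another facility is trivial.
    """
    return request.get("secret") == HARDCODED_SECRET


# Hardened scheme: one key per enrolled facility, issued at enrolment and held
# only by the server and that facility's device (constructed sample keys).
USER_KEYS = {
    "facility-42": b"constructed-key-for-facility-42",
    "facility-77": b"constructed-key-for-facility-77",
}


def sign_request(user_id: str, action: str, ts: int, nonce: str, key: bytes) -> str:
    """Client side: HMAC-SHA256 over identity, action, timestamp and nonce."""
    msg = f"{user_id}|{action}|{ts}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks identity, freshness, replay and signature."""

    def __init__(self, keys: dict, max_skew: int = 60):
        self.keys = keys
        self.max_skew = max_skew      # seconds of clock drift tolerated
        self.seen_nonces = set()      # (user_id, nonce) pairs already honoured

    def accepts(self, request: dict, now=None) -> bool:
        now = int(time.time()) if now is None else now
        key = self.keys.get(request.get("user_id"))
        if key is None:
            return False              # unknown identity
        if abs(now - request["ts"]) > self.max_skew:
            return False              # stale or future-dated request
        nonce_key = (request["user_id"], request["nonce"])
        if nonce_key in self.seen_nonces:
            return False              # exact replay of an earlier call
        expected = sign_request(request["user_id"], request["action"],
                                request["ts"], request["nonce"], key)
        if not hmac.compare_digest(expected, request["sig"]):
            return False              # forged or tampered
        self.seen_nonces.add(nonce_key)
        return True


def demo() -> dict:
    """Run both schemes against the same spoof attempt; returns outcome flags."""
    now = 1_700_000_000
    # Outsider holding only the static secret claims to be facility-42.
    spoof_weak = {"user_id": "facility-42", "action": "active_shooter",
                  "secret": HARDCODED_SECRET}
    # Same outsider against the hardened server: no per-user key, so the
    # signature is made with a guessed key.
    spoof_strong = {"user_id": "facility-42", "action": "active_shooter",
                    "ts": now, "nonce": "n1",
                    "sig": sign_request("facility-42", "active_shooter", now, "n1", b"guess")}
    # The real facility signs with its own key.
    legit = {"user_id": "facility-42", "action": "active_shooter", "ts": now, "nonce": "n2"}
    legit["sig"] = sign_request("facility-42", "active_shooter", now, "n2", USER_KEYS["facility-42"])
    stale = dict(legit, nonce="n3",
                 sig=sign_request("facility-42", "active_shooter", now, "n3", USER_KEYS["facility-42"]))
    v = Verifier(USER_KEYS)
    return {
        "weak_accepts_spoof": weak_server_accepts(spoof_weak),
        "strong_rejects_spoof": not v.accepts(spoof_strong, now),
        "strong_accepts_legit": v.accepts(legit, now),
        "strong_rejects_replay": not v.accepts(legit, now + 5),
        "strong_rejects_stale": not v.accepts(stale, now + 600),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point of the contrast is that a hardcoded value proves only that the caller has a copy of the app, which every user and anyone who decompiled it already has; a per-user key bound into a signed, timestamped, single-use request proves which enrolled facility is calling, so a panic call cannot be lodged on someone else's behalf or replayed later.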
Developers fixed the flaws in about six weeks, but Westergren still recommends users uninstall the app, citing suspicions that other parts of the system could have similar security shortfalls.
“… it remains highly concerning that the software was released in this condition at all,” the hacker says.
“Since it’s probable that other components of the system have been designed with similarly insufficient security measures, I would recommend customers of Rave’s Panic Button immediately suspend its use.” ®