So Much For Lawful Interception Security

“Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication.”

Thus begins a security advisory which was posted not too long ago, detailing some critical security holes in a “lawful interception” software provider’s products.

This is important because when the government spies on you, it’s supposed to be private. After all, the argument is, “if you have nothing to hide from the law, surely you mind us taking a little look once we have a warrant?”

After all, the social cost of allowing warrant-authorized searches is presumably below the ‘threshhold’ since it’s not like your competitors or frenemies get to see the goods the authorities dig up on you. Assuming you’re innocent, your J. Edgar Hooverian bedroom habits stay between you and the G-men.*

* Stop laughing, this is a hypothetical ideal case

Well, all this breaks down if the systems the authorities to wiretap your ass are themselves vulnerable to outside penetration. Gone is the confessional-like sanctity of official investigation… now, since your private-sector adversaries might well be sniffing public-sector law enforcement, you may have to defend yourself from the cops even when the cops are just doing their job.

Worth noting: all this isn’t entirely new. Matt Blaze et al found some significant weaknesses in CALEA wiretaps [1], but those didn’t let 3rd-party n’er-do-wells spy on you like the cops did.

[1] http://www.crypto.com/blog/calea_weaknesses/

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140528-0_NICE_Recording_eXpress_Multiple_critical_vulnerabilities_v 10.txt

Advertisements
%d bloggers like this: