Security experts have claimed that the voice recording systems used by the UK emergency services contain security flaws that could be exploited by hackers.
The Nice Recording eXpress system could allow cyber criminals to expose 999 calls, listen to conversations or leak evidence that could be used in court, claims security consultancy SEC Consult.
The firm warns that the Nice software, which was formerly known as Cybertech eXpress, contains a root backdoor that enables unauthorised access to voice recordings, adding that organisations should stop using the program until the flaws have been fixed.
“Attackers are able to completely compromise the voice recording/surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication,” says an advisory released by SEC Consult.
“Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network set-up,” it adds.
“Numerous Flaws Discovered”
The advisory lists a number of flaws it says it found in its review of the Nice software, including:
- a user account in the MySQL database that doesn’t show up in the user administration menu
- multiple SQL injection vulnerabilities
- multiple cross-site scripting flaws
- insufficient authorisation of administration level functions.
According to SEC Consult, these issues could allow an attacker to access sensitive calls, in some cases undermining criminal cases or leaving witnesses exposed when key evidence is leaked.
It also claims that the security flaws are more significant because Israeli software provider Nice Systems also offers CRM (customer relationship management) systems with “lawful interception” technology.
Since the issues were revealed, the vendor has responded to the claims, stating that it welcomes tests of this nature on its behalf or on behalf of its customers and updates clients with new information.
“We have been addressing the issues based on priority and can confirm that we have already resolved almost all of them and expect the remaining fixes to be completed shortly,” claimed Nice Systems.
“We do not believe any of our customers have been impacted by the items raised in this report, as these systems are deployed in a very secure environment and are not accessible outside of the organisation,” it added.