Brit school software biz unchains lawyers after crappy security exposed
Bug hunter went full-disclosure with baked-in encryption key
Brit biz Impero unleashed its legal eagles after someone published details of a security cockup in its school network management software.
The disclosed design flaw in Impero's Education Pro can be exploited to execute commands and run malicious code on a school's Windows PCs.
Last month, a security researcher called Slipstream spotted the vulnerability in Impero's software, which is supposed to lock down school computer networks and control systems remotely. He published his findings on GitHub, with proof-of-concept exploit code written in PHP, which got Impero's attention, and the company released a patch.
According to Slip, Impero's software communicates using AES encryption with a single hardcoded key and initialization vector (IV). To authenticate, a client must send an encrypted fixed string over the network to the server. Once authenticated, the client can list available PCs, and send them commands to execute, we're told.
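The design described above, with the weak pattern beside a hardened alternative, as an added example that is not Impero's code or Slipstream's proof of concept. The key, IV, authentication string and secret below are constructed placeholders, and the challenge-response design is an assumed replacement, not the vendor's patch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Constructed stand-ins for a baked-in key and IV (not the real product's values).
var fixedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
var fixedIV = []byte("fedcba9876543210")                 // 16 bytes
const fixedAuthString = "AUTHENTICATE_ME!"               // 16 bytes, one AES block

// weakAuthToken models the flawed design: AES-CBC with a constant key and IV over a
// constant string. The output is byte-identical every time, so the "credential" is a
// static value shipped inside every client, cannot be rotated without a new build,
// and any single capture of it is enough to reproduce it.
func weakAuthToken() []byte {
	block, err := aes.NewCipher(fixedKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(fixedAuthString))
	cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(out, []byte(fixedAuthString))
	return out
}

// Hardened alternative (assumed design): the server issues a fresh random challenge,
// the client answers with an HMAC over it keyed by a per-deployment secret, and the
// server compares in constant time. A replayed answer fails because the challenge
// never repeats, and the secret can be provisioned per site rather than baked in.
func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func clientResponse(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

func serverVerify(secret, challenge, response []byte) bool {
	return hmac.Equal(clientResponse(secret, challenge), response)
}
```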
When Slipstream examined Impero's update to address the weak security, he found that the fix was "inadequate." He warned Impero via its technical support email address and, instead of receiving acknowledgement or any thanks, he got a letter this week from lawyers threatening to sue him for damages.
Specifically, Slipstream was accused of copyright infringement for publishing the software's hardcoded AES key and IV; breach of contract for apparently breaking the licensing terms of the software; and breach of confidentiality. Slip said he is not a user of the software.
"I didn't tell them about [the vulnerability] before posting it; but posting it did get them to attempt a fix," Slipstream told The Register. "Emailing their support about how their fix wasn't good enough got me nothing but a legal threat."
Slip's advisory gist disappeared from GitHub soon after the letter from Impero's lawyers Gateley arrived in his Yahoo! Mail inbox. El Reg has seen the full exploit, and withheld publishing specific details in the interests of responsible disclosure.
"We were made aware that someone had maliciously and illegally hacked our product, subsequently making this hack public rather than bringing it to our attention privately and in confidence," Impero told The Reg in a statement.
"While we actively encourage helpful feedback that contributes to the development of the product through regular focus groups and security workshops, the methods used to identify and communicate this particular issue were not legal and we shall be taking a firm stance. Impero Education Pro is designed to protect and safeguard children in schools, and any attempt to jeopardise this by illegally obtaining and publicising sensitive information will be dealt with appropriately."
Impero, based in Nottingham, England, reckons the flaw wasn't that serious, and said an attacker must first have local network access.
The case highlights the continuing tussle over responsible disclosure practices. Publicizing a flaw before it's fixed is controversial, but the stubbornness of some companies to address vulnerabilities, and the eagerness of others to call in the lawyers, is also counterproductive. ®