Emergency 999 Calls System "Vulnerable" To Hackers

Jun 03, 2014

Security experts have claimed the voice recording systems used by the UK emergency services contain security flaws that could potentially be exploited by hackers.

The Nice Recording eXpress system could allow cyber criminals to expose 999 calls, listen to conversations or leak evidence that could be used in court, claims security consultancy SEC Consult.

The firm warns that the Nice software, which was formerly known as Cybertech eXpress, holds a root backdoor that enables unauthorised access to voice recordings, adding that organisations should stop using the programme until the flaws have been fixed.

“Attackers are able to completely compromise the voice recording/surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication,” says an advisory released by SEC Consult.

“Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network set-up,” it adds.

“Numerous Flaws Discovered”

The advisory lists a number of flaws it says it found in its review of the Nice software, including:

  • a user account in the MySQL database that doesn’t show up in the user administration menu
  • multiple SQL injection vulnerabilities
  • multiple cross-site scripting flaws
  • insufficient authorisation of administration level functions.

According to SEC, these issues could allow an attacker to access sensitive calls, in some cases undermining criminal cases or leaving witnesses exposed when key evidence is leaked.

It also claims that the security flaws take on added significance because Israeli software provider Nice Systems also offers CRM (customer relationship management) systems with “lawful interception” technology.

Problems Now Solved

Since the issues were revealed, the vendor has responded to the claims, stating that it welcomes tests of this nature on its behalf or on behalf of its customers and updates clients with new information.

After initially claiming that it was seeking to resolve the issues, it has now announced all problems have been fixed and no reports of customers being affected have been received. 

"Nice Systems announced that as of 2 p.m. EDT today, they have made available a new release that includes the remaining fixes to the issues in the NICE Recording eXpress, Cybertech eXpress and Cybertech Myracle products, identified in a recent consulting report. Nice is currently notifying customers, none of whom have reported any issues," it claimed.

Organisations such as Police Scotland and Greater Manchester Fire and Rescue service are users of Nice Recording eXpress.

© 24N.biz 
