School monitoring software’s hard-coded encryption key exposed

Impero Software is the creator and seller of “Impero Education Pro”, a piece of software that’s used in many UK schools to monitor school computers for extremism, and notify teachers if it finds that pupils have been looking at web material that could fall under that category.

Education Pro is also a remote access system, meaning anyone who operates it has access to anything on the system, including any personal data that may be on it.

You would think that such a software would be well secured to prevent unauthorized, potentially malicious users from using it, and you would be wrong.

According to Forbes, researcher Zammis Clark discovered that the Impero platform was using a default hard-coded encryption key to authenticate clients to their server, effectively allowing anyone who gains access to the server to also gain access to all the machines connected to it – and all the sensitive data they contain.

“Given that schools have been affected with malware like CryptoLocker in the past, exploit kits or spearphishing could be a way for an attacker to get into a school network. Also, there’s the threat of someone inside such a school (a student perhaps) exploiting the vulnerability,” he said.

When he first publicly published the exploit on GitHub, he notified Impero Software about it and the company issued a fix. Unfortunately for them, it was easy for Clark to modify the PoC to bypass the fix, and he did so.

Not satisfied with the turn of events, the company has sent a legat threat via the legal firm Gateley, accusing him of copyright infringement, breach of contract, breach of confidence, and of damaging their bottom line and reputation. They requested that he take down the GitHub posting and Tweets telling the public about the matter – and he did.

The company has commented that the “hack could only be exploited if basic network security does not exist and if the attacker is physically present with local network access,” and has said that the initial hot fix was just a short term measure.

“Since then we have been working closely with our customers and penetration testers to develop a solid long term solution,” they noted, and added that “All schools will have the new version, including the long-term fix, installed in time for the new school term.”

Clark might have made the mistake of releasing PoC code before notifying the firm about it and allowing them time to solve the issue before he went public with it, but the fact that the company legally prevents anyone to reverse-engineer its software’s code is a bad thing for security researchers, users, and, I would argue, for the company itself in the long run.

Criminals are unlikely to comply with the ban, but security researchers like Clark could make their products safer – if they are allowed to.