
Report: UK businesses are less secure when using police-endorsed cyber security tool

The cyber security researcher called the developer of the free software "incompetent" and said the myriad flaws in the cyber crime-fighting monitoring tool left businesses more exposed to cyber attacks, not less

An independent cyber security researcher has dissected a prevalent vulnerability scanning and network monitoring tool used by the UK Police and labelled it “woefully unsecured”.

The Police CyberAlarm tool was launched in November 2020 at no cost to businesses that wished to use it. The Home Office-funded tool aimed to gather data on the threats targeting businesses and feed it into police intelligence.

A long list of security vulnerabilities was discovered by information security consultant Paul Moore over the course of an 18-month analysis of both a pre-release and the final production version of the Police CyberAlarm tool.

Among the many vulnerabilities was the leakage of passwords in plain text. Moore didn’t detail what kind of passwords could be fetched but claimed Pervade, the software’s developer, made the situation worse after he originally highlighted security issues back when Police CyberAlarm launched in 2020.

Moore first raised the issue of Pervade using the SHA256 hashing algorithm for passwords in 2020 which, he said, is not “secure or appropriate for password storage”. SHA256 and SHA512 are general-purpose hashes designed to be fast, and on their own they provide no salt and no work factor: a stolen table of such hashes can be attacked offline at billions of guesses per second on commodity GPUs, and every user who chose the same password shares the same hash. Password storage instead calls for a deliberately slow, salted key-derivation function such as bcrypt, scrypt, Argon2 or PBKDF2.

Since that first report, Moore has observed that a logic flaw in the index.php file allows plain text passwords to be sent to, and returned from, the software’s central API.

The central API is also unauthenticated, Moore said: an attacker who knows a data collector’s ID can simply request that collector’s record and receive names, email addresses, telephone numbers, the IP addresses the tool scans, and the plain text passwords.

The same flaw would let an attacker intercept the tool’s vulnerability reports. When the tool finds a vulnerability, or even a zero-day, in a member’s network it returns the finding to the business in the form of a report; with the API unauthenticated, an attacker could set the report’s target email address to one they control.

Intercepting such reports would deprive the business and the police of the threat data the scheme exists to collect, and would hand the attacker a ready-made list of the organisation’s known weaknesses to use in further attacks.

Other security issues Moore identified in Police CyberAlarm included poorly implemented cryptography elsewhere in the app, insecure session tokens, and a password check that is not timing-safe (a comparison that stops at the first mismatching byte, so response times reveal how much of a guess was correct), among others.
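The two storage weaknesses above, an unsalted fast hash and a non-constant-time comparison, are easiest to see side by side. The Python below is an added illustration written for this article; it is not code from Pervade or Police CyberAlarm, whose implementation is not public. The function names, the sample password and the small wordlist are constructed for the example, and the PBKDF2 work factor is the figure current OWASP guidance gives, not anything the article reports about the tool.

```python
"""Added example: an unsalted fast hash plus an ordinary string compare versus
a salted, slow KDF plus a constant-time compare. Illustrative code written for
this article, not Pervade's or Police CyberAlarm's implementation."""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# --- The weak scheme the article describes: plain SHA-256, then `==` ---------

def weak_hash(password: str) -> str:
    """Unsalted SHA-256. Equal passwords give equal digests, and a GPU can try
    billions of candidates per second against a leaked digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def weak_verify(password: str, stored_hex: str) -> bool:
    # `==` on str stops at the first differing character, so response time
    # leaks how much of the digest a guess got right (the timing-safety issue).
    return weak_hash(password) == stored_hex

def crack_unsalted(stored_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against an unsalted digest: one hash per guess,
    and the same work cracks every user who picked that password."""
    for candidate in wordlist:
        if weak_hash(candidate) == stored_hex:
            return candidate
    return None

# --- Hardened scheme: per-user salt, slow KDF, constant-time compare ---------

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor per OWASP guidance (assumed here)

def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Returns 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'. The salt is
    random per record, so identical passwords no longer share a digest and a
    precomputed table is useless; the iteration count makes each guess slow."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    """Recomputes the KDF with the stored salt and compares in constant time.
    Malformed records verify as False rather than raising."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # compare_digest takes the same time wherever the first mismatch is.
    return hmac.compare_digest(candidate, expected)

def guesses_per_second(hash_fn, seconds: float = 0.5) -> float:
    """Rough single-core guess rate, to show the cost gap between the schemes."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(f"guess{n}")
        n += 1
    return n / seconds

if __name__ == "__main__":
    # Constructed sample data: a "leaked" SHA-256 digest and a tiny wordlist.
    leaked = weak_hash("Summer2020!")
    wordlist = ["password", "letmein", "Summer2020!", "Winter2021!"]
    print("cracked from wordlist:", crack_unsalted(leaked, wordlist))
    record = strong_hash("Summer2020!")
    print("hardened record:", record)
    print("verify correct password:", strong_verify("Summer2020!", record))
    print("verify wrong password:  ", strong_verify("Summer2021!", record))
    print("SHA-256 guesses/s (this core): %.0f" % guesses_per_second(weak_hash))
    fixed_salt = b"\x00" * 16  # fixed only so the benchmark measures the KDF
    print("PBKDF2 guesses/s (this core):  %.2f"
          % guesses_per_second(lambda p: strong_hash(p, fixed_salt), 2.0))
```

Run it and the two guess rates differ by several orders of magnitude on one CPU core; against a GPU cluster the gap for the SHA-256 scheme widens further, which is the practical meaning of "not appropriate for password storage". Note that `strong_hash` called twice on the same password yields two different records, so an attacker holding the table cannot spot shared passwords.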

Moore said the tool was not only highly insecure but that Pervade’s actions and response were “incompetent”.

Moore claimed that both the National Police Chiefs’ Council (NPCC) and Pervade were “defensive and dismissive” when he originally disclosed his findings in 2020, but in recent dealings with the NPCC, Moore said the organisation made “every effort to validate and rectify the issues” and revoked member access to the affected area of Police CyberAlarm within an hour of their first call.

IT Pro has contacted both the NPCC and Pervade and received a response only from the NPCC’s National Cybercrime Programme.

“The Police CyberAlarm team was contacted by a security consultant relating to potential vulnerabilities within the Police CyberAlarm system,” said the NPCC to IT Pro.

“The team has engaged with the individual directly and facilitated a meeting between him and a CREST STAR and NCSC-approved CHECK cyber security company who are fully investigating. As with all security concerns, we thank the individual for bringing them to our attention.

“We have switched off member access to one area of Police CyberAlarm as a precaution whilst we investigate further. We are confident that no breach has occurred, and member organisations and data remain secure.

“We will continue to ensure the security of the system by working with the provider and our partners to maintain our own robust internal testing process, as well as with CREST STAR and NCSC-approved CHECK independent cyber security companies.”

The National Cyber Security Centre (NCSC) is aware of the research but has not announced any action in response; its role is to provide expert advice rather than to act on individual security decisions made by other organisations.

In the meantime, Moore suggests all organisations uninstall Police CyberAlarm and change any passwords they gave it, adding that the risk of using the software is higher now than it was when it first launched.
