Report: UK businesses are less secure when using police-endorsed cyber security tool

Police CyberAlarm logo
(Image credit: NPCC)

An independent cyber security researcher has dissected a prevalent vulnerability scanning and network monitoring tool used by the UK Police and labelled it “woefully unsecured”.

The Police CyberAlarm tool was launched in November 2020 at no cost to businesses who wished to use it. The Home Office-funded tool aimed to gather valuable data on the suspicious threats targeting businesses and feed it into police intelligence.

A long line of security vulnerabilities was discovered by information security consultant Paul Moore over the course of an 18-month analysis of both a pre-release and final production version of the Police CyberAlarm tool.

Among the many vulnerabilities was the leakage of passwords in plain text. Moore didn’t detail what kind of passwords could be fetched but claimed Pervade, the software’s developer, made the situation worse after he originally highlighted security issues back when Police CyberAlarm launched in 2020.

Moore first raised the issue of Pervade implementing the SHA256 hashing algorithm for passwords in 2020 which, he said, is not “secure or appropriate for password storage”. Some believe SHA256 and also SHA512 are not secure enough and the encryption can be brute-forced with modern hardware.

Since making the first report, Moore recently observed that a logic flaw was present in the index.php file that allows plain text passwords to be sent to and returned from the software’s central API.

The central API is also unauthenticated, Moore said, which could allow an attacker to make a request using the data collector’s ID and it will return information including names, email addresses, telephone numbers, what IP addresses the tool scans, as well as the plain text passwords.

The flaw also presents the potential for an attacker to intercept the tool’s vulnerability reports. If the tool found a vulnerability, or even a zero-day exploit, and returned it to the business in the form of a report, an attacker could feasibly set the report’s target email address to their own.

Intercepting such reports could prevent the business, organisation, and Police from gathering important data on threats that could ultimately be used to launch further attacks.

Other security issues with Police CyberAlarm included poorly implemented cryptography in other areas of the app, unsecure session tokens, and password authentication not being timing-safe, among others.

Moore said the tool was not only high unsecured but the actions and response from Pervade were “incompetent”.

Moore claimed that both the NPCC and Pervade were “defensive and dismissive” when he originally came to disclose his findings in 2020, but in recent dealings with the NPCC, Moore said the organisation made “every effort to validate and rectify the issues” and even revoked member access to the aforementioned Police CyberAlarm area within an hour of their first call.

IT Pro has contacted both the NPCC and Pervade and received a response only from the NPCC’s National Cybercrime Programme.

“The Police CyberAlarm team was contacted by a security consultant relating to potential vulnerabilities within the Police CyberAlarm system,” said the NPCC to IT Pro.

“The team has engaged with the individual directly and facilitated a meeting between him and CREST STAR and NCSC-approved CHECK cyber security company who are fully investigating. As with all security concerns, we thank the individual for bringing them to our attention.

“We have switched off member access to one area of Police CyberAlarm as a precaution whilst we investigate further. We are confident that no breach has occurred, and member organisations and data remain secure.

“We will continue to ensure the security of the system by working with the provider and our partners to maintain our own robust internal testing process, as well as with CREST STAR and NCSC-approved CHECK independent cyber security companies.”

The National Cyber Security Centre (NCSC) is aware of the research but the cyber security authority has not announced any proposed action in response since its role is to provide expert advice rather than take action on individual security decisions made by other organisations.

In the meantime, Moore suggests all organisations uninstall Police CyberAware and change their passwords, adding that the risk of using the software is higher now than it was when it first launched.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.