Last month researcher Zammis Clark (known online as ‘Slipstream’) discovered a security flaw in Impero Education Pro (IEP), a significant find given where the software is deployed.
IEP is widely used in UK schools to monitor and restrict students’ Internet activities. According to Slipstream, the flaw had the potential to expose the personal details of thousands of users to hackers.
Early last month the researcher announced his find on Twitter while noting that it would allow for remote code execution on all Windows clients. Within the tweet he posted a link to his proof-of-concept code.
“Unfortunately, when I asked about their security, nobody answered me. Some reversing later, looks like Impero is completely pwned amirite.”
Slipstream ultimately advised against using Impero’s product, but he says he didn’t immediately inform the company of the vulnerability.
“Not being a customer, I wouldn’t have known where to send it, or whether they’d even reply to me,” the researcher told TF. “And, given the severity of the issue, I figured that full disclosure would cause some sort of fix pretty quickly.”
In fact, that prediction proved correct, with Impero issuing a temporary security patch to fix the flaw.
“We immediately released a hot fix, as a short-term measure, to address the issue and since then we have been working closely with our customers and penetration testers to develop a solid long-term solution,” the company said.
“All schools will have the new version, including the long-term fix, installed in time for the new school term.”
However, Slipstream claims the patch wasn’t effective.
“Of course, their fix turned out to be inadequate. After speaking to Impero users on a forum who advised me to email Impero support, I did just that, responsibly disclosing to them exactly how their fix was inadequate and that I had an updated PoC that worked against it,” he told us.
At this point it appears that relations between Slipstream and Impero had already taken a turn for the worse. After disclosing the issues with the patch almost a week ago, this week he received a legal threat from the company.
“In breach of the license terms, you have modified the software without our client’s authority, you have decompiled the software for purposes otherwise than to achieve interoperability and you have published confidential information about our client’s software,” Impero’s legal team state.
“By publicising the encryption key on the internet and on social media and other confidential information, you have enabled anyone to breach the security of our client’s software program and write destructive files to disrupt numerous software systems throughout the UK.”
Impero’s lawyers say that Slipstream’s actions have caused “direct loss and damage” in addition to “reputational damage” and “potential damage” to numerous IT systems used by schools throughout the UK.
“The loss and damage to our clients caused by your activities is significant and will in any legal action taken in the civil courts be the subject of applications to the court for restraining orders to restrict you from further copyright infringement and breach of confidence as well as court orders for monetary compensation,” the letter adds.
After advising Slipstream to seek legal advice and setting a deadline of July 17, Impero’s lawyers suggest that the damage to their clients could be mitigated if the GitHub posting and all associated tweets are taken down. That has not yet happened.
Slipstream is disappointed by the threats and informs TF that taking action against researchers like himself could even prove counter-productive.
“Legal threats here would just be ‘shooting the messenger’ so to speak, and would discourage security researchers from actively reporting any issues,” he explains.
“Such legal threats to security researchers would certainly not prevent any malicious individuals from finding issues themselves, and using them for malicious purposes.”
Indeed, this last point is particularly relevant. Slipstream says that he knows someone who has found two other security issues in Impero’s software. Whether that person will be tempted to speak to the company, given its aggressive legal response, remains to be seen.