Imagine a University policy which requires that you share access to any private computer you use at the University, such as your laptop, tablet or your computer in the dorms.
For example, when you use your computer on campus, a University network administrator is able to install arbitrary programs on your computer. When you use it at Starbucks, the baristas and their internet service provider (ISP) can read all of your files. When you stay in a foreign country’s hotel, the hotel staff, the local authorities and the country’s government can eavesdrop on your keystrokes and Internet sites that you visit.
In all of these cases, anyone who operates any network that you connect to has full control over your computer.
Although this policy is not written, it is the de facto policy created by a vulnerability that we recently discovered in SafeConnect.
SafeConnect is software that UNM requires to be installed on both Windows and Macintosh devices before they can be connected to certain University networks, including the LoboWifi wireless network and the dorms.
If you have SafeConnect installed on your computer, then wherever you use your computer, SafeConnect attempts to connect to one of UNM’s IT servers by sending information through internet routers.
Internet routers pass network information in pieces called packets from one router to another until they reach their destination. We have notified UNM IT of a vulnerability in SafeConnect that allows any router between the user and UNM IT’s server to take complete control of any user’s computer which has installed SafeConnect.
Some routers are small, such as the wireless router you connect directly to at Starbucks, and others are much larger, such as the national-scale routers of companies like Comcast and AT&T.
Routers can be controlled by not just companies and universities, but also by governments. Furthermore, anybody with which you share an internet connection, such as the other people in your department, the coffee shop or the hotel, can trick your computer into using theirs as a router.
When we last spoke to UNM IT, they were beginning the process of working with the SafeConnect vendor to have the vulnerability fixed. The vendor had apparently attempted to fix the vulnerability before we discovered it, but the vulnerability still exists in the newest version of SafeConnect.
Many UNM students and faculty are involved in research and other activities at home and abroad that make them targets for digital surveillance, such as global human rights activism or collaborative research with the national labs.
We are writing this letter because we feel it is necessary to let the UNM community know that any computer with SafeConnect installed is vulnerable on any network to which you connect.
The only workaround we can suggest is to uninstall SafeConnect and live with the inconvenience of not being able to connect to networks that require it.
In our research on global internet censorship and surveillance, a common theme is that users must take personal responsibility for the security and privacy of their own computers.
Just as other new technologies have led to increased responsibilities for the 21st century global citizen, we believe that taking personal responsibility for your own computing is essential to a democratic society. Network Access Control (NAC) software, such as SafeConnect, may appear to increase your computer’s security, but it is actually opening it up to a new dimension of threats.
We hope that readers will uninstall SafeConnect from their computers and consider alternatives to Windows and Macintosh.
We recommend an open-source operating system such as Ubuntu Linux, where a worldwide community develops the source code for the software in an open and transparent way so that the community of users knows everything the system is doing and there are no secrets lurking that only a select few know about.