The Daily Lobo The Independent Voice of UNM since 1895

SafeConnect now fixed through legal curiosity

Editor,

On Monday, the Daily Lobo printed an opinion letter written by us regarding SafeConnect, and on Tuesday there was an article about it. We wanted to write a follow-up letter to discuss the different versions of SafeConnect as we understand them.

The first version of SafeConnect, which we analyzed in June 2011, was version 4250.121. This version had a vulnerability which was so blatant and serious that it suggested to us a gross misunderstanding of networking and cryptography on the part of the software’s creators. It also had a basic architectural design issue that made it prone to many types of vulnerabilities.

In July we notified UNM IT of this vulnerability. Representatives asked us to test a newer version, version 5036.223. Version 5036.223 had attempted to fix the vulnerability, but due to a basic error in logic, the vulnerability persisted. The basic architectural design issue still existed.

Before we submitted our original opinion letter to the Daily Lobo, we checked the versions that UNM IT was distributing on the LoboWifi wireless network and on its website, finding 5036.223 and 4250.121, respectively.

On Tuesday, the day after the Daily Lobo published our original letter, our SafeConnect test machine was finally upgraded to a new version, version 5059.242. We are still analyzing version 5059.242, but it does seem to address the basic architectural design issue. This protects users from the type of vulnerability that we found in the other versions.

Our decision to move forward with alerting the UNM community about the vulnerability was based on our belief that software such as SafeConnect is fundamentally not secure in any version. Users must take responsibility for the security and privacy of their own systems; running software which has its security rooted in secrecy rather than sound practices is not something we condone.

We’re happy to see that UNM IT is taking the lead in notifying other universities who are running unsafe versions of SafeConnect.

We’re not aware of any efforts by the vendor to give any such notifications.

Were it not for our legal right as researchers to reverse-engineer SafeConnect to reveal its encryption key and decrypt its network traffic, how would the UNM community as a whole have known that we had been vulnerable for so long?

Jeffrey Knockel and Jed Crandall
UNM staff and student
