Attn: Statement regarding a Quad Cortex security vulnerability

I really think it’s the second part in this case, sending that information in an email.

Why did you email plaintext wifi passwords with crash/debug logs? First, I can’t imagine having a wifi password in debug logs provide any benefit to support staff to debug anything. Second, using email to store logs are a bad idea. You potentially have PII in there, it’s hard to provide ACL or audit controls against who on your support team or malicious actors access that email box and email is generally publicly accessible. Just setup an debug log API, with no methods to access that data and don’t send wifi passwords.

The storing of the plaintext password seems like a red herring. Here the password is a wifi password. The QC needs to be able to retrieve the plaintext password to send it to a router. An encrypted wifi password isn’t usable by a router. Sure you could encrypt it locally and decrypt it when you need to pass it to a router, but in this case the QC itself sent the password in debug logs. So even if it were encrypted, that wouldn’t have prevented the password leak. Encrypting the wifi password would prevent someone who had physical access to the QC from maybe pulling out the SD card, and assuming if they were able to read the data on the card and access the database on it, then it would prevent them from getting the plaintext password. That’s a pretty extreme attacker to get a single wifi password from a single device.

1 Like

I 100% agree. What possible purpose is served by sending a local Wi-Fi password to Neural? Even sending the Neural account password is of dubious utility when as you say a debug API or other methods are available that use much less risky and invasive methods for troubleshooting password mismatches as the cause of connectivity problems.

Also correct that employees working in support should as a rule never be privy to passwords of any sort. With the possible exception of when they handout “change on first login” temporary passwords. And even that approach has its vulnerabilities and is best avoided. All that aside though, everyone can probably agree they should NEVER EVER be sent via email in plain text where they can potentially be “sniffed” or just straight up viewed by the bad actors you referred to. They are also infinitely more, if perhaps not totally, secure when stored encrypted on corporate servers. Good points!

I don’t know if it’s true, but someone mentioned in the NDSP Discord that the Wifi password in the debug logs was part of a memory dump included in that report. So if true, the password was just in memory at the time of the dump, presumably to connect to your router. That would explain why it got sent. They didn’t think to sanitize that password from the report before sending it.

2 Likes

Understood, thanks for the info. So there is a good chance that the passwords were sent completely inadvertently and were never intended to be part of the troubleshooting process.

As you said, the QC needs to be able to send unencrypted passwords to connect to the router, so it will need a way of sending it in plaintext at some point.

The showing of it in logs and the subsequent sending if those logs via email will all have been an accidental oversight.
I’ve worked on projects before where we had to go through and deliberately hide passwords in logs because the default is just to show everything. So I assume this was something similar.

I’d suggest that WiFi is the red herring, really. Email addresses of all users were available, paired with WiFi passwords. The hack would be that some (very few) people would use the same password for WiFi as they do for all their accounts, at which point the breach is a lot more dangerous.

Mistakes happen. I think it’s equally fair to be tolerant of the error or to flip out over it. If I were using the same password for WiFi and email, I’d be very annoyed, even though my choice to do so would have been poor. My poor security would be my fault, but the breach wouldn’t.

I’m feeling tolerant of this one only because it wasn’t an executed hack and my email address / password isn’t currently in Russia / China (probably), rather it was a reported vulnerability. Luck.

Discussion on the NDSP Discord suggests that this security hole was reported to Neural three months ago. What’s the truth?

From your job history it didn’t sound as though this was your first day on the internet. Welcome! :rofl:

1 Like

I saw this claim as well and would have to see some more proof before accepting this as being true. Until then I am viewing this as nothing more than a rumor. If it is true, then obviously Neural needs to be much more proactive than they appear to have been at the moment.

1 Like

It’s sad but true (no pun intented) I’ve been in contact with NDSP be looking into solutions for handling and rewarding stuff like this in the future. They haven’t been honest about that part which I find a little disappointing since it’s the customers right to know this stuff imho.
And yes, I got an answer by a dev confirming they where going to look into this about a week later. But for that, someone else had to demand through Instagram DM’s to the NDSP page to look into the mail, before that I didn’t get any response on it.

According to NDSP this was going to be fixed in the 2.1.0 update but my gut says no. And even if that were true, that would’ve been problematic since that update is probably months out. So that would mean almost half a year needed to patch something very simple.

Only thing I can say is that this was handled very poorly, and I really hope this will change for the better.

7 Likes

Hard to sort through exactly how long it took Neural respond when posts like this pop up. Precisely why many companies implement corporate security policies to address this sort of thing. That way you don’t have to go hunting for a fall guy when there is a problem, and the company is not making knee-jerk responses on an ad-hoc basis.

Formally codifying an improved security policy to help avoid this sort of thing in the future might be extremely timely and helpful. Nobody can guarantee impenetrable security, but measures can be taken to reduce risk and improve response time when a problem is discovered, as well as testing regularly for vulnerabilities - white-hat hacking.

1 Like

They’re not the only company that has or will screw up. They just need to be upfront about it and show us that they will take security more seriously in the future. I am waiting for an official statement regarding the handling of this incident. If they don’t acknowledge this serious mistake, then that will certainly affect my trust in them.

This the closest thing to an official statement you’ll get I think.

Hope they will actually do that.

They need actually to explain why they didn’t do anything about it months ago. This whole thing has me looking at other products in case I decide that Neural isn’t trustworthy. It’s not the breach, it’s the choice to not fix the vulnerability immediately.

1 Like

Explanation as it is:

Still problematic though. You shouldn’t rely on public pressure to keep customers safe.

1 Like

@ThomasVanIseghem , do you have a link to the mentioned discussion ? (I searched NDSP Discord server and found nothing related to this posts… :confused: )
thanks.

This is posted on the OpenCortex discord server. Not the official NDSP server.

2 Likes

Thanks ! I’ll have a look at it.

Please also see a very lively discussion of this issue at TGP: No thread on the QC data breach? | The Gear Page

i know keeping info uncrypted is inexcusable but are wifi passwords important whatsoever? like unless a hacker is coming near my home and draining my wifi i don´t see it affecting me

If you have 3300 email addresses + 430 Wi-Fi passwords, you’re likely to get at least a few matches where the Wi-Fi password is the same as the email password. From there, you’ve won the game.

i spent the last 2 hours reading this whole thread… most of it is annoying bickering but from what i gather ndsp might be in a whole lotta trouble :s and it does push me away from the company… i was already mad with the unfulfilled stuff but knew about it and was hoping for this next few months to be redeeming but now fractal seems more beautiful by the minute