Researcher threatened with prosecution for exposing flaws

Software vendor Impero Solutions, creator of Education Pro for monitoring and managing school computers, has struck back against a security researcher who exposed its flaws, but many in the industry question whether the response was proportionate.

School Computers (pic by Tony Hisgett/via Wikimedia)
School Computers (pic by Tony Hisgett/via Wikimedia)

A software company issued a legal letter against a security researcher who published details of how to attack its school computer monitoring software.

Zammis Clark, a security researcher, has published proof of concept (POC) code on Github, demonstrating how to hack Impero's Education Pro software.

Impero Solutions Ltd's solicitors, Gateley Plc, emailed the letter to Clark, and has demanded he remove details of the exploit from the internet and social media by 17 July.

Education Pro is widely used in the education sector to provide a range of services including classroom computer management, remote control and support, patch management and power management. It also has modules for monitoring internet usage for e-safety purposes, an element of the package which Clark took exception to, describing it as “essentially a corporate/educational RAT”.

In a comment celebrating the publication of the exploit code, he said: “Oh yeah - free speech for the win... internet censorship is <insert some expletives here>, and so are any and all RATs.”

The full exploit code, written in PHP, has been posted on Github.

At issue is Impero's claim that Clark published the exploit without attempting to contact them first. The company also claims that Clark violated the software agreement, which he signed up to when he downloaded the software.

In an email, Nikki Annison, director of marketing at Impero, told SCMagazineUK.com that the exploit could allow a user to “run unauthorised programs and interfere with the clients on a network”. However, it could only be used if basic network security wasn't being used and the attacker had local network access. “To date there have been no reports of any customers being affected by this,” she added. 

Impero is open to working with customers and non-customers on software improvements. “Should anyone wish to highlight security improvements directly we will make this a priority and engage accordingly, as we have done in the past,” she said.

However, after Clark found and published this weakness, the company threatened him with civil and criminal legal action under the Computer Misuse Act. A letter from the company's solicitors, a copy of which is available online, spells out the grounds for Impero's complaint including violation of the end-user licence agreement, copyright infringement, breach of contract, breach of confidence and damage caused by publishing the encryption key on the internet.

Annison said those who report flaws to Impero privately have nothing to worry about. “To confirm, we will not take legal action against people that identify security issues if ethical, private reporting practices are followed, so please don't be afraid to get in touch,” she said. “In this instance these practices were not followed.”

Impero does not run a bug bounty programme but has "a variety of channels through which these issues can be communicated and discussed," Annison said. 

Legal viewpoint

Peter Dalton, associate at law firm Kemp Little, told SCMagazineUK.com that, if Clark decompiled the source code or modified it, it would be a breach of the terms and conditions and would be likely to be unlawful.

Page 1 of 3