While researching other issues with Prey, I came across a blog post by someone else who pointed out further issues with Prey; the issues this person describes are quite serious. The issue involves the ability for someone to conduct a man-in-the-middle attack and send commands to users running Prey’s system. This is particularly disastrous because the software runs as root, so the attacker has full access to the system. I plan to discuss this at Defcon this week as well:
Prey is able to parse config files over the web and it blindly accepts them with no authentication whatsoever. This means if an attacker used trivial ARP spoofing attacks on a network, a coffee-shop’s wireless for example, s/he could replace your config file with their own. Worse, what is in your config file gets eval’ed by bash with full root privileges. Simply, this means the attacker can run any code s/he wants to. Your hard drive could be deleted, or a reverse SSH session could be set up giving the attacker a command prompt as root. I filed this bug on December 29th, 2010. As of January 4th, 2011, the bug is still there but marked closed. 6 days is enough to fix a one line remote code execution vulnerability or at least to warn the public to disable Prey until the bug is fixed.
Sadly, it is clear that either the maintainers of Prey do not understand the severity of the problem, or Fork, the company behind Prey, would rather not sacrifice the image of Prey as secure software for better security.
This particular bug aside, it is clear that Prey wasn’t designed with security in mind: as I have stated before, Prey runs with root privileges when it is mostly unnecessary and does not authenticate anything. Even if this eval bug is fixed, an attacker could use your webcam against you.
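The fetch-then-eval pattern the quoted post describes fails in two independent ways: nothing proves the config came from the real server, and the body is handed to bash as code rather than read as data. The Python below is added here as an illustration and is not Prey's code (Prey is a set of shell scripts, and the page shows neither its loader nor whatever "encryption" it later added). It shows the shape a safe loader takes: the agent verifies an HMAC over the body with a per-device secret before looking at a single line, then parses only whitelisted key=value pairs with a fixed value format for each key. The secret, key names, value formats and sample configs are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Hypothetical per-device shared secret. Constructed for this example;
# nothing on the page says Prey uses this mechanism.
DEVICE_SECRET = b"constructed-example-device-secret"

# Whitelist of keys the agent understands, each with the exact value shape
# it accepts. Anything outside this table is a hard error, never executed.
ALLOWED_KEYS = {
    "check_interval": re.compile(r"^[0-9]{1,5}$"),
    "report_url": re.compile(r"^https://[A-Za-z0-9.\-]+(/[A-Za-z0-9._/\-]*)?$"),
    "webcam": re.compile(r"^(on|off)$"),
}

LINE_RE = re.compile(r"^([a-z_]+)=(.*)$")


class ConfigError(ValueError):
    """Raised when a fetched config fails authentication or validation."""


def verify_mac(body: bytes, tag_hex: str, secret: bytes) -> bool:
    """Constant-time check that tag_hex is HMAC-SHA256(secret, body)."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)


def parse_config(body: bytes) -> dict:
    """Parse key=value lines into a dict; reject anything off the whitelist."""
    config = {}
    for lineno, raw in enumerate(body.decode("utf-8").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ConfigError(f"line {lineno}: not a key=value line")
        key, value = m.group(1), m.group(2)
        pattern = ALLOWED_KEYS.get(key)
        if pattern is None:
            raise ConfigError(f"line {lineno}: unknown key {key!r}")
        if not pattern.match(value):
            raise ConfigError(f"line {lineno}: bad value for {key!r}")
        config[key] = value
    return config


def load_remote_config(body: bytes, tag_hex: str, secret: bytes) -> dict:
    """Authenticate first, then parse. The body is never handed to a shell."""
    if not verify_mac(body, tag_hex, secret):
        raise ConfigError("MAC mismatch: config rejected before parsing")
    return parse_config(body)


def rejection_reason(body: bytes, tag_hex: str, secret: bytes):
    """Return the error message if the config is rejected, else None."""
    try:
        load_remote_config(body, tag_hex, secret)
    except ConfigError as exc:
        return str(exc)
    return None


# --- constructed sample inputs ------------------------------------------
GOOD_BODY = (
    b"# constructed sample config\n"
    b"check_interval=20\n"
    b"report_url=https://control.example/report\n"
    b"webcam=off\n"
)
GOOD_TAG = hmac.new(DEVICE_SECRET, GOOD_BODY, hashlib.sha256).hexdigest()

# Same body with one line appended in transit; the tag no longer matches.
TAMPERED_BODY = GOOD_BODY + b"webcam=on\n"

# A value an eval-style loader would run as a command. It is tagged with the
# right secret here, so only the strict parser stands between it and a shell.
INJECTED_BODY = b"check_interval=20 ; echo injected\n"
INJECTED_TAG = hmac.new(DEVICE_SECRET, INJECTED_BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(load_remote_config(GOOD_BODY, GOOD_TAG, DEVICE_SECRET))
    print(rejection_reason(TAMPERED_BODY, GOOD_TAG, DEVICE_SECRET))
    print(rejection_reason(INJECTED_BODY, INJECTED_TAG, DEVICE_SECRET))
```

The MAC check is the layer that defeats the ARP-spoofing substitution: a body altered on the coffee-shop network fails verification before any line is read. The strict parser is a separate layer, and it matters even when the first one holds; a body tagged with the right secret still cannot smuggle a shell command, because `20 ; echo injected` is not a valid interval and is rejected rather than executed. A server-side signature (public key on the device, private key on the server) would be the stronger choice where the device must not be able to forge its own config, but the two-layer structure is the same.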
I was curious whether this issue had been resolved, so I reached out to “Sharp”, who found the bug. He responded pretty quickly with the answer, as well as some additional information; here is his full e-mail back to me:
I heard back from Prey after they “fixed” the bug I reported, just
telling me that I might take another look. I found the encryption they
implemented to be basic obfuscation, not real authentication or even
guaranteed confidentiality. I was told via e-mail that 0.6 would not run
I’m not surprised to hear of your interactions with their forum
moderators. They seem to be a business focused on selling accounts on
their server, with an open source branding as a selling point. Fixing
security bugs and making other developers happy seem to be important
only in the context of ensuring continued sales of accounts.
I believe Prey has security flaws which are inherent to the entire
design of the program and even if these flaws are fixed, it is my
opinion that given the seriousness and obviousness of the flaws in the
past, the Prey devs should not be trusted to write security software
worthy code in the future. As a Debian user I’m honestly a little
surprised and angry that the software was accepted into the
Take care and thanks for your e-mail,
So there you have it: I am not the only one who has issues with Prey Project or the Fork company behind it. Their choice to run the software as shell scripts, so that it is easier for people to participate, simply makes the software unsafe; they are not developing the solution with security in mind. But then again, why should they? It’s just beerware after all.