August 3, 2011
Prey Project Security Issue - Hacker Could Hijack Your System & Camera

While researching other issues with Prey I came across a blog post by someone else who pointed out a far more serious problem: an attacker in a man-in-the-middle position can send commands to any machine running the Prey client. This is particularly disastrous because the software runs as root, so the attacker gets full control of the system. I plan to discuss this at Defcon this week as well:

Prey is able to parse config files over the web and it blindly accepts them with no authentication whatsoever. This means if an attacker used trivial ARP spoofing attacks on a network, a coffee-shop’s wireless for example, s/he could replace your config file with their own. Worse, what is in your config file gets eval’ed by bash with full root privileges. Simply, this means the attacker can run any code s/he wants to. Your hard drive could be deleted, or a reverse SSH session could be set up giving the attacker a command prompt as root. I filed this bug on December 29th, 2010. As of January 4th, 2011, the bug is still there but marked closed. 6 days is enough to fix a one line remote code execution vulnerability or at least to warn the public to disable Prey until the bug is fixed.

Sadly, it is clear that either the maintainers of Prey do not understand the severity of the problem, or Fork, the company behind Prey, would rather not sacrifice the image of Prey as secure software for better security.

This particular bug aside, it is clear that Prey wasn’t designed with security in mind: as I have stated before, Prey runs with root privileges when it is mostly unnecessary and does not authenticate anything. Even if this eval bug is fixed, an attacker could use your webcam against you.
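To make the pattern Sharp describes concrete, here is the "fetch a config over the network and hand it to eval" loader next to a loader that treats the same bytes strictly as data. This is an added illustration written for this page, not Prey’s code and not Sharp’s; the function names, the key whitelist and the sample attacker config are constructed for it.

```shell
#!/bin/sh
# Added example (not Prey's code): an eval-based config loader beside a
# loader that never hands config bytes to the shell. The function names,
# whitelist and sample config below are constructed for illustration.

# Constructed stand-in for a config an on-path attacker could serve in
# place of the real one: two legitimate settings, one value carrying an
# injected command, and one key the client should never accept.
ATTACKER_CONFIG='check_interval=20
api_key=abc123; echo INJECTED_COMMAND_RAN
on_demand_hook=/usr/local/bin/evil
post_url=http://example.invalid/report'

# Vulnerable pattern: whatever arrived is executed as shell code. If the
# client runs as root and the transport is unauthenticated, anyone who can
# rewrite the response (ARP spoofing, a rogue hotspot, DNS) runs as root.
unsafe_load() {
    eval "$1"
}

# Hardened pattern: no eval. Every line must be key=value, the key must be
# on a fixed whitelist, and the value must come from a narrow character
# class, so shell metacharacters never reach an interpreter. Accepted
# settings are printed one per line; the count of dropped lines is left in
# SAFE_REJECTED. Authenticating the bytes (a signature over the file
# verified before this runs) is the other half and is not shown here.
safe_load() {
    SAFE_REJECTED=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;     # blank line or comment
            *=*) ;;                  # candidate key=value
            *) SAFE_REJECTED=$((SAFE_REJECTED + 1)); continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        case "$key" in
            check_interval|api_key|post_url) ;;   # whitelisted keys only
            *) SAFE_REJECTED=$((SAFE_REJECTED + 1)); continue ;;
        esac
        case "$value" in
            ''|*[!A-Za-z0-9_./:@=-]*)              # empty, or has metachars
                SAFE_REJECTED=$((SAFE_REJECTED + 1)); continue ;;
        esac
        printf '%s=%s\n' "$key" "$value"
    done <<EOF
$1
EOF
}

# Demonstration: the unsafe loader runs the injected command; the safe
# loader keeps the two clean settings and drops the other two lines.
printf '%s\n' '--- unsafe_load:'
unsafe_load "$ATTACKER_CONFIG"
printf '%s\n' '--- safe_load:'
safe_load "$ATTACKER_CONFIG"
printf 'rejected lines: %s\n' "$SAFE_REJECTED"
```

Parsing instead of evaluating closes the code-execution half of the bug; it does nothing about origin. The client still has to check who produced the file, which means a signature (or at least a MAC under a per-device key) verified over the raw bytes before parsing, not a reversible scrambling of the payload, which is the "basic obfuscation" Sharp refers to in his e-mail below and which gives neither integrity nor confidentiality against an attacker who has the client.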

I was curious whether the issue had been resolved, so I reached out to “Sharp”, who found the bug. He responded quickly with the answer and some additional information; here is his full e-mail back to me:

Steven,

I heard back from Prey after they “fixed” the bug I reported, just
telling me that I might take another look. I found the encryption they
implemented to be basic obfuscation, not real authentication or even
guaranteed confidentiality. I was told via e-mail that 0.6 would not run
as root.

I’m not surprised to hear of your interactions with their forum
moderators. They seem to be a business focused on selling accounts on
their server, with an open source branding as a selling point. Fixing
security bugs and making other developers happy seem to be important
only in the context of ensuring continued sales of accounts.

I believe Prey has security flaws which are inherent to the entire
design of the program and even if these flaws are fixed, it is my
opinion that given the seriousness and obviousness of the flaws in the
past, the Prey devs should not be trusted to write security software
worthy code in the future. As a Debian user I’m honestly a little
surprised and angry that the software was accepted into the
Ubuntu/Debian repos.

Take care and thanks for your e-mail,

So there you have it: I am not the only one who has issues with Prey Project or the Fork company behind it. Choosing to ship the software as shell scripts so that it is easier for people to participate simply makes it unsafe; they are not developing the solution with security in mind. But then again, why should they? It’s just beerware after all.

August 2, 2011
Email From Tomás Pollak of Prey Project Admits Using Unlicensed Geolocation

After my post here about my experiences with the Prey Project, Tomás Pollak, the founder of the Prey Project, sent me an email (the full email is pasted below) in which he states “I just stumbled upon your tumblr blog thanks to a link that one of our users sent me.” He apparently did not see the questions I posted because he was “swamped with work, mainly due to server migration as (once again) we’re struggling with server load issues.” This is another red flag: a system relied upon by what I am guessing are several thousand people is failing. I monitored its uptime for a while and found it was down quite a bit.

Regarding one of my main questions, the use of Google’s Gears API for location, here is his response.

I’m aware that Google Gears’ TOS claims that the API should be accessed via the native JS interface, however I’ve personally talked about this with a couple of folks at Google I know, and it was pretty clear to me that Google doesn’t bother about us using their — publicly available, might I say — HTTP service.

So the CEO of Fork Ltd. claims that he talked with a few friends at Google and that they don’t mind Prey using the API in a way he knows is against the terms of the license. He further states that he knows Gears will be deprecated, yet there is no clear path to a replacement:

Anyway, Google Gears will be deprecated so in the near future we’ll probably switch to another location provider like Skyhook (who, in fact, has already asked us to use their service).

I looked into Skyhook for my own project, and they charge real money for the use of their API. Prey will not be able to hook into it for free, which means that either the customers will have to pay or they will go without location.

The excuses I received for why the full source code is not available, for a project that claims to be open source, also raise all kinds of red flags. When people are critical of the project, they claim it is open source or “beerware”, but they go ahead and keep charging people for it. Only after I made a critical post did anyone finally reach out to me about my questions, and that after I had been threatened with a ban from their group for asking these very same, important questions. No thank you, Mr. Pollak; there are other real open source projects I would rather spend my time on, not a commercial entity hiding in open source clothes, especially one composed of shell scripts.

===========

Hi Steve,


My name is Tomás Pollak and I’m the guy you want dead.
I just stumbled upon your tumblr blog thanks to a link that one of our users sent me.
I’ve been away the last couple of weeks so I’ve been unable to take a look at the threads on Prey’s Google Group. I wish I’d been available to answer your emails a couple of weeks ago to answer your questions. Truth is we’ve been swamped with work, mainly due to server migration as (once again) we’re struggling with server load issues.
Ok so from what I read, it seems you’re pissed because: 
a) The code for the installers isn’t available (assuming that’s what you mean by UI), and b) That the client uses Google’s Geolocation Service (from your point of view) without permission.
Let me start by saying that in my opinion your claim regarding a) is 100% valid. In fact there are other people who’ve also asked for specific parts of the code that aren’t available — such as the OSX lock binary— and I’ve personally contacted them and sent every piece of code that was asked for.
I know that this doesn’t excuse us from having all the pieces of the code available and I agree that’s something we really need to work on — just as we also need to better the docs, fix bug requests quicker, and be more responsible to answer to support requests as well.
As you may know, Prey was born as a beerware project by me, and to be truthful I never thought it would actually catch up. Originally I thought of it as my “grain of sand” to the OSS community but reality hit me back. You’d never imagine the amount of time I spend *every single day* just to keep the servers running — eg. responding to requests, processing reports, etc. And I’m not talking about paying users (those are probably around 0.01%), I’m talking about users who don’t pay a dime but obviously expect the thing to work.
If I only could get my weekends back!
As for the server code, we haven’t released it because we’d never be able to provide any kind of support to people who wanted to install the thing on their own servers — we barely manage to provide support for users who want to track their PCs!
This, in fact, is something we’ve discussed plenty of times in the group. Take a look at this message, written more than a year ago:
http://groups.google.com/group/prey-security/browse_thread/thread/3353baf8419fe77d/024cac00ba60b979#024cac00ba60b979
Now, if there’s some client-related code (written by us) that’s not available I promise it will eventually be. In the meantime just ask for it and I’ll gladly send it over. In fact I plan to move all the repos from my personal Github account over to github.com/prey — just as we did with the Android source code — and in the process fill in all the missing gaps. This includes the licensing for all the public-domain or open source third-party stuff we’re using (the Debian guys helped a lot when building the .deb package).
Regarding claim b), as Tom pointed out in the thread the one that makes the request to Google’s Geolocation Service is the geo module (written in bash, fully available), not the Control Panel. I’m aware that Google Gears’ TOS claims that the API should be accessed via the native JS interface, however I’ve personally talked about this with a couple of folks at Google I know, and it was pretty clear to me that Google doesn’t bother about us using their — publicly available, might I say — HTTP service.
Anyway, Google Gears will be deprecated so in the near future we’ll probably switch to another location provider like Skyhook (who, in fact, has already asked us to use their service). 
I hope I clarified some of your doubts about our project, and I’m available for a chat any day if you want to. You seem to be a very clever guy and you’re more than invited to join the project if you want to. My skype username is ___ and by the way, I’m not chinese. :)
Cheers, Tom


Tomás Pollak
CEO, Fork Ltd.
forkhq.com

July 19, 2011
My Experience Developing For Prey Project - Open Source Fraud

Prey Project is a self-proclaimed “open source” project from a company called Fork Ltd., based in Hong Kong. As a developer I thought it would be great to participate in the community, so I downloaded the code to take a look at this “innovative tech”, only to discover it was not as innovative as I thought: the code is entirely written in shell script (that’s right, just shell scripts), and to make it worse the scripts must run as root. The scripts call several third-party binaries, which are not open source.

I started asking questions in the Google Group about various things, including how the open source code worked, and I noticed that a lot of the code was missing. I also noticed something else peculiar: Prey is using Google Gears’ location service API, and it appears to be using the API illegally, since Prey charges for the service and calls the API outside of the Gears framework. I asked questions about this here; nobody from Fork answered them, and instead I got an email from the moderator telling me that he would BAN me from the forum. Here is the message from Dave Clark, who is apparently the moderator of the Prey Project Google Group:

From: Dave Clark <dc1999@gmail.com>
Date: 19 July 2011 18:13
Subject: Re: [Prey-Security] Where is the rest of the code?

This is a private message to the two of you.  I’d like it NOT posted to the main Prey list.

As the owner of this list, I’m concerned about this thread.  One of you seems to be accusing the developers of Prey of wrong-doing, then refusing to listen to reason or be satisfied with the answers received.

I have no ownership interest in Prey, and I’m just the guy that set up this list on googlegroups long ago because of my interest in Prey-like software after having two laptops stolen.  But, I will unsubscribe anyone who becomes abusive.

If the thread goes any further or gets any more heated, I’ll take action.

Please keep the discussion polite, sensible and in keeping with accepted netiquette.

Thank you.

Dave

This is an interesting response to a developer asking how the licensing works and expressing concern. It is telling that a supposedly open source project would want to suppress someone asking questions. So why are they so sensitive about me asking about licensing? Because they are using the Google Gears API illegally and charging people for it. People are paying for this service expecting it to help them recover a stolen device, yet Fork Ltd. is using third-party services without a license. Since the folks at Prey feel they can censor what people ask and say in their Google Group, I will be posting my concerns here.
