Bytes public statement in relation to Police CyberAlarm

14th June 2022


“Police CyberAlarm is a free tool to help members understand and monitor malicious cyber activity. This service is made up of two parts: monitoring and vulnerability scanning. Police CyberAlarm acts as a “CCTV camera” monitoring the traffic seen by a member’s connection to the internet. It will detect and provide regular reports of suspected malicious activity, enabling organisations to minimise their vulnerabilities. The data collected by the system does not contain any content of the traffic. The system is designed to protect personal data, trade secrets and intellectual property.” Reproduced with permission from https://www.cyberalarm.police.uk/

The Police CyberAlarm system has been the subject of a publication by an independent security researcher describing perceived security flaws. In response to this publication, the Corporation of the City of London (acting in its capacity as Police Authority for the City of London Police) has engaged the services of Bytes Software Services Limited (‘Bytes’) to act as an independent security company to investigate the discoveries that were published. This Statement allows the Corporation of the City of London (acting in its capacity as Police Authority for the City of London Police) to identify the approach and responses which have been taken in relation to this, and to address any concerns that may be raised about the security of the Police CyberAlarm system.

Bytes’ portfolio includes information and technical security audit and advisory services. This includes but is not limited to risk management, penetration testing, digital forensics, threat intelligence, investigative and incident management services. Bytes’ Digital Forensics, Threat Intelligence, and Incident Management (DFIM) team undertook an investigation into the independent security researcher’s discoveries. The investigation consisted of interviews of the relevant parties, review of independent security reports and creation of independent test models. All activities were undertaken to enable the DFIM team to form an independent response.

The discoveries of the DFIM team were as follows:

  • There were credible discoveries by the security researcher present within the system. However, the risk of these was lower than claimed. This result was verified by three independent security companies – including a university cryptography specialist. The lower risk identified by the DFIM team was found to be due to additional security controls and backend security measures that the security researcher had no ability to see or test from the collector. Without the additional context being available, these risks would always appear higher.
  • The security researcher highlighted areas that could enhance the security of the solution. The DFIM team agrees that whilst there are opportunities to further enhance the security of the solution, and these should be taken to guard against future vulnerabilities, the base solution was not inherently insecure. The implementation or recommendation of implementation is based on the lens through which the solution is reviewed. It is important this is recognised to understand the determinations made.
  • Theoretical and other opportunities raised were evaluated for further alignment with industry accepted good practice. While there were no inherent weaknesses exposed in these areas at the current time, further alignment with industry accepted good practice allows the solution to stand up to robust scrutiny in the market.

The chronology of security testing and independent review of the Police CyberAlarm tool, as it relates to the current build version only, has been in line with expectations for a product of this nature, and is as follows:

  • February 2021 – CHECK / CREST certified company tested the code and onsite collector;
  • November 2021 – CHECK / CREST certified company tested the code and onsite collector;
  • March / May 2022 – Bytes DFIM team independently reviewed the discoveries of the security researcher;
  • April 2022 – CHECK / CREST certified company reviewed the security researcher’s discoveries against previous code and onsite collector testing reports;
  • May 2022 – NCSC / CREST certified company tested the recommended fixes, implemented by the software developer, and verified the patch changes; and
  • May 2022 – Bytes DFIM team reviewed the security report from the NCSC / CREST certified company to conclude that the testing conducted on the latest system patch addressed the discoveries within the Bytes investigation report.

There are always vulnerabilities or opportunities for improvement within software and solutions; this is the nature of today’s code. This is expected given the complexity and pace of change of technology, and the ever-increasing capabilities of threat actors. From the solution provider’s perspective, a defence-in-depth model is important: one that reduces the veracity or efficacy of any attack vector against the software or solution’s attack surface, together with a timely response from the vendor when there are discoveries that need to be addressed.

In conclusion, it is Bytes’ opinion that there are many aspects of defence-in-depth within the solution that mitigate the issues that were found by the security researcher. There was no opportunity for compromise of the systems, or reason to believe that there was any additional undue risk that could have been realised. However, Bytes do agree that some of the discoveries could be used to improve the security posture of the service and add additional layers of security to the solution to align with industry recognised good practice. These have been accepted by the Police CyberAlarm team and a software patch created. This patch has been independently tested and verified against the recommendations made by Bytes and will be deployed shortly by the Police CyberAlarm team. Additionally, Bytes concluded during the investigation that the Police CyberAlarm team responded appropriately by reducing the attack surface while investigation and remediation works were conducted, to put their members’ minds at ease. Bytes recognise this as responsible and decisive action. In Bytes’ opinion this is to be commended, as many vendors do not support this approach.

The Police CyberAlarm team welcome the scrutiny of the independent security research community, as this helps to improve the overall quality and security of the service. The team would like to remind all parties that they have a responsible disclosure policy that can be found at https://cyberalarm.police.uk/responsible-disclosure/ and would ask individuals to follow this policy.

Bytes Disclaimer: This statement is restricted to the context of Police CyberAlarm and only where it concerns potential vulnerabilities identified in March 2022 by an independent security researcher. Nothing outside of this scope has been considered, and nothing should be inferred from this statement that the whole system is secure or has been reviewed by the Bytes team. Nothing in this statement should be considered as an endorsement.

Bytes Software Services Ltd
Bytes House,
Randalls Way,
Leatherhead,
Surrey
KT22 7TW
Legal@bytes.co.uk
+44 (0) 1372 418500