Improperly Set Up Database Exposed Oklahoma Police, Bank to Physical Intruders
Government (U.S.) // Oklahoma, United States
The goof was discovered by security researcher Chris Vickery.
But not before the leaky database potentially compromised the physical security of multiple Oklahoma Department of Public Safety facilities and at least one Oklahoma bank, according to the Daily Dot.
Vickery said he discovered the flawed system one day before the July 7 Dallas police shooting, which claimed the lives of five officers. He initially was concerned about publicly disclosing a vulnerability that could affect law enforcement. “I was very cautious at first about it,” he said, “but I decided the risk of doing harm with the information I was putting out there wasn’t that great.”
Vickery provided the Daily Dot with images from the database, which were accessible without a username or password. The photos show various doors, locks, RFID access panels and the controller board of an alarm system -- a device typically obscured for security purposes.
The database also contained “details on the make, model, location, warranty coverage, and even whether or not the unit was still functional,” Vickery said.
The security risk persisted for at least a week. Vickery said he notified an executive at the company that manages the database, Automation Integrated, on July 9. Reached on July 12, however, an Automation Integrated employee said “no one” in the office was aware of the problem.
The Daily Dot contacted Oklahoma’s statewide law enforcement agency, the Oklahoma Highway Patrol, to give notice of the breach, which specifically affected the building housing Troop A. "An official became hostile with the reporter during the call, responding with disbelief and insisting that the reporter did not know what he was talking about," according to the Daily Dot.
MidFirst Bank of Oklahoma City also was affected, Vickery found. “I was even able to get images from within the bank's safe deposit box vault,” he said.