Download PDF version Contact company

ExtraHop, globally renowned cloud-first detection and response solutions provider for hybrid enterprises, has issued a security advisory exposing several cases of third-party vendors ‘phoning home’ proprietary data without the knowledge of or authorisation from their customers. The advisory serves as a warning to all enterprises to hold their vendors more accountable for how they use customer data.

Phoning home proprietary data

The newly-issued advisory defines phoning home as a host connecting to a server for the purpose of sending data to the server, the ‘white hat’ term for exfiltrating data. According to the report, phoning data home is a common practice that can be used for legitimate and useful reasons with the customer’s consent. But when customers are unaware of this vendor exfiltration, it risks exposure of sensitive data, such as Personally Identifiable Information (PII), in violation of increasingly strict privacy regulations.

We decided to issue this advisory after seeing a concerning uptick in this kind of undisclosed phoning home by vendors"

“We decided to issue this advisory after seeing a concerning uptick in this kind of undisclosed phoning home by vendors,” said Jeff Costlow, ExtraHop CISO. “What was most alarming to us was that two of the four cases in the advisory were perpetrated by prominent cybersecurity vendors. These are vendors that enterprises rely on to safeguard their data. We’re urging enterprises to establish better visibility of their networks and their vendors to make sure this kind of security malpractice doesn’t go unchecked.

Data and cloud security

The advisory highlights four cases spanning the financial services, healthcare, and food service industries where ExtraHop documented vendors phoning home their customers’ data without the customer’s knowledge or authorisation, including:

  • Foul-play in financial services: During a recent training session, ExtraHop noticed that domain controllers were shipping data to a public cloud instance. The customer had no idea that domain controllers were sending SSL traffic outbound to 50 different public cloud endpoints controlled by the vendor. The report documents how a prominent cybersecurity vendor had been doing this for at least two months.
  • Medical device malpractice: A U.S. hospital was piloting a medical device management product that was only to be used on designated hospital Wi-Fi to ensure patient data privacy and HIPAA compliance. ExtraHop noticed that traffic from the workstation that was managing the initial device rollout was opening encrypted SSL:443 connections to vendor-owned cloud storage, in strict violation of HIPAA regulations.
  • When shadow IT phones home to China: While ExtraHop was onsite with a large multinational food services customer, they discovered that approximately every 30 minutes, a network-connected device was sending UDP traffic out to a questionable IP address. The device in question was a Chinese manufactured security camera that was phoning home to an IP address known to be associated with malware downloads.
  • When “on-box analysis” isn’t entirely “on box”: During a proof-of-concept (POC) with a financial services institution, ExtraHop noticed a large volume of outbound traffic headed from the customer’s S. datacenter to the United Kingdom. More than 400GB per day over two-and-a-half days (totaling more than 1TB of data) was exfiltrated by a security vendor that was also in a POC with the financial services institution. The customer was surprised because the vendor claimed to perform all analysis and machine learning ‘on-box’—meaning on the appliance deployed in the customer’s environment.

Security advisory

ExtraHop’s security advisory recommends that companies take the following actions to mitigate these kinds of phoning-home risks:

  • Monitor for vendor activity: Watch for unexpected vendor activity on your network, whether they are an active vendor, a former vendor or even a vendor post-evaluation.
  • Monitor egress traffic: Be aware of egress traffic, especially from sensitive assets such as domain controllers. When egress traffic is detected, always match it to approved applications and services.
  • Track deployment: While under evaluation, track deployments of software agents.
  • Understand regulatory considerations: Be informed about the regulatory and compliance considerations of data crossing political and geographic boundaries.
  • Understand contract agreements: Track whether data is used in compliance with vendor contract agreements.

ExtraHop also urges companies to ask questions of their vendors to ensure they understand how their data is being used, where their data is going and the vendor protocols for phoning home. ExtraHop believes these actions will hold vendors more accountable and ultimately limit the exposure of sensitive enterprise data.

Download PDF version Download PDF version

In case you missed it

Enhancing collaboration in physical security operations
Enhancing collaboration in physical security operations

In the past, security and IT teams operated independently, but today collaboration is critical. Modern security systems rely on various devices and systems that are linked to inter...

How can the industry do a better job of promoting emerging technologies in physical security environments?
How can the industry do a better job of promoting emerging technologies in physical security environments?

By all accounts, technology development is moving at a rapid pace in today's markets, including the physical security industry. However, market uptake of the newest technologies ma...

Dahua & KITT Engineering's LED screen innovations
Dahua & KITT Engineering's LED screen innovations

About a year and a half ago, Peter de Jong introduced Dahua to Fred Koks, General Manager of KITT Engineering. Since then, Dahua, KITT Engineering, and Ocean Outdoor have complete...

Quick poll
What is the most significant challenge facing smart building security today?