FreeScan security issue

K7MFC · May 21, 2018

I uninstalled FreeSCAN version 2.18 from my Windows 10 machine, and I noticed something interesting that I thought I should post here. I like to verify any remaining files/folders aren't still lingering after uninstalling a program so I did a quick search of the entire disk for "freescan" and nothing was found. I'm a bit of a deletionist, and I like to be a little more thorough, so I opened the registry editor, and did a search again for "freescan," looking for any remaining installation artifacts I could remove. Buried deep in HKEY_USERS, I found something interesting:

Right there - in plain text - is my radioreference.com username and password. If you use the RadioReference database import features and keep the "remember me" box checked, this is how your credentials are stored.

Uninstalling FreeScan, via the included uninstaller or the Windows control panel, DOES NOT remove the stored radioreference username and password from your computer. This information is accessible to any user who can open the registry editor. But more importantly, it is accessible to any executing program on your machine. I would consider this a somewhat concerning issue - storing passwords in plain text is never a good idea as a software developer. Microsoft does provide tools for Windows applications to securely handle data such as usernames and passwords - notably, the Data Protection API.

I have attempted to contact Sixpot Software to alert them to this vulnerability.

mule1075 · May 21, 2018

call_sign_null said:
I had FreeSCAN version 2.18 installed on my Windows 10 machine, and I noticed something interesting today after uninstalling. The uninstall process was quick, and I like to verify any remaining files/folders aren't still lingering so I did a quick search of the entire disk for "freescan" and nothing was found. The uninstall appeared complete. But I'm a bit of a deletionist, and I like to be a little more thorough, so I opened the registry editor, and did a search again for "freescan," looking for any remaining installation artifacts I could remove. Buried deep in HKEY_USERS, I found something interesting:

Right there - in plain text - is my radioreference.com username and password. If you use the RadioReference database import features and keep the "remember me" box checked, this is how your credentials are stored.

Uninstalling FreeScan, via the included uninstaller or the Windows control panel, DOES NOT remove the stored radioreference username and password from your computer. This information is accessible to any user who can open the registry editor. But more importantly, it is accessible to any executing program on your machine. I would consider this a somewhat concerning issue - storing passwords in plain text is never a good idea as a software developer. Microsoft does provide tools for Windows applications to securely handle data such as usernames and passwords - notably, the Data Protection API.

I have attempted to contact Sixpot Software to alert them to this vulnerability.

This is one of the reasons I use Absolute Uninstaller.

milcom_chaser · May 21, 2018

Would be interesting to see how Proscan and ARC-XT handle the "hashing" or lack thereof of passwords.

K7MFC · May 21, 2018

mule1075 said:
This is one of the reasons I use Absolute Uninstaller.

Just did a quick test on a VM and Absolute Uninstaller does not remove this data from the registry. It's not really an issue of an incomplete uninstall of the application, however. The issue here is that the developers chose an insecure method to store sensitive information like 3rd party logins. Having FreeScan installed and then storing your RadioReference credentials within the application is where the vulnerability starts.

To patch this issue on your computer, run these two commands form the command prompt - note that the exact path may differ on your local machine. Open regedit and find "FreeSCAN" in HKEY_USERS or HKEY_CURRENT_USER:

REG DELETE "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\FreeSCAN\Settings" /v UserPW

REG DELETE "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\FreeSCAN\Settings" /v UserName

This will delete the username and password which is stored as plain text and easily visible. After clearing these registry values, FreeSCAN users should NOT check the "Remember me" box when using the radioreference database import feature. I would also recommend changing your RadioReference password(s).

milcom_chaser said:
Would be interesting to see how Proscan and ARC-XT handle the "hashing" or lack thereof of passwords.

I'm also curious now. I will be doing a similar inspection of these applications and report back any findings.

K7MFC · May 21, 2018

It gets better (worse)! I also noticed that the requests made by FreeSCAN to the RadioReference API are not using HTTPS:

Here again you can see my username and password. The RadioReference authentication request is being sent over an insecure HTTP connection, and this sensitive info is freely visible to anyone or anything that inspects my network traffic.

K7MFC · May 21, 2018

milcom_chaser said:
Would be interesting to see how Proscan and ARC-XT handle the "hashing" or lack thereof of passwords.

Didn't take too long to discover that BuTel's ARC-XT software also stores RadioReference login credentials in an identical insecure manner:

W4ELL · May 21, 2018

FYI... I investigated ProScan and how it saves my login information. I found nothing in the registry and it looks like the information is stored in this file(in Windows 10):

C:\Users\<username>\AppData\Local\VirtualStore\Program Files (x86)\ProScan\ProScan.cfg

As you can see, it appears that ProScan does it right... both the password and username are obscured (possibly hashed?) in said cfg file:

ProScan · May 21, 2018

W4ELL said:
FYI... I investigated ProScan and how it saves my login information. I found nothing in the registry and it looks like the information is stored in this file(in Windows 10):

C:\Users\<username>\AppData\Local\VirtualStore\Program Files (x86)\ProScan\ProScan.cfg

As you can see, it appears that ProScan does it right... both the password and username are obscured (possibly hashed?) in said cfg file:

Thanks but it's not good posting encrypted passwords. Can you edit your password out as any instance of ProScan can read it.

W4ELL · May 21, 2018

ProScan said:
Thanks but it's not good posting encrypted passwords. Can you edit your password out as any instance of ProScan can read it.

Yes, thanks Bob, I didn't think of that.

ProScan · May 21, 2018

call_sign_null said:
It gets better (worse)! I also noticed that the requests made by FreeSCAN to the RadioReference API are not using HTTPS:

That has nothing to do with FREEScan. Take a look at the targetNamespace in this link https://api.radioreference.com/soap2/?wsdl&v=15

As far as the password in the clear in the Registry, Just lock your computer when not using.

K7MFC · May 22, 2018

ProScan said:
That has nothing to do with FREEScan. Take a look at the targetNamespace in this link https://api.radioreference.com/soap2/?wsdl&v=15

It's been a while since I've used SOAP APIs regularly - what is the significance of targetNamespace? Does that url indicate that RadioReference does not support https with their SOAP service? The wsdl loads ok via HTTPS.. If that is in fact the case, I can't fault the developers for a limitation of the RR API.

ProScan said:
As far as the password in the clear in the Registry, Just lock your computer when not using.

A person having physical access to the computer, opening up the registry editor and looking at the password is the least likely attack vector. Arbitrary code can be executed to read that data from the registry without the user knowing, and this is the more likely way data can be compromised. Windows has long offered operating system level tools to encrypt and store sensitive data, which is good for the developer as they do not need to rely on any third party tools to be able to securely store data like passwords. There isn't really any room to excuse this vulnerability given the long-established best practices. It's an issue that really needs to be fixed in FreeSCAN and ARC-XT, but fortunately for the developers of these programs, there are well documented solutions to patch the vulnerability.

I am glad to see that ProScan does not contain this same vulnerability, and now I'm inclined to support your software.

KE4ZNR · May 22, 2018

Something else to consider: Freescan was developed by a young college student on a whim to help him program and update his own scanners and while he has continued to support and update it here and there it was never a priority for him. He has never charged for it for that very same reason. So don't expect him to rush out with a response on this as Freescan has always been promoted as "Freeware" with little to no support from the author.

Marshall KE4ZNR

K7MFC · May 22, 2018

I would agree, this isn't the cyber crime of the century or anything and I'm not trying to be too critical of the developers, but it's an "oops" that would ideally be attended to ASAP. This post is not to shame the creators of the software - it is to inform users that their radioreference.com login information is stored in an insecure manner on their computer.

As a proponent of open source software, I can say this is one of the strongest arguments for it. Peer reviews of the codebase would would likely catch security issues like this early on in the development process. I didn't come across any public code repos for FreeSCAN or ARC-XT so I'm guessing they're not open source.

phask · May 22, 2018

KE4ZNR said:
Something else to consider: Freescan was developed by a young college student on a whim to help him program and update his own scanners and while he has continued to support and update it here and there it was never a priority for him. He has never charged for it for that very same reason. So don't expect him to rush out with a response on this as Freescan has always been promoted as "Freeware" with little to no support from the author.

Marshall KE4ZNR

Marshall - to dad, Ibelieve hee has now stopped development and has released the souce code to the "crowd".

questnz · May 22, 2018

KE4ZNR said:
Something else to consider: Freescan was developed by a young college student on a whim to help him program and update his own scanners and while he has continued to support and update it here and there it was never a priority for him. He has never charged for it for that very same reason. So don't expect him to rush out with a response on this as Freescan has always been promoted as "Freeware" with little to no support from the author.

Marshall KE4ZNR

1+ for that, it is FREE software "as is where is" one can use on your own risk.
Freescan serving its purpose for many users who don't want to for pay commercial software.
Personally I am more worried about various software we are using on Cellphones, iPads, Tablets full of security holes and collecting information from the users.
Frrescan is walk in the park in compassing to the nasty stuff get collected without us users permission via portable devices.

K7MFC · May 22, 2018

questnz said:
1+ for that, it is FREE software "as is where is" one can use on your own risk.

Exactly - and the intent of my post is to alert the users of this software to one of those risks, provide a workflow for a user to patch the vulnerability, and advise on a best practice to limit your exposure to this issue in the future.

questnz said:
Frrescan is walk in the park in compassing to the nasty stuff get collected without us users permission via portable devices.

The severity of the issue I discovered obviously pales in comparison to larger and much more publicized data security issues, but that doesn't automatically mean it should be dismissed. Before this post shifts towards a discussion of that nature, I just want to reiterate that this post was just a public service announcement to share my findings. It's up to the user to decide how to act on this information.

questnz · May 22, 2018

Thank you Matt, my post was just in "generic" terms about all stuff we are giving away willingly or unwillingly during every day use of the devices. We need to use the software and by accepting xyz terms and conditions we just give away our rights to complain. Vast amount of personal information is collected with out consent, unfortunately. Thank you for good work, very few of us actually going to OS registry
and check every possible hole in security of every software installed.

Regards Chris

n0xvz · May 22, 2018

Hmmm...my registry didn't seem to have that issue. (Yes, I use FreeSCAN.)

K7MFC · May 22, 2018

n0xvz said:
Hmmm...my registry didn't seem to have that issue. (Yes, I use FreeSCAN.)

Interesting, what version of FreeSCAN do you have installed, and did you select "Remember me" when you entered your RadioReference credentials?

n0xvz · May 22, 2018

call_sign_null said:
Interesting, what version of FreeSCAN do you have installed, and did you select "Remember me" when you entered your RadioReference credentials?

Ah, interesting. I use this particular computer with FreeSCAN quite a bit, but it appears I've never used it to download from the RR database (until now). I'll have to check the other computer.

So...nothing to see here...

FreeScan security issue

WRAA720

Member

Member

WRAA720

WRAA720

WRAA720

Member

Software Provider

Member

Software Provider

WRAA720

Radio Geek

WRAA720

Member

Member

WRAA720

Member

Member

WRAA720

Member

Similar threads