A security researcher has discovered a critical security lapse in a popular video visitation service for correctional facilities that exposed the call logs and transcriptions of conversations between inmates and the outside world – including calls supposedly protected by attorney-client privilege.
HomeWAV prides itself on offering a state-of-the-art suite of communication solutions and hardware for detention facilities across the US.
The firm markets the product as a reliable revenue stream for detention facilities, as well as an efficient monitoring tool:
“From Day One, revenue from usage is shared with the detention facility … Placement of stations in secure areas eliminates need to move inmates for visitation,” reads the marketing copy on homewav.com. “No-contact visits reduce risks for contraband transfer. 100% recording and monitoring of all visits is provided.”
As reported by TechCrunch, security researcher Bob Diachenko found “a dashboard for one of its databases exposed to the internet without a password, allowing anyone to read, browse and search the call logs and transcriptions of calls between inmates and their friends and family members.”
The same database also contained transcripts of calls between inmates and their attorneys that were supposed to be protected by attorney-client privilege.
HomeWAV shut down the system hours after the news site alerted it to the security lapse. CEO John Best told the news outlet that one of its third-party vendors was to blame, adding that the company will inform inmates, families and attorneys of the incident.
Two attorneys reached by TechCrunch reportedly “expressed alarm that their calls had been recorded.”
Yet, according to HomeWAV’s website, “unless a visitor has been previously registered as a clergy member, or a legal representative with whom the inmate is entitled to privileged communication, the visitor is advised that visits may be recorded, and can be monitored.”
It is unclear if HomeWAV broke the law by recording conversations between inmates and their lawyers, but it risks finding itself in hot water. It is also unclear whether any of the exposed data was stolen before HomeWAV shut down the service to secure it. After all, Diachenko is one of several white-hat researchers purposefully seeking to uncover exposed databases on the web and alert their owners to their lapses. Alas, there are also black-hat hackers out there, equally skilled in finding unsecured databases.
In fact, the same researcher made an almost identical finding earlier this year when Telmate, another company that facilitates monitored inmate communications with the outside world, had exposed a large database containing tens of millions of call logs, private messages, and personal information about inmates and their contacts.