Kill switch found in ComponentForge/Safabyte components

Summary

We have just learned that some versions of ComponentForge and Safabyte products include "kill-switch" or "call-home" code that occasionally calls a webservice at the vendor's website. This can be both a security and a reliability threat. The full version of NetXtremeFtp Suite was reported to contain this functionality. We are not sure yet whether their other components or XtraComponents products also suffer from this issue. Needless to say, there is no mention of this anywhere on the vendor's website or in their "privacy policy". But what else can one expect from a fraudulent business entity that doesn't even tell you their address or owner name...

Symptoms

When using the purchased "full version" of NetXtremeFtp Suite sold under ComponentForge and Safabyte brands, you may experience the following SfbLicenseException error when ComponentForge or Safabyte websites are not operational:

{"The license key is invalid or has been deactivated. Please contact ComponentForge Sales Team at sales@componentforge.net."}

This exception is raised from a background thread that is started when the FtpClient object's constructor is called.

Complete stack trace:

at Cforge.Licensing.Ftp.SfbLicenseManager.ValidateLicenseThreadStart()
at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()

Analysis

The NetXtreme component tries to validate the license key at runtime by calling a webservice located at the ComponentForge or SafaByte websites. The address of this webservice is http://www.componentforge.net/license.aspx?val=key or http://www.safabyte.com/license.aspx?val=key, where "key" is the "license key" you get when you purchase a "license" to these stolen components. The webservice returns a single byte: 1 if the key is valid and 0 if it isn't. The check is not done every time; it only occurs on the 3rd, 6th, 9th, 12th, ... day of every month.

Validating license keys by calling a webservice at the vendor's website is a very bad practice because it renders the component completely unusable:
  • when disconnected from the Internet
  • when it runs behind a paranoid firewall
  • when the vendor's website is being rebooted, in maintenance or just inaccessible
  • when Safabyte/ComponentForge goes out of business (which can happen overnight)

On December 3rd, 2009, some versions of NetXtreme FTP Suite stopped working when both ComponentForge and SafaByte websites were down temporarily. This behavior was only observed in the purchased copies of the components.

It is quite amusing that a Vietnamese software pirate is so concerned about other people pirating his software that he has chosen to offer this crippled version as the "full version" of his product.

Kill switch

This "feature" makes it possible for the vendor to:

  • render any "full version" of the software useless by disabling its license key in their database
  • force an upgrade without the customer's agreement (by switching off old license keys)

Even well-known companies have been criticized for including kill switches in their products. Because the ComponentForge/Safabyte/XtraComponents "company" is actually a scam, this is yet another reason to stop using their products immediately. Essentially, all their clients are at the mercy of a software pirate.

Possible security threat?

It is always worrying when a component connects to a webservice at the vendor's website, and even more so if it was made by a fraudulent entity. For example, it would be extremely easy to "enhance" this to steal their clients' passwords as well. Although this doesn't seem to be the case at the moment, the infrastructure is there.

Also, calling a webservice at the vendor's website means that the vendor knows the IP addresses of all his clients, which in itself can be a security threat.
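As an added example (not code from this article or from any of the vendors mentioned), the following Python script scans web proxy logs for the call-home described in the Analysis section, i.e. requests to license.aspx?val=... on the ComponentForge or Safabyte hosts, so an administrator can see which machines are exposing their addresses to the vendor and which checks failed. The log format and sample lines are constructed, and the assumption that the day-of-month schedule is evaluated in UTC is mine.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Hosts and path of the license webservice named in the article.
CALL_HOME_HOSTS = {"www.componentforge.net", "www.safabyte.com"}
CALL_HOME_PATH = "/license.aspx"

# Constructed sample proxy log; assumed format: unix_ts client method url status.
# The first three lines fall on 2009-12-03 (UTC), the outage day mentioned above.
SAMPLE_LOG = """\
1259841600.123 10.0.0.15 GET http://www.componentforge.net/license.aspx?val=ABCD-1234 200
1259841601.456 10.0.0.15 GET http://www.example.com/index.html 200
1259841602.789 10.0.0.22 GET http://www.safabyte.com/license.aspx?val=EFGH-5678 503
1259928000.000 10.0.0.22 GET http://www.safabyte.com/download.aspx 200
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
                     r"(?P<url>\S+)\s+(?P<status>\d{3})$")

def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_call_home(url):
    """True if the URL is the license check: license.aspx?val=<key> on a vendor host."""
    parts = urlsplit(url)
    return (parts.hostname in CALL_HOME_HOSTS
            and parts.path.lower() == CALL_HOME_PATH
            and "val" in parse_qs(parts.query))

def find_call_home(log_text):
    """List every license call-home in the log; the key itself is never copied out."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_call_home(rec["url"]):
            continue
        when = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)  # assumed UTC
        status = int(rec["status"])
        findings.append({
            "client": rec["client"],                 # IP the vendor now knows about
            "host": urlsplit(rec["url"]).hostname,
            "day": when.day,
            "on_schedule": when.day % 3 == 0,        # matches the described cadence
            "status": status,
            "check_failed": status != 200,           # no 1-byte answer -> exception
        })
    return findings
```

A failed entry (non-200 status) on a client is the moment that client's FtpClient background thread would have thrown SfbLicenseException.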

Solution

Considering that all Safabyte/ComponentForge/XtraComponents products mentioned in this article are illegally based on source code owned by Rebex and other vendors, all customers are advised to cease using them and to replace them with legitimate products by reputable companies, preferably those that don't call any questionable webservices behind their back.

Credits

Big thanks goes to Max, former ComponentForge/Safabyte client, for bringing this issue to our attention!