What is SafeConnect? Is it spyware? Why is It Used At My School?
SafeConnect is a solution from Impulse Point, LLC. which serves to help network administrators manage BYOD (bring your own device) hardware on their networks. It is a network access control solution commonly used at schools / universities. In layman's terms, the solution consists of software which installs itself, for example, on a student's laptop when they connect to a school's WiFi network to obtain network or internet access. The software runs invisibly, gathers data, and reports information, such as whether certain programs are running on a user's machine, back to the rest of the solution (hardware and software) on the school's network. With that information, combined with the rules of the network administrator, a user may be denied access to the network / internet. Since the software runs without the user's awareness, and discloses nothing on the screen about what information is being transmitted, people may wonder if this is spyware. In fact, the software even continues to run silently when the user leaves the network and travels to another location, making questions about its activity quite understandable. This study serves to provide such answers. Disclaimer: I have no affiliation with Safe Connect and Impulse Point, LLC. The information presented herein is my opinion, based upon my observations, and while I believe the information presented in this study is accurate, you should evaluate the software and ask the manufacturer questions directly to ensure you have reliable information.
My Encounter with SafeConnect
I first learned of SafeConnect when I was on a school campus, needed internet access, and attempted to connect to the school's wireless network. Often, when one joins a wireless network, they see a network welcome message, and then they can proceed to connect to the public internet. On this day, I was prompted to install a "SafeConnect Policy Key" in order to use the network. As I soon discovered when I continued, this so-called "key" was actually an executable software program.
Most of us who use the internet know not to install executable software unless we specifically were searching for online software, such as when looking for an app, or a utility, or a game recommended by a friend. When we see dialog boxes encouraging us to install software we weren't intending to find, common sense and security best-practices advise us to run in the other direction. But, here, I was prompted by the network of an educational institution, the name of this installable software included the term "SafeConnect" and it was labled as a "key." How could I go wrong? In any event, the sensible side of me felt a red flag had been raised, and I decided to study the SafeConnect system. This whitepaper serves to share my personal findings and beliefs.
Most of us who use the internet know not to install executable software unless we specifically were searching for online software, such as when looking for an app, or a utility, or a game recommended by a friend. When we see dialog boxes encouraging us to install software we weren't intending to find, common sense and security best-practices advise us to run in the other direction. But, here, I was prompted by the network of an educational institution, the name of this installable software included the term "SafeConnect" and it was labled as a "key." How could I go wrong? In any event, the sensible side of me felt a red flag had been raised, and I decided to study the SafeConnect system. This whitepaper serves to share my personal findings and beliefs.
Users Are Prompted To Install Software to Use The Network / Internet
SafeConnect is a term used by a company called Impulse Point. When I was prompted to install a "policy key" to use the internet, I was actually directed to run an executable file. Again, for me, this was a red flag. The term "key" is not usually used to describe executable software. On a Windows-based computer, users are prompted to install "ServiceInstaller.exe" as shown below:
You will notice that the download location is not a domain name. It is an IP address. This, too, was a red flag that caught my attention. Often, when you download or install software, you see a fully-qualified domain name (e.g. microsoft.com). Seeing an IP address is certainly more worrisome to me, personally, when I am prompted to download or install software. One could possibly believe that this IP address is one from the school itself, such as an address of the WiFi hardware, but it is not. When I did an IP lookup on this address, it came back as an IP address in Florida, which I presume is a server managed by Impulse Point, since they have an office in Florida.
Had this solution thus far not referred to software as a key or used server IP addresses in lieu of domain names, perhaps I wouldn't have been as concerned.
I downloaded, but did not execute, the file. On the positive side, the file's properties contained a digital signature from Impulse Point, LLC, as seen below:
I downloaded, but did not execute, the file. On the positive side, the file's properties contained a digital signature from Impulse Point, LLC, as seen below:
What does The Software Actually Do?
In reading about the company and its products on various websites, it appears that the software is a governor and a monitor, which interacts with a hardware appliance located at the school. The software runs invisibly (without a user interface) on a user's machine, collects information and then seemingly forwards this information to the hardware appliance on the network, from which the appliance's software and the network administrator can determine if the user can use the network.
What Information Does It Collection & Transmit?
- Username (the name you use to log into your machine)
- MAC Address (every computer's network chipset has a unique identifying address)
- Existence of Antivirus Software (and version)
- Programs Running (true/false for any program added to a watch list by the network administrator)
The company's website seems to confirm reports of the above. It states: "Any data stored in the SafeConnect Policy Enforcer is either requested for business purposes (userid/network username) or can be easily obtainable from the network itself. (Mac Address, IP address, Windows Machine Name, etc)."
The company also claims to be able to export historical information, including (the below list was copied from the manufacturer's website):
According to the product page on the manufacturer's website (http://www.impulse.com/safeconnect/) , "Impulse’s Contextual Intelligence™ technology delivers real-time device information that correlates identity/role, device type, and location (along with other attributes such as ownership and compliance status) over time to power its SafeConnect solution."
For those using mobile phones, the company claims "Not only real-time monitoring for security assessment but real-time identity for mobile devices! SafeConnect is designed to deliver the real-time identity-to-device association required to support the BYOD mobile device explosion."
At http://www.impulse.com/safeconnect_nac/ , Impulse Point also states "The biggest challenge managing network performance and security today is the dramatic increase in the number of mobile devices connecting to the network. SafeConnect can keep you one step ahead by being able to identify, authenticate, on-board and monitor these devices..."
The company addresses some of these concerns at http://www.impulse.com/safeconnect/privacy-policy/ . Here, they explain that "SafeConnect does not gather any information, or perform any checks, that are not configured by a policy administrator" and "The software installed as part of the SafeConnect NAC Solution (i.e., the Policy Key) does not report or log any activity other than what is required to ensure end user compliance with the endpoint security policies set forth by the organization." The "other than" wording at the end of the preceding sentence seems rather vague and unclear to me.
The company also claims to be able to export historical information, including (the below list was copied from the manufacturer's website):
- Individual user name
- IP address
- MAC address
- Last contact/log in (date/time)
- Type of device
- Group or role
- Specific compliant policies
- Specific non-compliant or failed policies
According to the product page on the manufacturer's website (http://www.impulse.com/safeconnect/) , "Impulse’s Contextual Intelligence™ technology delivers real-time device information that correlates identity/role, device type, and location (along with other attributes such as ownership and compliance status) over time to power its SafeConnect solution."
For those using mobile phones, the company claims "Not only real-time monitoring for security assessment but real-time identity for mobile devices! SafeConnect is designed to deliver the real-time identity-to-device association required to support the BYOD mobile device explosion."
At http://www.impulse.com/safeconnect_nac/ , Impulse Point also states "The biggest challenge managing network performance and security today is the dramatic increase in the number of mobile devices connecting to the network. SafeConnect can keep you one step ahead by being able to identify, authenticate, on-board and monitor these devices..."
The company addresses some of these concerns at http://www.impulse.com/safeconnect/privacy-policy/ . Here, they explain that "SafeConnect does not gather any information, or perform any checks, that are not configured by a policy administrator" and "The software installed as part of the SafeConnect NAC Solution (i.e., the Policy Key) does not report or log any activity other than what is required to ensure end user compliance with the endpoint security policies set forth by the organization." The "other than" wording at the end of the preceding sentence seems rather vague and unclear to me.
Why Would My Network Administrator Need My Name And Running Programs?
I wondered why any network administrator needs to know this information. When I stay at a hotel, I can connect to the internet without installing software that watches over my machine. Must I really have software divulging to my network administrator what programs I have open on my computer? In reading the company's website and other information online, it seems that network administrators might want to block certain activity. For example, if a user is running a file-sharing program, and sharing music illegally, the network administrator can reportedly define rules to block that user from accessing the internet. That sounds like a good idea, however, the user might be sharing files legally. The software also identifies the user, which seems to put the user in a position where now the administrator might be able to identify them and their activity by their username or a registered computer MAC address. I can imagine a whole slew of legal questions that could arise if a student was deemed to be using a program which they shouldn't, to put it mildly. This practice was concerning to me, personally, since merely running a program doesn't mean that one has committed a crime and some programs that have been used for unlawful purposes have also been used for ordinary, legitimate purposes. Should the administrator really know what programs I am running? Now, in fairness, it doesn't report every program running on a machine unless the network administrator has identified the details of those programs in a list of watched programs. The company's website (http://www.impulse.com/safeconnect/) states that "It can only return a true/false check on the presence (or absence) of a file, provided the complete path is given." But, on the flip side, an administrator could presumably add 100 commonly-used programs to a list, and then check on the status (running or not) of a large list of programs, and have a pretty good idea what common programs [username] is running at every moment when on the network. That, too, concerned me.
The software also purports to ensure users are using anti-virus software, and perhaps even a current version. This seemed like a good idea to me, however, I know that I have anti-virus software on my machine, and I would rather not trade my machine's activity in exchange for a possibly-safer network. Of course, if I don't choose that trade-off, I am denied access to the school's network.
The software also purports to ensure users are using anti-virus software, and perhaps even a current version. This seemed like a good idea to me, however, I know that I have anti-virus software on my machine, and I would rather not trade my machine's activity in exchange for a possibly-safer network. Of course, if I don't choose that trade-off, I am denied access to the school's network.
Monitoring the Monitor...
I thought it would be interesting to run a process monitor that watches over the SafeConnect software and shows what actions it is performing. I installed the software and watched over the watcher. It installed 2 processes on my machine, a Windows Service "scManager.sys" and an executable "SCClient.exe," both of which have no user interface. Again, these programs run silently. My process monitor, however, saw them busy at work:
As expected, I saw it accessing my system registry, my computer's file system, and transmitting apparently-encrypted data back to the network. In less than 2 minutes after I had connected to the internet, my process monitor had logged 46,995 events for just these 2 SafeConnect processes! Below, for example, you can see a small sample of the many events I recorded where the software was checking for anti-malware software...
Does It Shut Down When You leave the Network? (Answer: No)
One of the things that surprised me the most was that the 2 SafeConnect processes continued to run and monitor my activity even when I had disconnected from the network and driven to another location many miles away. I was outdoors, using my computer, without any network connection, roughly 10 miles from the school, and I decided to run my process monitor to see whether SafeConnect was inactive. I was shocked to log over 11,000 events from these 2 busy processes in a mere 1 minute, 50 second period of time, as seen below:
That's roughly 100 events per second! To put this into perspective, this is what happened in just a fraction of a second (see the timestamp on the left):
What really concerned me was the load on my hard drive. If I filtered the off-campus events to just those that read/write against my computer's hard drive, even then there were multiple read/writes EVERY SECOND. Mostly, it was repetitive nonsense and none of it needed to occur when I was not even connected to the school's network. In just a 5 second period of time, while I was not even on campus, I recorded 42 file-system events against my hard drive:
SafeConnect Performs Between 725,000 - 3 million+ Hard Drive Read/Writes Per Day?
I did not record the activity for a 24 hour period, but if you extrapolate from the above data, SafeConnect would read/write against your hard drive 504 times per minute, or 30,240 times per hour, or 725,760 times per day... while not even connected to the network. If you leave your computer on, it seems to me that SafeConnect's churning of a computer hard drive for an extra 725,760 read/writes per day could contribute to an early death of your hard drive. And, again, this calculation was from a period of time when the computer was not even connected to any network and the computer was 10 miles away from the school's campus. From my observation, the churn would be even worse when connected because more file system operations are in progress while on the network. In one such 2 minute "on the network" test, I recorded 4,397 file read/writes. That equates with 2,198 read/writes per minutes, which is roughly 4.5 times more than the 504 times (per minute) when I was off the network. At that rate, in one "on the network" day it would use my hard drive 131,880 times per hour or 3,165,120 times over the course of that 24 hours! Admittedly, I didn't actually log the data for 24 hours straight, but I also saw no slowdown in the activity when I did perform my testing.
While I could understand, technically, the SafeConnect system checking my hard drive while I was on the network, I could think of no reason for the software processes to be churning my hard drive when I was off the network. In my opinion, this is a development mistake. I believe the program should slow down to an "asleep" state when one is not on the network, but unfortunately it doesn't operate this way. In fact, I would also argue that developers should have placed small delays between each cycle of activity while on the network. I don't believe the software needs to check my hard drive, or even my system registry, countless times per second when arguably the same checks could be slowed down and performed less times each minute.
While I could understand, technically, the SafeConnect system checking my hard drive while I was on the network, I could think of no reason for the software processes to be churning my hard drive when I was off the network. In my opinion, this is a development mistake. I believe the program should slow down to an "asleep" state when one is not on the network, but unfortunately it doesn't operate this way. In fact, I would also argue that developers should have placed small delays between each cycle of activity while on the network. I don't believe the software needs to check my hard drive, or even my system registry, countless times per second when arguably the same checks could be slowed down and performed less times each minute.
Can it Be Paused / Stopped / Uninstalled?
Naturally, after performing tests, and seeing that the software took a toll on my system, I wanted to stop it. The software, again, offers no user interface. There is no icon in the bottom-right of your computer, near the clock. There is no desktop icon, or any icon for that matter, that allows you to pause the SafeConnect software. There is no desktop icon that allows you to uninstall it, although one is hidden if you know where to look. When I originally couldn't find an uninstaller, I had to click CTRL-ALT-DEL, enter Task Manager, click on the Processes tab, and kill the two SafeConnect processes. That wasn't exactly a user-friendly approach to stopping the service. I wondered if the program would eventually stop and so I did some research.
At http://www.impulse.com/safeconnect/privacy-policy/ , the company states "The SafeConnect Policy Key automatically dissolves (uninstalls itself) after a pre-determined time of inactivity. Users can also uninstall the policy key themselves if they choose." But, from my research, it seems the software only uninstalls itself after 60 days, and how would the user know to uninstall the software ("policy key") prior to that time?
It seems to me that a casual user could walk on campus with a notebook computer, see a WiFi network, click to join the internet, accept the installation of the so-called "policy key" (the software), use the internet for a few minutes, leave campus back to their home, plug in the computer, and the SafeConnect software would continue to run silently and cause 43,500,000 read/writes to the user's hard drive, along with other activity, over the next 60 days before the software uninstalls itself. All that for a few minutes of internet usage while on school campus? Maybe I am wrong, as I haven't tried monitoring it for 60 days. My research and observations suggests this to be correct.
They claim the software can be uninstalled. But, how would a user even know they should want to uninstall software when A) they didn't realize they were installing monitoring software and B) they didn't realize the software would continue to monitor the system even when disconnecting from the network?
I did continue to check the system to figure out how to uninstall the software, and I found their uninstaller located at:
"C:\Program Files (x86)\SafeConnect\Uninstall.exe"
If you have the software installed on a Windows PC, and you wish to remove it, navigate to this folder, and double-click the uninstall icon. A process monitor check thereafter did indeed show no more activity from either of the 2 SafeConnect processes. You could also use the Uninstall Program option located within the Windows Control Panel, which seems to access the same uninstall executable file as I have referenced above.
At http://www.impulse.com/safeconnect/privacy-policy/ , the company states "The SafeConnect Policy Key automatically dissolves (uninstalls itself) after a pre-determined time of inactivity. Users can also uninstall the policy key themselves if they choose." But, from my research, it seems the software only uninstalls itself after 60 days, and how would the user know to uninstall the software ("policy key") prior to that time?
It seems to me that a casual user could walk on campus with a notebook computer, see a WiFi network, click to join the internet, accept the installation of the so-called "policy key" (the software), use the internet for a few minutes, leave campus back to their home, plug in the computer, and the SafeConnect software would continue to run silently and cause 43,500,000 read/writes to the user's hard drive, along with other activity, over the next 60 days before the software uninstalls itself. All that for a few minutes of internet usage while on school campus? Maybe I am wrong, as I haven't tried monitoring it for 60 days. My research and observations suggests this to be correct.
They claim the software can be uninstalled. But, how would a user even know they should want to uninstall software when A) they didn't realize they were installing monitoring software and B) they didn't realize the software would continue to monitor the system even when disconnecting from the network?
I did continue to check the system to figure out how to uninstall the software, and I found their uninstaller located at:
"C:\Program Files (x86)\SafeConnect\Uninstall.exe"
If you have the software installed on a Windows PC, and you wish to remove it, navigate to this folder, and double-click the uninstall icon. A process monitor check thereafter did indeed show no more activity from either of the 2 SafeConnect processes. You could also use the Uninstall Program option located within the Windows Control Panel, which seems to access the same uninstall executable file as I have referenced above.
Is It Worth It? Why are schools Debating Discontinuance of SafeConnect?
The decision to use or not to to use must be considered by both the facility (e.g. the school) and the user. The user software admittedly takes an unnecessarily-heavy toll on the machine, and exposes user information to the network administrator. In fact, it appears an earlier and vulnerable version of the software may have even exposed user information to others on the network, but this was since resolved. Some schools have debated ending their relationship with SafeConnect, and others have questioned the use of the software, as mentioned at:
http://www.newschoolfreepress.com/2012/03/29/how-safe-is-safeconnect/
http://www.newschoolfreepress.com/2012/04/12/are-safeconnects-days-numbered/
http://tcnjperspective.com/2010/11/01/safeconnect-security-or-spyware/
http://www.newschoolfreepress.com/2012/03/29/how-safe-is-safeconnect/
http://www.newschoolfreepress.com/2012/04/12/are-safeconnects-days-numbered/
http://tcnjperspective.com/2010/11/01/safeconnect-security-or-spyware/
Alternative
Keep in mind that when you join a WiFi network at a hotel or a coffee shop, you are not prompted to install a "policy key" (SafeConnect's term for monitoring software). It is indeed possible to provide network access without employing the use of monitoring software. If a network administrator wants to block certain websites, they can do so from a regular firewall. They would arguably still have trouble blocking certain file-sharing programs that use peer-to-peer methodology, and they couldn't enforce users having current virus definitions, but there is such an alternative to network access control that has worked well in hotels and coffee shops for years.
Conclusion
From a technical ability, I think the folks at Impulse Point have created an interesting system. It is innovative and I applaud innovation. However, the constant cycling against the registry and hard drive, and the fact that the system still operates while away from the underlying network (e.g. the school's WiFi network), appear to be very problematic.
From an ethical standpoint, I believe users should be clearly informed that the software will perform the functions I have highlighted in this study. It does not do so. The system also refers to the installation of software as installation of a "policy key". I believe the use of the term "key" is misleading. "Keys" sit passively and have other meanings in the world of tech. This is not a key. SafeConnect software actively monitors the user's machine and passes user data to the network administrator. It should be described in that manner. People should have the right to make an informed choice with sufficient detail, and currently -- at least per my observation -- this doesn't happen to the degree that I find to be reasonable.
From a practical standpoint, I also believe the manufacturer should disclose the functionality on-screen during a quick user-guided (not silent) installation process, place a secondary Uninstall icon on the desktop, allow users to choose during installation the desired lifetime of the installation (e.g. 1 hour, 1 day, 1 week, etc.), and allow users to pause the service at their discretion.
Until such time as these issues are resolved, I find the SafeConnect software to be interesting but understandably worrisome to many in the educational community. We should also recognize that many in the education community, where SafeConnect is largely used, are minors, or young adults, and those who work with this audience should hold themselves accountable to providing an even-greater level of disclosure than in the standard business community.
From an ethical standpoint, I believe users should be clearly informed that the software will perform the functions I have highlighted in this study. It does not do so. The system also refers to the installation of software as installation of a "policy key". I believe the use of the term "key" is misleading. "Keys" sit passively and have other meanings in the world of tech. This is not a key. SafeConnect software actively monitors the user's machine and passes user data to the network administrator. It should be described in that manner. People should have the right to make an informed choice with sufficient detail, and currently -- at least per my observation -- this doesn't happen to the degree that I find to be reasonable.
From a practical standpoint, I also believe the manufacturer should disclose the functionality on-screen during a quick user-guided (not silent) installation process, place a secondary Uninstall icon on the desktop, allow users to choose during installation the desired lifetime of the installation (e.g. 1 hour, 1 day, 1 week, etc.), and allow users to pause the service at their discretion.
Until such time as these issues are resolved, I find the SafeConnect software to be interesting but understandably worrisome to many in the educational community. We should also recognize that many in the education community, where SafeConnect is largely used, are minors, or young adults, and those who work with this audience should hold themselves accountable to providing an even-greater level of disclosure than in the standard business community.