April 23, 2023

Statement regarding a Quad Cortex security vulnerability

On Friday April 21st we were alerted to an unsuccessful login to the email account we use to collect reports and logs sent from Quad Cortex. This turned our attention to a security vulnerability on Quad Cortex that granted exploiters temporary access to the aforementioned email account.

This exploit was immediately fixed internally, meaning no further access is possible. However, this has resulted in Quad Cortex being unable to send new reports or logs until CorOS 2.0.2 has been installed.

We are beta testing CorOS 2.0.2 internally and intend to release it this week. 

Unfortunately, due to the exploit, approximately 3300 names and email addresses were viewable by a small number of individuals who are attempting to expose security vulnerabilities on Quad Cortex. This does not mean the exploiters were able to log in to the email accounts - they could only see the names and email addresses in a list.

While the exploiters were able to access the inbox of the email account containing the reports and logs, they did not, to the best of our knowledge, exploit this breach with malicious intent to gain access to customer data.

Quad Cortex also records the names and passwords of all the WiFi networks it has connected to since the last factory reset. Unfortunately this data was not encrypted.

The WiFi passwords for any user who sent a crash log to us (after a system failure, not by sending a log via Settings > Contact Us > Send Report) were also accessible to the exploiters.

We identified approximately 430 users affected by this. This issue has been fixed in CorOS 2.0.2, and Quad Cortex will no longer record the passwords of WiFi networks in the crash logs.

No further personal information or sensitive data is collected by Quad Cortex and, therefore, nothing else has been exposed.

We have emailed the users who have been affected by this breach. If you have ever sent a Quad Cortex report or a crash log, the above applies to you. If you have not sent a Quad Cortex report or a crash log, your name, email address, or WiFi password has not been exposed.

I apologize deeply for this inconvenience and our oversight. We value our users’ privacy above anything else and we were devastated to learn of this vulnerability being exploited. We will be doing everything possible to deeply evaluate our systems and Quad Cortex to ensure nothing like this can happen again.

If you have any questions, please do not hesitate to contact support@neuraldsp.com

Best wishes,

Douglas Castro (CEO)