Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure

qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity? Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.

Re:Wah, "threatened"

[Fallen+Kell]

1. I send you a letter saying I'm going to release security vulnerabilities about your house to your neighborhood residents and the internet in general in 30 days.

2. On day 29 with no previous contact or attempted contact, you send me a letter asking for time to fix your house's security problems, since, naturally, as a so-called "researcher" that's of equivalent interest with respect correcting future known-bad designs. You note that telling people in the neighborhood how to break into your house might have legal implications.

3. I say "fuck you, wrong law, noob" and publish because you obviously had plenty of time to contact me to discuss before and chose to not do so and instead decided best to threaten me on day 29 hoping to stall and did a poor job of threatening using laws that have nothing to do with the matter at hand trying to make your position look strong and scary when all you had to do was contact me earlier than the 29th day asking for more information on the vulnerabilities, and/or offer to hire my services as a consultant to help fix the issues your security product obviously has in place.

Fixed that for you...

Re:Deny them the pleasure of security by obscurity

[Darinbob]

This is not really the problem. These locks can not be upgraded over the network, there is no Tuesday patch day for them. It is not feasable to replace all locks from all customers within 30 days. Only a complete ass clown would post these details. It's like finding a bug that allows you to bypass security to get customer credit card numbers, then threatening to release all those numbers within 30 days.

You can not possibly assume that every company that makes a physical device needs to have a 100% perfect device for their first version, and yet that's what is sort of implied here, either have a perfect device or any bug will screw you over and all of your customers. Either that or all physical devices need to be on the internet for remote control upgrades, which sounds like an even worse scenario.

No, instead: find the bugs, report the bugs, and don't be a whale's tool by screwing them over.