Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure
qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity?
Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.
So, instead of a minor blip of a story that some piece of gear has a vulnerability, that then gets patched and largely ignored amid the chorus of other similar stories, you've now elevated the tale of your gear's vulnerability to the front page of various tech sites, not because it's a vulnerability, but because you threatened legal action to prevent disclosure of the vulnerability.
That's some great work at shooting yourselves in the foot. I would have thought more people get that by this point in the internet age, but apparently not.
How is a bitcoin exchange supposedly spying on someone related to a vulnerability disclosure for a digital lock?!
1. I send you a letter saying I'm going to release security vulnerabilities about your house to your neighborhood residents and the internet in general in 30 days.
2. On day 29, with no previous contact or attempted contact, you send me a letter asking for time to fix your house's security problems, since, naturally, as a so-called "researcher" that's of equivalent interest with respect to correcting future known-bad designs. You note that telling people in the neighborhood how to break into your house might have legal implications.
3. I say "fuck you, wrong law, noob" and publish, because you obviously had plenty of time to contact me to discuss this before and chose not to do so. Instead you decided it best to threaten me on day 29 hoping to stall, and did a poor job of threatening, using laws that have nothing to do with the matter at hand, trying to make your position look strong and scary, when all you had to do was contact me earlier than the 29th day asking for more information on the vulnerabilities, and/or offer to hire my services as a consultant to help fix the issues your security product obviously has.
Fixed that for you...
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
This little circus shows security-conscious potential customers something very important about Cyberlock: their first response to an issue affecting the customer's security is to attempt to punish the person who found it.
Seriously...who wants a company like that in charge of security? I'd like to see some lawsuits from existing clients over false advertising and failure to act as one would reasonably expect a security company to act.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
This is not really the problem. These locks cannot be upgraded over the network; there is no Tuesday patch day for them. It is not feasible to replace all locks for all customers within 30 days. Only a complete ass clown would post these details. It's like finding a bug that allows you to bypass security to get customer credit card numbers, then threatening to release all those numbers within 30 days.
You cannot possibly assume that every company that makes a physical device needs to have a 100% perfect device for their first version, and yet that's what is sort of implied here: either have a perfect device, or any bug will screw you over and all of your customers. Either that, or all physical devices need to be on the internet for remote control upgrades, which sounds like an even worse scenario.
No, instead: find the bugs, report the bugs, and don't be a whale's tool by screwing them over.
In other words, if one party sucks, the other party can break federal and state laws on extortion? I'm sorry if I can't find this reasoning listed in the ethical hacker handbook.
It wasn't a dreadfully threatening letter, no, but the mere fact that they called in their lawyer rather than getting one of their engineers to contact him is both bizarre and disturbing.
The lawyer claims to have wanted to discuss the technical details of the vulnerability. It doesn't seem likely that that would be a productive conversation.
He's actually helping their customers, because their customers have bought a flawed product that isn't fit for purpose. By disclosing the vulnerabilities, these customers are now aware and can demand a fix or switch to an alternative product.
If they sweep these vulnerabilities under the rug, that doesn't mean they go away or that no one knows about them; it just means that the customers don't know about them. Others with more nefarious goals may still be aware of the issues and decide to exploit them, an attack that will be completely unexpected because the customers have false faith in the product. In fact, false faith in a security product often leads victims of exploitation to blame something else (often the staff) when a breach happens, because they refuse to accept that their expensive security product is flawed.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Lawyers don't care if they lose the case or not, they just care that they get paid which happens either way. As with most legal actions, both sides lose and only the lawyers benefit in any way.
Parent is correct - disclosure is only responsible when something can be done to fix the vulnerability. If nothing can be done, find some other way to disclose.
I'm a minority race. Save your vitriol for white people.
In this case, something can be done: the company can stop selling the lock as "secure" (or "a lock"), and then put out a new one that is actually secure. Maybe do a product recall so people know about it.
You know, it's possible to disclose that a vulnerability exists without disclosing how to exploit it. The letter from the lawyer also states that the firm is interested in discussing this further but was rebuffed by the "researcher". How are they supposed to know if the exploit is real or not if the "researcher" in question refuses to disclose the PoC to their lawyer. I'm pretty certain that a single phone call resolved the "are you working on their behalf" question. At that point (verification) he should have simply given the vendor the PoC and a few more days before putting people at risk.
What did they do instead? Start threatening the guy who told them about the vulnerabilities.
(How do you know they weren't going to contact their customers after the PoC was verified? You have a time machine?)
Anyway I dunno about the "threat" - I read that letter from them that he published; I don't get any impression of threats, implicit or otherwise. I read the summary. He gave them 30 days to respond to him. They took 29 days. Now he feels that they took too long to get back to him... what a crybaby.
The problem here is not the vendor (yet). This is a physical item that may or may not need to be recalled. That is the problem. That, and the fact that reading the "researcher's" (I hate using this word to describe this guy) story from the link in TFS shows quite clearly that he's handling this in an irresponsible manner. Go ahead, click the link and read what he has to say - "Hey personally /i/ love the drama on this kind of stuff.. ".
Amazing how little has changed... you'd think with improved communication and mobility (of goods and people), attitudes would have shifted in favor of disclosure.
Had the vendor shown any actual interest in addressing the issue rather than burying it, they probably could have gotten an extension. Instead, they chose to squash any inclination to good will by prattling on with vague DMCA threats.
If the nature of the attack isn't released in detail, how does anyone learn from the mistake? As for the details, what good does it do to tell the lawyers? Might as well tell the mailroom guy. If they were serious about learning from their mistake, they would want him to discuss it with an engineer. Perhaps if the disclosure is public, one of the engineers might hear about it in a coherent enough form to actually fix something.
They made specific claims about their security product that have been determined to be untrue. What's your solution? Let them keep selling weak security to high security facilities?