Life and Limb Exception: Researchers OK Outing Dangerous IoT Holes

Security researchers surveyed at the Black Hat Conference said it was OK to circumvent vendors who were not responding to vulnerabilities in their products - especially when public safety was at risk.
Security researchers surveyed at the Black Hat Conference said it was OK to circumvent vendors who were not responding to vulnerabilities in their products – especially when public safety was at risk. (Image courtesy of UBM.)

In-brief: a survey of security professionals finds they are willing to circumvent vendors who do not respond to reports of security holes in their products. 

Security researchers who merely dish the details of serious software holes to the public without first trying to work cooperatively with the software vendor are likely to encounter a lot of wagging fingers. While unencumbered “full disclosure” may have been flag that security folk rallied to 10 or 15 years ago, these days the mantra is “coordinated disclosure” in which a security researcher works cooperatively with a vendor to get the security holes fixed prior to publishing details about the holes in question.

But in the case of security holes in “connected devices” that are a part of the Internet of Things, the attitude is a bit different, with security researchers far more willing to do an end-run around uncooperative vendors rather than allow an insecure device to threaten life and limb. That, according to a recent survey of security researchers by the firm Alien Vault.

There, security researchers say that the risk to life and limb make it incumbent on the researcher to raise alarm about the danger even if that means going around the manufacturer by staging a private – or even public demonstration of the security hole.

[Read more about security issues related to Internet of Things products here.]

Asked how security researchers should respond when a life threatening vulnerability has been discovered on a connected device such as a plan or car, but disclosure to the manufacturer “hasn’t worked,”  a plurality – 36% – believed that the vulnerability should be disclosed to willing participants in a private setting. But support for more ‘in your face’ approaches was strong. Thirty two percent of those surveyed thought demonstrating the vulnerability on a “live system” or with willing participants in a public space was the right approach. Nineteen percent said that full disclosure to the media was the best course of action, while roughly the same percent thought disclosure in a conference setting such as Black Hat was the way to go.

A plurality of researchers backed private disclosure of information on vulnerabilities. But many backed more confrontational approaches to informing vendors and the public, the AlienVault survey showed.
A plurality of researchers backed private disclosure of information on vulnerabilities. But many backed more confrontational approaches to informing vendors and the public, the AlienVault survey showed.

The AlienVault survey collected information from 651 Black Hat attendees – hardly definitive, but still a good measure of attitudes within the information security community. It comes on the heels of prominent demonstrations of security weaknesses in high-profile, connected products. Among those: a demonstration of wireless, software based attacks on a Jeep Cherokee by researchers Charlie Miller and Chris Valasek. Their demonstration of a software-based takeover of the Jeep’s entertainment system, transmission and other critical functions prompted Fiat Chrysler to recall 1.4 million vehicles to address the problem.

However, the researchers demonstration of the attack on a vehicle driven by Wired reporter Andy Greenberg on a public highway prompted charges that Valasek and Miller had endangered public safety to make a point. The incident followed an April incident in which FBI agents boarded a plane in Syracuse, New York, and arrested researcher Chris Roberts after he tweeted messages suggesting that he could interfere with the plane’s EICAS (Engine Indicating and Crew Alerting System). A subsequent affidavit for a search warrant filed by the FBI alleged that Roberts tampered with in-flight systems aboard a commercial flight from Denver to Chicago on April 15.

Other researchers have demonstrated security and privacy holes in products ranging from drug infusion pumps to baby monitors.

Efforts in Washington D.C. and elsewhere to address pressing public safety issues engendered by new “smart” products have proven thorny. For example, legislation to force automakers to shore up the security of connected vehicles has stalled in Congress and there is confusion about the best lever to use to force improvements in connected device security.

Even then, makers of complex devices such as cars are exposed to vulnerabilities throughout their long supply chain. Chris Valasek, of Uber’s Advanced Technologies Group told attendees at the Security of Things Forum in Cambridge on September 10 that security issues with connected cars can emerge from any point in the auto maker’s supply chain, complicating efforts to secure vehicles. The responsibility to patch holes or responding to attacks falls across a much broader ecosystem of companies – from component makers to wireless carriers.

Within the software industry, many leading firms have turned to official “bug bounty” programs to provide financial incentives to independent researchers to look for holes in their products, and to formalize the process for disclosing the information on those holes.

To help codify that process, the firm HackerOne, which facilitates bounty programs on behalf of software firms, published a Vulnerability Coordination Maturity Model earlier this month to help organizations assess their preparedness to respond to vulnerability reports and act on them and begin moving towards coordinated vulnerability disclosure.

Comments are closed.