More evidence of the potential chilling effect the Wassenaar Arrangement could have on security research surfaced this week when it was revealed HP has decided not to take part in November’s Mobile Pwn2Own hacking contest in Japan.
Dragos Ruiu, who organizes the CanSecWest and PacSecWest conferences that include the Pwn2Own contests, told Threatpost that HP and its Zero Day Initiative had declined to participate in this year’s event and cited Japan’s implementation of Wassenaar as the reason. HP ZDI did sponsor Pwn2Own this spring in Vancouver during CanSecWest; Mobile Pwn2Own will go on, with Ruiu actively seeking a new sponsor, he said.
HP senior manager for threat research Jewel Timpe said the decision was made a couple of months ago after a period of consultation with internal legal and compliance experts. The root of HP’s decision, she said, was the real-time transfer of research from the researcher to HP ZDI and then to the affected vendor.
“It’s due to difficulty in handling, defining and getting the licensing in real time that the contest demands,” Timpe said. “On the ground running the contest, how does one effect transfers and not run afoul of the arrangement? There was no clear path to do that easily and quickly.”
The company reportedly spent upwards of a million dollars in legal fees looking into Wassenaar and its effects; Timpe would not confirm that figure. Through HP’s sponsorship of Pwn2Own, ZDI buys all the bugs demonstrated during the contest and immediately shares vulnerability details with the affected vendors. Under Wassenaar, exploits require export licenses before they can be moved across borders, adding compliance overhead not only for HP, but also for participating researchers.
Timpe said ZDI would still participate in Pwn2Own next spring in Vancouver, unless the climate changes drastically in the interim. In the U.S., researchers await a second draft of the proposed Wassenaar implementation after harsh comments on the initial draft called the rules vague and dangerous to security research, innovation, and online security and privacy.
“Our decision came about really as a business and legal risk decision,” Timpe said. “We felt it was the right business decision given the information we had at the time.”
Last December, changes were made to the Wassenaar rules that brought zero days and other vulnerability exploits under its control. Research and vulnerability disclosure were not exempt under the proposed U.S. rules, which were drafted to implement the December changes; that draft was withdrawn in July after a 60-day comment period produced hundreds of submissions from researchers and technology companies worried about the language and its impact on many aspects of computer security and privacy.
The intent of the rules is to prevent not only the sale, but also the support, of so-called intrusion software developed by companies such as Gamma International (FinFisher) or Hacking Team (Remote Control System). Intrusion software is used by law enforcement and other government agencies, including those in sanctioned nations, to monitor the activities of citizens, raising not only computer security and privacy concerns but also human rights issues, since the personal safety of some individuals could be put at risk through the use of these tools. Some experts said the vague language in the rules’ first draft demonstrated a lack of understanding of computer security, in particular of how terms such as zero-day apply in this context.
“Wassenaar is a piece of junk as far as computer security goes,” Ruiu said. “It stops the good guys and doesn’t do diddly to the bad guys.”
Pwn2Own has for close to a decade been one of the premier hacking contests with researchers turning over critical bugs in software from major technology companies including Microsoft, Adobe and Apple, as well as in all the major browsers.
Ruiu and Timpe said Canada’s implementation of Wassenaar is much clearer than Japan’s, which makes it much easier to transfer exploits there.
“That million-dollar figure is not a joke. That’s the kind of overhead Wassenaar is placing on companies now,” Ruiu said. “That million dollars should have gone toward fixing bugs and more research.”
Ruiu said HP’s participation is not precluded in the future and that the company is watching to see how things shake out before moving forward, in particular whether exemptions for legitimate research materialize. For now, Ruiu said HP ZDI’s decision not to participate could open new opportunities for the contest to expand to other products and to loosen the rules on what types of bugs are eligible.
“I was hoping everybody would have the clear idea that this is research; we’re talking about bugs, not exploits,” he said. “This stuff is marginally weaponized, not many of these [bugs] you’d say would be ready to use to exploit someone.”