With apologies to George R. R. Martin, the drama around legitimate security research is starting to rival anything the Starks, Lannisters and Targaryens could muster.
Hardly a month goes by without some white-hat bug hunter finding themselves wedged against a vendor or government threatening legal or regulatory action over disclosures that would serve only to make something more secure. Clearly some points on this vendor-researcher-policymaker triangle just don’t get that subtlety.
Instead, some vendors are threatened by bug reports and conference talks that expose weaknesses in software and devices. Sometimes private disclosures are ignored, and rather than take action to secure their heavily marketed software, connected automobiles or other Internet-enabled things, some vendors lash out at researchers. And lawmakers and policymakers, rather than listen to influential hackers, tend to dismiss them as basement-dwelling, Red Bull-drinking introverts with too much time on their hands. Or they endorse such things as the Wassenaar Arrangement.
The latest casualty was an upcoming Hack-in-the-Box GSEC Singapore talk scheduled to be given by Gianni Gnesa, a researcher with Swiss security company Ptrace Security. Citing vendor pressure, Gnesa pulled his talk despite the fact that he’d privately disclosed to the three affected vendors of IP-enabled surveillance cameras three months before the talk. Two of the vendors acknowledged Gnesa’s bug reports (one said they were working on a fix, and the other said they had no idea what to do with the information Gnesa had provided), while the third has yet to do so, he said.
Once Gnesa shared with the vendors that he was planning to do a talk at HITB Singapore about the vulnerabilities, the tone of the conversation changed, Gnesa said.
“In the e-mail, I asked them if they would like to review the content of the presentation and give me their feedback so that I can make the changes before I go to Singapore,” Gnesa said. “That clearly didn’t work as I expected.”
Gnesa will not publicly disclose the affected vendors, but said his talk was going to cover the components of IP surveillance cameras that would be relevant to a white-hat (Web interface, network services, signal processing and more). He was also going to share examples of attacks that could be used against the three popular cameras by exploiting one or more vulnerabilities. His proof-of-concept exploits, he said, were sent to the vendors in addition to the bug report.
Gnesa would not share details about the specific concerns the vendors in question had with the presentation.
“I will not say much about this because I do not want to make the situation worse,” Gnesa said. “I can tell you that from the moment I informed the vendors of my intention to present some of my findings at HITB GSEC Singapore, all my e-mails to the IT departments have been handled by legal representatives. Sadly, local laws and user agreements can easily be used to depict a security researcher as a criminal, and they know that very well.”
The landscape has been harsh lately for security researchers. Just a few weeks ago, security company FireEye challenged ERNW, a German security consultancy that found a number of vulnerabilities in one of FireEye’s products. FireEye sought legal action to stop ERNW from disclosing the flaws after a 90-day disclosure period expired. FireEye eventually patched the issues.
The controversial U.S. and worldwide implementations of the Wassenaar Arrangement and its controls over so-called intrusion software were cited by HP in its decision to pull its sponsorship of the Mobile Pwn2Own hacking contest next month in Japan, and by a U.K. university student who decided to redact some parts of his dissertation on working bypasses for Microsoft’s EMET attack-mitigation tool, citing legal concerns raised by his school.
Gnesa said he ran into a similar situation months ago when research into vulnerabilities in an APT detection solution was squashed after it was clear the vendor would pursue legal action. In the case of the IP-enabled surveillance cameras, Gnesa said he was not informed by the vendors of what the consequences could be if he went public.
“Again, I don’t want to make the situation worse, so I would just say that nowadays companies that go after security researchers do not explicitly promise any consequence, but they will make sure you understand that releasing that paper/poc/exploit/etc. may not be the best for your career,” Gnesa said. “It was definitely not an easy decision [to cancel the talk], because I felt the community needed to learn more about the security of IP surveillance cameras. But on the other side, some of my coworkers have families and career goals that would have been impacted by my decision to fly to Singapore, so I decided to cancel the talk.”
As for the vulnerabilities he disclosed, Gnesa said he’s unaware of whether the vendors have patched, or plan to do so in short order. He said he would eventually like to publish a paper and share the techniques he used to find the vulnerabilities.
“The feedback from the security community was incredible. I’ve received dozens of e-mails offering advice and support,” Gnesa said. “I am really proud of being part of this community that has so many good researchers and smart people who are working day and night to make sure our computers, mobile phones, and IoT devices are secure.”