With apologies to George R. R. Martin, the drama around legitimate security research is starting to rival anything the Starks, Lannisters and Targaryens could muster.

Hardly a month goes by without some white-hat bug hunter facing a vendor or government that threatens legal or regulatory action over disclosures that would serve only to make something more secure. Clearly some points on this vendor-researcher-policymaker triangle just don’t get that subtlety.

Instead, some vendors are threatened by bug reports and conference talks that expose weaknesses in software and devices. Sometimes private disclosures are ignored, and rather than take action to secure their heavily marketed software, connected automobiles or other Internet-enabled things, some vendors lash out at researchers. And lawmakers and policymakers, rather than listen to influential hackers, tend to dismiss them as basement-dwelling, Red Bull-drinking introverts with too much time on their hands. Or they endorse such things as the Wassenaar Arrangement.

The latest casualty was an upcoming Hack-in-the-Box GSEC Singapore talk scheduled to be given by Gianni Gnesa, a researcher with Swiss security company Ptrace Security. Citing vendor pressure, Gnesa pulled his talk even though he had privately disclosed the flaws to the three affected vendors of IP-enabled surveillance cameras three months before the talk. Two of the vendors acknowledged Gnesa’s bug reports (one said they were working on a fix, and the other said they had no idea what to do with the information Gnesa had provided), while the third has yet to do so, he said.

Once Gnesa shared with the vendors that he was planning to do a talk at HITB Singapore about the vulnerabilities, the tone of the conversation changed, Gnesa said.

“In the e-mail, I asked them if they would like to review the content of the presentation and give me their feedback so that I can make the changes before I go to Singapore,” Gnesa said. “That clearly didn’t work as I expected.”

Gnesa will not publicly disclose the affected vendors, but said his talk was going to cover the components of IP surveillance cameras that would be relevant to a white-hat (Web interface, network services, signal processing and more). He was also going to share examples of attacks that could be used against the three popular cameras by exploiting one or more vulnerabilities. His proof-of-concept exploits, he said, were sent to the vendors in addition to the bug report.

Gnesa would not share details about the specific concerns the vendors in question had with the presentation.

“I will not say much about this because I do not want to make the situation worse,” Gnesa said. “I can tell you that from the moment I informed the vendors of my intention to present some of my findings at HITB GSEC Singapore, all my e-mails to the IT departments have been handled by legal representatives. Sadly, local laws and user agreements can easily be used to depict a security researcher as a criminal, and they know that very well.”

The landscape has been harsh lately for security researchers. Just a few weeks ago, security company FireEye challenged ERNW, a German security consultancy that found a number of vulnerabilities in one of FireEye’s products. FireEye sought legal action to stop ERNW from disclosing the flaws after a 90-day disclosure period expired. FireEye eventually patched the issues.

The controversial U.S. and worldwide implementations of the Wassenaar Arrangement and its controls over so-called intrusion software were cited by HP in its decision to pull its sponsorship of the Mobile Pwn2Own hacking contest next month in Japan, and by a U.K. university student who decided to redact some parts of his dissertation on working bypasses for Microsoft’s EMET attack-mitigation tool, citing legal concerns raised by his school.

Gnesa said he ran into a similar situation months ago when research into vulnerabilities in an APT detection solution was squashed after it was clear the vendor would pursue legal action. In the case of the IP-enabled surveillance cameras, Gnesa said he was not informed by the vendors of what the consequences could be if he went public.

“Again, I don’t want to make the situation worse, so I would just say that nowadays companies that go after security researchers do not explicitly promise any consequence, but they will make sure you understand that releasing that paper/poc/exploit/etc. may not be the best for your career,” Gnesa said. “It was definitely not an easy decision [to cancel the talk], because I felt the community needed to learn more about the security of IP surveillance cameras. But on the other side, some of my coworkers have families and career goals that would have been impacted by my decision to fly to Singapore, so I decided to cancel the talk.”

As for the vulnerabilities he disclosed, Gnesa said he’s unaware of whether the vendors have patched, or plan to do so in short order. He said he would eventually like to publish a paper and share the techniques he used to find the vulnerabilities.

“The feedback from the security community was incredible. I’ve received dozens of e-mails offering advice and support,” Gnesa said. “I am really proud of being part of this community that has so many good researchers and smart people who are working day and night to make sure our computers, mobile phones, and IoT devices are secure.”


Comments (3)

  1. notapplicable

    F’ these a–holes. Stop giving notice. Fully disclose anonymously somewhere people know to look and let the chips fall where they may. That is where it will end up. That is how it should end up.

    • Kyle

      I agree: there’s too much crap about not hurting people’s feelings by leaving them in the dark. But I would’ve hoped we as a human race, and security researchers in particular, have learned not to tell those who are known to bring down an iron hammer of our plans, regardless of intent. Once the vulnerability is out in the open, they can sue all they want, but it won’t take it back. And let’s face it, without intellectual property being revealed, what precisely is illegal that they can charge him with? Suing, perhaps? But then he also presumably lives in Switzerland, which I doubt would comply with such cronyism…and even if they did: so what? Giving in only makes the companies MORE audacious and willing to do it again!

  2. Barry Greene

    I’m doing a keynote at HITB. I’ll add explicit examples of how someone can set up a testbed to look for vulnerabilities in “network surveillance” systems. The best way to solve this problem is to dive in and shine the light on the problem. Otherwise the bad guys win.

    For vendors who disagree, call me or read my “tutorials” for how to set up a proper vulnerability response system. Start with these mini-whitepapers:

    5 Principles to Vulnerability Disclosure
    https://www.linkedin.com/pulse/5-principles-vulnerability-disclosure-barry-greene

    How to prevent a “security embarrassment?”
    https://www.linkedin.com/pulse/20141028094659-7430592-how-to-prevent-a-security-embarrassment

    Questions to ask vendors to gauge their commitment to “secure products”
    https://www.linkedin.com/pulse/20140727141634-7430592-questions-to-ask-vendors-to-gauge-their-commitment-to-secure-products
