Another Company Thinks The Best Way To Handle A Security Hole Is To Send A Lawyer After The Person Who Discovered It
from the Firmware-Patch-1.3.5,-Esq. dept
Security researcher finds security hole; attempts to report it through proper channels and is ignored/rebuffed/threatened with arrest/lawsuits. Film at 11.
Apparently, handling these sorts of situations in the worst way possible is never not going to be an option.
Security researcher Mike Davis, along with colleagues at IOActive, found a number of security issues with electronic locks made by the Oregon-based firm CyberLock. But after several failed attempts over the last month to disclose the findings to CyberLock and its parent company Videx, they received a letter from CyberLock’s outside law firm, Jones Day, on April 29, a day before they planned to publicly publish their findings.
So, a security researcher did what he was supposed to -- research security -- and tried to inform the company affected. And now the United States' largest law firm (a trademark bully with inordinately thin skin) has responded with threats of the mostly-veiled variety. Davis posted this letter to his Google+ account and let his opinion of the legal threats be known through the editorialized file name (asshat0.png).
And, as if to assure everyone that Jones Day's grasp on intellectual property laws remains less than firm, attorney Jeff Rabkin invokes two very questionable avenues of attack: violation of CyberLock's licensing agreements and the anti-circumvention statutes built into the DMCA. As for the first part, Davis purchased the lock secondhand, which means he's not subject to CyberLock's licensing agreements, seeing as he never entered into one by purchasing direct. Secondly, the DMCA contains circumvention exemptions for encryption research and security research, both of which cover Davis' activities.
This security hole Davis found could be a big problem. The electronic locks the firm manufactures secure all sorts of critical structures.
The systems are used in metro stations in Amsterdam and Cleveland, in water treatment facilities in Seattle and Atlanta, Georgia and at the Temple Terrace Police Department in Florida, among other places. The company’s marketing literature also promotes use of the locks in data centers and airports.

CyberLock pretty much claims its locks are ultra-secure. Davis' research proves otherwise. According to what he found, the keys are stored in plaintext in the lock's firmware and this information is transmitted to the key from the lock during the authentication process. This transmission is encrypted, but the encryption used is weak.
With this knowledge in hand, Davis began attempting to contact CyberLock on March 31st. Five more attempts followed but no response was received until the letter from the law firm arrived on April 29th. A second, more aggressive letter followed on May 4th.
Among the things Jones Day attorney Jeff Rabkin took issue with was Davis' "aggressiveness" in demanding that he only discuss the vulnerability with CyberLock's technical staff. Rabkin has actually issued a statement on the incident -- somewhat of a rarity in litigious situations like these -- in which he argues the hole Davis found isn't a big deal because it would take tools and skill to exploit it.
[company name redacted] does not claim, and never has, that a door protected by one of its products is impregnable. It is simply common sense that anyone with the time, sophistication and resources to engage in IOActive's methodology could more simply defeat a [company name redacted] product by drilling the lock off the door, or for that matter chopping the door down with an axe. To suggest, as your report does, that [company name redacted]'s products suffer from "severe" vulnerabilities simply because you were able to develop a bypass in your lab ignores the fact that the exploit in question was not possible without the use of costly and sophisticated lab equipment and highly skilled technicians—not exactly a real-world scenario for the intended use of [company name redacted] products.

While there's a certain amount of truth to his assertions (faster, less-work-intensive "workarounds" will always be preferred by the majority of criminals), it's not exactly as impossible as Rabkin makes it appear. While most criminals will not have access to lab technicians and equipment, some will. And the fact that these locks are being used to secure sensitive targets means the flaw is far more likely to draw the attention of technically-adept criminals. The argument itself is also somewhat self-defeating. If the hole is so impossible to exploit effectively, it would follow that CyberLock would have had no issue with Davis releasing his findings. The summoning of its legal representation suggests it thinks otherwise.
While CyberLock and its representation may feel exploitation of this security flaw is unlikely, that's no excuse for handling it the way they did. Davis made several attempts to give CyberLock a chance to respond before taking the flaw public, but the company did nothing more than tell him to shut up using its Jones Day proxy.
With few exceptions (companies who participate in bug bounty programs, mostly), it's become hazardous to your freedom and financial security to inform companies of security flaws.