Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure
qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity?
Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher.
"Related"??? (Score:3)
How is a bitcoin exchange supposedly spying on someone related to a vulnerability disclosure for a digital lock?!
Re:"Related"??? (Score:5, Funny)
Because they both use electricity.
i did this and i did that (Score:2)
What a breathless load of nonsense. (Score:1)
Nobody threatened anybody. There was no saber rattling.
Whoever posted this article is a moron.
Re:What a breathless load of nonsense. (Score:4, Insightful)
It wasn't a dreadfully threatening letter, no, but the mere fact that they called in their lawyer rather than getting one of their engineers to contact him is both bizarre and disturbing.
The lawyer claims to have wanted to discuss the technical details of the vulnerability. It doesn't seem likely that that would be a productive conversation.
Re: (Score:2)
Getting one of their engineers to contact him would have been bizarre.
It's what most companies do. All the vaguely reputable ones, at any rate, even Microsoft and Apple.
Screw 'em (Score:2)
Re: (Score:2)
Perhaps, but realistically we now know two things:
Thing the first: there is a vulnerability to these locks, and we should be using something else. This goes double since the company has demonstrated that they are more interested in hushing it up than fixing it.
Thing the second: there is a vulnerability to these locks, and it would be interesting to try to find it. In essence, this event has enabled those amongst us who like to tinker with such things to narrow the search.
Streisand Effect (Score:5, Insightful)
That's some great work at shooting yourselves in the foot. I would have thought more people get that by this point in the internet age, but apparently not.
Re: (Score:1)
interestingly enough there is a texas lawyer who calls himself "the texas hammer". bonus points for guessing his specialty.
Re:Streisand Effect (Score:5, Insightful)
Never forget lawyers. Lawyers' first advice: you need us to advise you, so that you can pay us for each and every phone call, for each and every letter read and response written, for each and every email read and response written and, for researching your problem (you pay them to learn how to solve the problems they create for you). The problem here is reaching for the lawyers; the advice they give you and that you pay for usually will be to pay them more, and they will wrap that up in some sellable story. Once you reach for the lawyers, you have already lost. So they did not shoot themselves in the foot, their lawyers tricked them into paying the lawyers to shoot them in both feet.
Re: (Score:2)
One point the researcher tried to make is that there will not be any patches. The locks have no ability to be updated short of replacement.
Re:Deny them the pleasure of security by obscurity (Score:5, Informative)
This is not really the problem. These locks can not be upgraded over the network; there is no Tuesday patch day for them. It is not feasible to replace all locks from all customers within 30 days. Only a complete ass clown would post these details. It's like finding a bug that allows you to bypass security to get customer credit card numbers, then threatening to release all those numbers within 30 days.
You can not possibly assume that every company that makes a physical device needs to have a 100% perfect device for their first version, and yet that's what is sort of implied here, either have a perfect device or any bug will screw you over and all of your customers. Either that or all physical devices need to be on the internet for remote control upgrades, which sounds like an even worse scenario.
No, instead: find the bugs, report the bugs, and don't be a whale's tool by screwing them over.
Re: (Score:3)
Re: (Score:2)
In this case, something can be done: the company can stop selling the lock as "secure" (or "a lock"), and then put out a new one that is actually secure. Maybe do a product recall so people know about it.
What did they do instead? Start threatening the guy who told them about the vulnerabilities. When a company does that, the only responsible thing to do is to publish, because you know the company won't ever fix the problems otherwise.
(I do think 30 days is a bit on the short side... but I don't think giving
Re: (Score:3)
In this case, something can be done: the company can stop selling the lock as "secure" (or "a lock"), and then put out a new one that is actually secure. Maybe do a product recall so people know about it.
You know, it's possible to disclose that a vulnerability exists without disclosing how to exploit it. The letter from the lawyer also states that the firm is interested in discussing this further but was rebuffed by the "researcher". How are they supposed to know if the exploit is real or not if the "researcher" in question refuses to disclose the PoC to their lawyer. I'm pretty certain that a single phone call resolved the "are you working on their behalf" question. At that point (verification) he should h
Re: (Score:3)
You know, it's possible to disclose that a vulnerability exists without disclosing how to exploit it. The letter from the lawyer also states that the firm is interested in discussing this further but was rebuffed by the "researcher". How are they supposed to know if the exploit is real or not if the "researcher" in question refuses to disclose the PoC to their lawyer. I'm pretty certain that a single phone call resolved the "are you working on their behalf" question. At that point (verification) he should have simply given the vendor the PoC and a few more days before putting people at risk.
Had the vendor shown any actual interest in addressing the issue rather than burying it, they probably could have gotten an extension. Instead, they chose to squash any inclination to good will by prattling on with vague DMCA threats.
If the nature of the attack isn't released in detail, how does anyone learn from the mistake? As for the details, what good does it do to tell the lawyers? Might as well tell the mailroom guy. If they were serious about learning from their mistake, they would want him to discus
Re: (Score:2)
You know, it's possible to disclose that a vulnerability exists without disclosing how to exploit it. The letter from the lawyer also states that the firm is interested in discussing this further but was rebuffed by the "researcher".
No, they weren't. If an engineer from the company had made contact, the researcher would have been happy to discuss the technical details. Instead they sent a lawyer.
What is the point of discussing technical details with a lawyer?
Anyway I dunno about the "threat" - I read that letter from them that he published; I don't get any impression of threats, implicit or otherwise.
The fact that they got their lawyer rather than an engineer to contact him is in itself an implicit threat.
Re: (Score:1)
But something can be done to fix the vulnerability - stop using Cyberlock locks. A disclosure of the problem is the most responsible thing that can be done for the CONSUMERS. The Cyberlock is not the potential victim of any exploits here.
Re: (Score:2)
If you don't disclose, every user is vulnerable and doesn't know it, so can't take steps to protect themselves. This has happened multiple times before with locks. First lock bumping, and prior to that getting screwed by insurance companies saying they must have left the door unlocked, or investigated by the police for fraud. Then with electronic hotel room locks that led to a spate of thefts, again with the hotel owners and insurance companies denying it. To be fair, the hotel owners didn't know either.
I'd say even
Re: (Score:2)
disclosure is only responsible when something can be done to fix the vulnerability. If nothing can be done, find some other way to disclose.
If you don't disclose, every user is vulnerable and doesn't know it, so can't take steps to protect themselves.
I never proposed non-disclosure, so I'm not sure why you're replying to me.
Re: (Score:2)
What if the company sends your report to /dev/null ? If this guy figured it out, so can someone who is less concerned with ethics.
Re: (Score:2)
It is not feasible to replace all locks from all customers within 30 days.
Who said anything about replacing them? The company needs to have a program, together with their distributors/sales network, of updating the firmware on such devices. If they don't, they've already lost, and their customers are crazy for buying such devices.
Re: (Score:2)
Well, I don't have one of these devices or the manual, but when I started my first comment my assumption was that these were entirely stand alone devices. They look just like padlocks. Apparently the keys can be updated, where all the logic is, but they're not always connected to the internet. Thus the company still has to notify all customers, the customers have to get new keys (though anyone using such a secure type of lock is used to key management), and so forth.
Plus of course, that 30 days includes
Re:Wah, "threatened" (Score:5, Informative)
2. On day 29 with no previous contact or attempted contact, you send me a letter asking for time to fix your house's security problems, since, naturally, as a so-called "researcher" that's of equivalent interest with respect to correcting future known-bad designs. You note that telling people in the neighborhood how to break into your house might have legal implications.
3. I say "fuck you, wrong law, noob" and publish because you obviously had plenty of time to contact me to discuss before and chose to not do so and instead decided best to threaten me on day 29 hoping to stall and did a poor job of threatening using laws that have nothing to do with the matter at hand trying to make your position look strong and scary when all you had to do was contact me earlier than the 29th day asking for more information on the vulnerabilities, and/or offer to hire my services as a consultant to help fix the issues your security product obviously has in place.
Fixed that for you...
Re: (Score:1)
Oh, I didn't realize we were talking about straight-up extortion here.
And yeah, I'd easily be taking 29 days to think through carefully -all- my options. Some of which involving a shovel.
Re: (Score:2)
Because extortion generally begins with an offer from the to-be-extorted party.... sure.
Re: (Score:2)
Never do this. It could be misinterpreted as blackmail and/or extortion.
Re: (Score:3)
In other words, if one party sucks, the other party can break federal and state laws on extortion? I'm sorry if I can't find this reasoning listed in the ethical hacker handbook.
Re: (Score:1)
0. You sell a home security product that is not secure and does not provide the security you advertise
1. I send you a letter warning you of the flaws in your product and the obligation I feel to advise others who may be relying on the security you advertise that isn't actually there.
FTFY...carry on.
Re: (Score:2)
"Researcher" is just like "journalist". Give yourself that title on the internet and plenty of fools will believe you.
Re: (Score:1)
You think they can recall and replace all these locks in thirty days?
Ethics does suggest that you should notify the company if you find flaws. But there are no morals or ethics that require you to tell everyone in the world how to exploit these flaws, but that does actually fall very deeply into illegal territory instead. There's a huge difference between telling people that a device is not 100% secure versus telling them how to break in.
This is sort of like a bomb threat. You tell them about the bomb, g
Re: (Score:2)
The people who use the locks have a right to know that their locks aren't fit for purpose and why.
We'll see what they say when they find out some asshat posted instructions for bypassing the lock on the internet. You can inform the world that $X isn't fit, you don't have to be an asshole and give instructions on how to break it. The owners aren't on your side here.
Re: (Score:2)
No. But before they even think of selling such a product, they must have a plan for customer disclosure and field updates in place, as otherwise offering such product becomes a big liability once the first vulnerability disclosure gets into the open. Here at least they were informed about it in advance, someone else could have simply leaked the disclosure anonymously.
The company in question have set themselves up for failure, and I'm not very sympathetic to their plight. If you distribute shit with firmware
Re: (Score:2)
Why would the EFF get involved in unethical and probably illegal schemes?
The letter essentially states, paraphrased: "I'm going to write details on how to crack your locks and post it to the world in 30 days, do you have any comments before all your customers get screwed?" The blogger is going to be sued into ashes.
This is NOT security through obscurity, what a moronic idea. It is impossible to get a fix or replacements out to all of these locks in such a short time frame.
Re: (Score:2)
Re: (Score:2)
You will piss off a lot of people though. "Zero day" is an amorphous term, and probably doesn't apply here anyway. This was an existing product already in use. And it's not a software product; you can't fix it by releasing patches. Doesn't matter if he's asking for money or not, he's threatening, indirectly, to damage their company and cause widespread damage to their customers. All so he can get a blog entry and impress some friends, not so that he can fix a bug.
Re:Contact the EFF (Score:4, Interesting)
He's actually helping their customers, because their customers have bought a flawed product that isn't fit for purpose. By disclosing the vulnerabilities, these customers are now aware and can demand a fix or switch to an alternative product.
If they sweep these vulnerabilities under the rug, that doesn't mean they go away or that no one knows about them; it just means that the customers don't know about them. Others with more nefarious goals may still be aware of the issues and decide to exploit them, an attack that will be completely unexpected because the customers have false faith in the product. In fact, false faith in a security product often leads victims of exploitation to blame something else (often the staff) when a breach happens, because they refuse to accept that their expensive security product is flawed.
Re: (Score:2)
But as soon as you disclose any vulnerabilities, burglars can bypass the lock before there is a chance to buy a replacement.
No one is sweeping this under the rug. However the blogger seems to think they should work under his own self imposed time table. He's not doing anyone any favor by releasing the info.
Re: (Score:2)
If they needed more than 30 days, they could have said so quite amicably without lawyers (or with them, but in a friendly request manner) within a week, and asked the researcher to withhold release until they were ready. Instead they barge in, lawyers blazing, trying to suppress any and all information release.
That is an attempt to sweep the whole thing under the rug, and deserves only information release and the Streisand effect as a response.
Re: (Score:1)
Or burglars may already know about the vulnerability and are happily bypassing the locks. Releasing the information tells the users they should stop relying on the lock.
Re: (Score:2)
He's actually helping their customers, because their customers have bought a flawed product that isn't fit for purpose. By disclosing the vulnerabilities, these customers are now aware and can demand a fix or switch to an alternative product.
You would surely love to be helped if I posted how anyone could crack the locks of your car and drive away with it.
Re: (Score:2)
Funny you choose that analogy. Pretty much everyone who wants to already knows how to crack the locks of any car and drive away with it. It's a good thing we know about that so we can make sure to be insured and take precautions.
Re: (Score:2)
I can see how this would damage the company, but won't this actually help the customers? Right now they are relying on the locks to be secure. We do not know how many other people have discovered the flaw that makes them insecure. So is it better to leave the customers in the dark, or should they be notified so they can switch to a different lock supplier?
Re: (Score:2)
How do we know the manufacturer is not contacting them privately, or is working on a fix, preparing a recall, etc? All we know is that they're not working under the same time line as the blogger.
Re: (Score:2)
Re: (Score:2)
But the researcher is not an employee. Just because this random stranger, self-proclaimed "researcher", finds some flaws does not create any obligation whatsoever to respond to this guy. The blogger is issuing dire threats, even if he doesn't see it that way. The only reason the company cares about him is because of the threat he represents and the damage that could result to their financials and customer base. Sure, it's smart to negotiate with those threatening harm, but failing to do so does not abs
Re: (Score:2)
They have no legal obligation to respond. They do, however, have an ethical obligation to do so. Nor are they automatically excused of responsibility for the foreseeable consequences of their failure to do so.
I suppose you could consider the researcher advising the company of his discovery, and of the planned release date, to be a "threat", although it seems a bit of a stretch. But that would leave researchers with no alternative but to release the information publicly *without* warning the affected comp
Re: (Score:2)
"It's not a software product"
So the code in question does not exist?
Re: (Score:2)
It's a device that includes software. "Zero day" usually means bugs that are present and known about before release of a software version, usually a standalone software version rather than a hardware+software bundle. It's a blurry line though; I'd consider a smart phone to be a computer plus software, whereas a lock like this I'd normally consider to be a device (software is not readily upgradeable by the consumer).
Re: (Score:2)
It's a remotely configurable internet connected device.
What does it matter if the vendor doesn't make it easy to upgrade the software?
Re: (Score:2)
Is it such a device? The picture seems to show a normal padlock type of device with some electronics inside. There's no sign of an internet port or radio. The company has no possible way to upgrade this remotely, and no time was given for them to recall all the devices before the bomb goes off in 30 days.
Sure, some people may claim it's the company's own fault for having a security flaw in the first place, since of course perfection is easy to comply with. Others may claim it's their own fault for crea
Re: (Score:2)
The smarts are stored on the key.
Smarts like the time a user is allowed to use the key and whether it has expired or not.
They also read in the logs from the lock and update its key black-list.
The key gets sync'd to control software, which can go over the internet.
The integrity of the entire system is reliant on the keys, that they can't be modified or copied.
Re: (Score:2)
If the lock depends on software, and does not provide any mechanism to update said software, that in itself is a serious design fault.
What should you do? (Score:1)
Probably about the same as James Bailey did in response to Dale Cox on behalf of the Cleveland Browns:
http://www.lettersofnote.com/2... [lettersofnote.com]
Resources not generally (Score:2)
>IOActive's reverse engineering process required the use of skilled technicians, sophisticated lab equipment, and other costly resources not generally available to the public.
Since when have the bad guys limited themselves to what was available to the general public? Or even limited themselves to what one person could do?
I take it that the Cyberlock is effective, only when the attack is carried out by somebody like my next door neighbor. He is a very nice person, but due to Alzheimer's, people in the ne
Re: (Score:2)
Exactly. These locks are supposed to be used in very high security areas. You know, protecting stuff with lots of value. If the stuff inside is worth $10M, would $1M in equipment be expensive? Not really (especially if you know of another site with another $10M of stuff and can re-use your purchases).
Even the mechanical destruction is a concern - unless the lock
Unintentional disclosure (Score:5, Insightful)
This little circus shows security-conscious potential customers something very important about Cyberlock: their first response to an issue affecting the customer's security is to attempt to punish the person who found it.
Seriously...who wants a company like that in charge of security? I'd like to see some lawsuits from existing clients over false advertising and failure to act as one would reasonably expect a security company to act.
Without Legal Mumbo Jumbo (Score:1)
These Lawyers would be hard pressed in any case to prove malicious intent, given that the disclosure was made and was ignored.
As a lot of posts here have commented on, the root of the problem is abuse of the legal system for monetary profit and to strong-arm people into accepting the whims of "Idiots with money" or IWM in this case. The pervasive view that the purpose of the legal system is to use the law to do anything but enforce the law, uphold fair play in the society given these laws and ensure that
Re: (Score:2)
It's worse than that. If they were ACTUALLY interested in fixing the problem, they would want to have someone who would actually understand the disclosure. At least the lawyer would ask if there was a technical write-up he could pass on to an engineer. However, the correspondence published showed no interest in the technical information whatsoever except for making a vague threat should it be released.
Their intentions are quite clear.
Re:How many thousands of copies are there now? (Score:4, Insightful)
Lawyers don't care if they lose the case or not, they just care that they get paid which happens either way. As with most legal actions, both sides lose and only the lawyers benefit in any way.
Streisand Effect. (Score:2)
Now there are headlines about how shit Cyberlock products are, instead of a single blog post.
Even in 1850 (Score:5, Interesting)
Amazing how little has changed... you'd think with improved communication and mobility (of goods and people), attitudes would have shifted in favor of disclosure.