Ethical disclosure and the Internet of Things
I’ve recently been trying to work with manufacturers to disclose a number of pretty nasty security bugs in various ‘Internet of Things’ devices.
The past few weeks are beginning to make me wish I hadn’t bothered though.
What do we mean by Ethical Disclosure?
Ethical disclosure processes are becoming fairly standard and have been debated for years. Essentially:
- Security researcher finds a security bug
- They report privately to the vendor using channels the vendors publishes for this purpose
- Vendor acknowledges, investigates and provides a timeline for a patch
- Researcher agrees to keep quiet until the patch is published
- Vendor releases the patch, researcher is credited
…or something along those lines. There are pros and cons of disclosure, but broadly the idea is to
prevent script kiddies & others latching on to the issue and using it to exploit unaware, unpatched customers.
Of course, if someone less ethical also finds the bug before it’s patched, all bets are off.
The frustrations with disclosing IoT issues
My experience of trying to disclose issues relating to IoT devices is more like the following:
- Security researcher buys device, finds the most ridiculously easy vulnerability within 5 minutes of turning it on
- Sends email to support mail address on IoT manufacturer web site
- Nothing happens for days
- Sends email to every other mail address they can find
- Nothing continues to happen
- Phone support line
- Support rings out to voicemail, voice mail box full
- Tweets them
- Has a response, turns out it’s managed by a social media agency
- ‘Will pass on message’
- Nothing keeps on happening
- And so on…
The various products involved continue to be sold in large numbers by well known retailers. More and more consumers are being exposed to trivial compromise.
These vulnerabilities do not take geniuses to find. Some of them are really quite simple. That said, some are much more interesting and take some real work to uncover.
Manufacturers of IoT devices, particularly in the retail space, are often very small, fast-moving operations with outsourced manufacturing, mobile app development, marketing and hosting. They simply don’t ‘get’ security and have little understanding of it. They just want to sell a smart new product that one can control using a mobile app.
What can we do?
First, a CERT for Internet of Things devices would be wise, perhaps with specialisation for key sectors (e.g. domestic, automotive, medical etc.).
Next, some basic standards, perhaps taking some of the great work that OWASP have done and adding some hardware-specific issues.
Some guidance on applicable legislation. I’m talking to law firms currently about how UK law might be applied to encourage firms that won’t take action after they’ve been informed.
IoT vendors need to wake up and respond to security researchers, ideally publishing their preferred route to be contacted and their desired disclosure process.
And at some point, when every other route has failed to get a response or action, one has to go public. Not ideal, but then neither is Joe Public continuing to purchase and install really insecure IoT devices.