Security suppliers should avoid making unsubstantiated bold claims about their products, especially if they have not had them reviewed by the community, according to security researcher Scott Helme.
“While some of the larger security suppliers are interacting with the security research community through bug bounty programmes, many remain hostile to reports of vulnerabilities in their products by security researchers,” he told Computer Weekly.
A classic example of this is when Helme was invited by the BBC to review a communication protocol alongside cryptography expert Alan Woodward, a professor in the computer science department at Surrey University.
The protocol is used with an appliance to provide email services, which its suppliers said was the “most secure in the world” and that it ensured “absolute security and privacy” when communicating online with anyone else with the same appliance.
“We were asked to demonstrate how secure it was, but we found several vulnerabilities and were able to read emails that we weren’t supposed to read. We were even able to take full control of the device remotely and reconfigure it,” said Helme.
“Claiming something is ‘unhackable’ is a recipe for disaster, particularly if you have not engaged with the security community to get some feedback,” he said. “It only took us a few days to find the vulnerabilities, and some were so obvious that it was difficult to believe the product had been properly tested before being made commercially available.”
According to the second of cryptographer Auguste Kerckhoffs’ principles for military ciphers, a system should not depend on its design being kept secret: it should be possible for it to fall into enemy hands without compromising its security.
“So technically, I should have been able to shred the device, look at every aspect of its operation and every function that it has, but not be able to break the system as a result,” said Helme.
“It is like a safe. I can give you the blueprints to my safe and tell you every single way that it works, but as long as I don’t give you the key, you can’t get in the safe, and it should be the same for encryption systems. By ripping the device apart, I should have found that it was secure, but instead I found vulnerabilities that could be exploited,” he said.
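The safe analogy above maps directly onto how a device might authenticate a remote reconfiguration command. The following added example (not code from the article or from Nomx, and not a reconstruction of the real protocol) contrasts two constructed toy designs: one whose only protection is a hard-coded scramble baked into the firmware, and one that publishes its algorithm (HMAC-SHA256) and relies solely on a per-device key. A reviewer who has the full "blueprints" but no key can mint valid tags for the first and not for the second, which is what Kerckhoffs’ principle predicts. All constants, names and the command string are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# --- Design A: security rests on the algorithm staying secret -------------
# Constructed placeholder constant standing in for a "secret sauce" that is
# compiled into the firmware. Reading the firmware reveals it.
OBSCURE_CONSTANT = b"\x5a\x13\x7e\xc4"


def tag_obscure(command: bytes) -> bytes:
    """Toy tag: XOR the command with a fixed constant, then hash. No key."""
    mixed = bytes(
        b ^ OBSCURE_CONSTANT[i % len(OBSCURE_CONSTANT)]
        for i, b in enumerate(command)
    )
    return hashlib.sha256(mixed).digest()[:16]


def verify_obscure(command: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_obscure(command), tag)


# --- Design B: algorithm is public, security rests on the key only ---------
def tag_keyed(key: bytes, command: bytes) -> bytes:
    """Standard HMAC-SHA256 tag, truncated to 128 bits."""
    return hmac.new(key, command, hashlib.sha256).digest()[:16]


def verify_keyed(key: bytes, command: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_keyed(key, command), tag)


def blueprint_review(command: bytes = b"reconfigure:admin") -> dict:
    """Simulate a reviewer who holds this entire source file (the blueprints)
    but not the device's provisioned key. Returns which designs hold up.

    Keys: 'obscure_forged'  - reviewer produced a tag Design A accepts
          'keyed_forged'    - reviewer produced a tag Design B accepts
          'keyed_legit_ok'  - the real key holder's tag is still accepted
    """
    # Provisioned on the device at manufacture; never appears in the source.
    device_key = secrets.token_bytes(32)

    # Design A: knowing the algorithm is knowing everything. The reviewer
    # simply runs the same function the device runs.
    obscure_forged = verify_obscure(command, tag_obscure(command))

    # Design B: the reviewer knows the algorithm but must guess the key.
    # A 256-bit random guess matches with negligible probability.
    guessed_key = secrets.token_bytes(32)
    keyed_forged = verify_keyed(device_key, command, tag_keyed(guessed_key, command))

    # Sanity check: publishing the algorithm did not break legitimate use.
    keyed_legit_ok = verify_keyed(device_key, command, tag_keyed(device_key, command))

    return {
        "obscure_forged": obscure_forged,
        "keyed_forged": keyed_forged,
        "keyed_legit_ok": keyed_legit_ok,
    }


if __name__ == "__main__":
    for name, held in blueprint_review().items():
        print(f"{name}: {held}")
```

The point a reviewer takes from running this is the one Helme makes: if handing over the source is enough to defeat a design, the design was never secure, only obscure. A design that survives publication of its algorithm is the only kind that "ripping the device apart" can validate rather than break.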
Nomx unreceptive to expert feedback
As ethical hackers, Helme and Woodward contacted the supplier, Nomx, for the purposes of making a responsible disclosure of the security vulnerabilities they had discovered, but found that the supplier was not at all receptive.
“I appreciate it is not good news to hear that your security product is not secure, but we were offering to give them the information they needed to fix the vulnerabilities we had found, but as far as we can tell, that has never happened,” said Helme.
At the time, Nomx said the devices could not be updated because they were built securely and did not need updating. “To the best of my knowledge, they can’t update the devices that exist in the wild that were produced prior to our vulnerability disclosure,” he said.
Helme said he and Woodward have been unable to look at any of the devices the company is now shipping because it is refusing to supply any for testing.
After the time given to the suppliers to fix the issues identified had elapsed, the researchers decided to publish their findings as an advisory.
Subsequently, Nomx published a response, listing reasons why Helme’s proof of concept attack “could not occur in a real-world situation” outside a test laboratory.
“Nomx believes based on the actions of the blogger [Helme], his rooting of the device and specific code used that the threat was non-existent for our users,” the company said.
The response goes on to state: “No Nomx devices, accounts or data was ever compromised and the blogger could not show any evidence of such actions” and that “while Nomx is no longer based on Raspberry [Pi] devices, we still maintain that the users’ data is secured”.
However, as Helme points out, he never said that any Nomx devices had been accessed, only that someone could access them.
“The whole point in our attack was that it was a PoC – a proof-of-concept. Of course we didn’t go out there and actually hack people, because we’re ethical researchers. We simply proved that it could be done and that there was a problem that needed to be fixed,” he said.
Nomx claims not to have any access to the devices it supplies, so according to Helme there is no way for the company to back up its claim that none have been accessed by unauthorised third parties without recalling all of the devices and performing an analysis on each one of them.
“If we are going to make any real progress, we have got to change the way technology producers respond to vulnerability disclosure reports from security researchers,” said Helme.
“Ideally, technology producers should engage with the security community before commercial release, although I understand that some suppliers may find that daunting. But if the security community engages with them in an open and helpful way to volunteer information freely and privately, suppliers should not be hostile and accept the offer of help to improve the security of their product,” he said.
According to Helme, it should not be difficult for organisations to determine whether someone’s intentions are good or bad based on how they provide the information. “It is usually really easy to identify a legitimate security researcher who is just trying to help, and suppliers should respond accordingly,” he said.
Helme believes that while the security industry is making outstanding progress, there is a growing need for independent security research to ensure that companies deliver on promises of security and privacy because many of the problems that are emerging could have been uncovered by independent research.
Nomx failed to respond to Computer Weekly’s questions about whether in the past year the company has fixed the vulnerabilities reported by Helme and Woodward, and about whether the company has introduced a vulnerability reporting process or taken any other steps to engage with the security research community.
“The security ecosystem needs ethical hackers and refusing to engage with them – or worse, attempting to silence them when they are following a standard disclosure process – can only backfire in the long run,” said Woodward.
“Too many fail to distinguish between ethical hackers or researchers and criminal hackers. Like lying, hiding the truth never works and will only come back to bite you in the end,” he said.
Helme is to discuss the case in more detail at Infosecurity Europe 2018 in London on 6 June during his presentation entitled: Hacking the world’s most secure communications protocol.