When flaws are found in software systems, to disclose or not to disclose is the question that needs to be answered, says Ken Munro, Partner at Pen Test Partners.

Ethical disclosure is an issue that security researchers have been struggling with for years. Say you find a new vulnerability in a certain vendor’s software. What do you do next?

Do you:

  • Post it to a forum for verification?
  • Report it to the vendor yourself?
  • Sell it in a vulnerability market; an outlet amusingly referred to as an ‘0-bay’?
  • Sit on it, write a zero day, and go hack other companies with the same software?

Most software vendors have improved their response to researchers reporting vulnerabilities, but it’s still a long way from perfect. Consider the following:

You report the vulnerability, the vendor acknowledges your finding, verifies it, then explains that it’s going to take 12 months to issue a fix. They ask you to keep quiet about it in the meantime. So what if someone else finds the same bug in the meantime? What if someone has known about it for years, and has been quietly exploiting businesses?

Not very ethical, is it? What’s the alternative? Well, how about posting it publicly at the same time as posting to the vendor, or maybe giving them a couple of weeks to get a patch out. The vendor goes nuts, companies complain that there’s no patch available, the exploit is quickly picked up by Metasploit and every script kiddie under the sun now knows about it.

However, the usual reaction from the vendor in this scenario is to get a workaround published quickly, and a patch out much faster than otherwise.

I had a similar problem myself a few years back - I found a set of really significant vulnerabilities in a building management controller.

One could unlock doors, set off fire alarms, turn the heating on, pretty much anything. I rang the company, emailed them, wrote to them, called support, you name it. However, their business was about physical security, not IT security. They didn’t have anyone who dealt with securing the systems they sold to clients.

I drew a blank; all I could do was brief a government agency and a couple of relevant security associations. Putting my research out into the public domain would have been irresponsible, as I had no faith in the vendor’s ability to do something about it.

PS3 hacking

Which leads me on to some of the high profile ‘hacks’ of games consoles and other systems. Probably the most significant case is the recent publication of the master keys to Sony’s crypto protecting their PlayStation 3.

The firmware allowed anyone to install other operating systems on the PS3. This option made installing homebrew operating systems easier, and no doubt also facilitated the use of cracked content.

Hence, Sony updated the firmware to prevent this. However, this move really annoyed many users, and set parts of the community on a path to target the console. A team known as fail0verflow presented a method to compromise the device master key, effectively opening the console up.

This research took considerable effort, and its open publication helped numerous legitimate researchers understand new routes to compromise systems. To their credit, the group did not publish either the key, or the exact details of the attack. Their intention seemed to be more about the concepts that their research opened up, rather than punishing Sony.

You might see this as ethical disclosure. Unfortunately, a second researcher then replicated the attack, and published the master key; unethical disclosure.

Very similar efforts went into the crack of the TPM chip preventing the use of third-party controllers with the PS3. A researcher (Chris Tarnovsky) appeared a little annoyed that non-OEM controllers couldn’t be used, so started working on the protection mechanisms.

After several months of work, he not only worked out how you would use other controllers, he also broke the protection that TPM offers to secret encryption keys on numerous other laptops, devices and systems.

Infineon, the vendor of the TPM chips, was rather red-faced, and implemented upgrades to its system. That doesn’t do much to help the enormous existing population of TPM-equipped devices, though.

Philips Mifare, the technology behind the Oyster card, was also compromised some years ago. Again, a fascinating physical attack against the chip itself revealed issues with the cryptography that permitted cloning in some circumstances.

Does this research benefit us? I believe it does, because if ethical researchers are out there doing this, then those with criminal intent will be at it too. Further, particularly in the case of cryptography protecting state secrets, there are bound to be foreign powers at work in this space also.

Would we be better off with Pandora’s Box kept firmly shut, so that only those ‘in the know’ can attack critical infrastructures and businesses? I don’t think so.

DRM circumvention

Then we have the Digital Millennium Copyright Act and EU Copyright Directive, which were supposed to keep a lid on DRM circumvention.

Wonderful in theory, but my personal view is that the criminal underground will carry on as before, and all you really achieve is restricting the activity of the semi-ethical researcher. The result is that research is driven underground and we all lose out.

Yes, disclosure causes problems for us all, but I believe that we would be suffering far worse problems if we didn’t have disclosure. It’s time for vendors and manufacturers to step up, and deal with the challenge of disclosure, rather than trying to keep a lid on it by threatening legal action.

Why not pay a significant sum to a researcher who finds a bug in a system, on condition that they keep quiet for an agreed period of time? It’ll be a whole lot cheaper than the legal fees the vendor would incur trying to gag them otherwise.

So, my conclusion is that the most sensible route for any console vendor is probably to let the hacking community do their ‘homebrew’ things if they want to. Implement security controls to distract the casual hacker and accept that a portion of the customer base is going to pirate games and content, whatever you do about it.

If you up the stakes, as in Sony’s case by removing the ability to install homebrew operating systems on the PS3, then the hacking community will make that device a target for their considerable research efforts.

What was the result of their efforts to lock down the device? Sony’s master keys were published. Who lost out, in my opinion? Sony.