The whole Internet of Things (IoT) phenomenon has really gained momentum amongst security professionals as a hot topic of discussion. More than a few people are calling for self-examination, including ethics discussions around testing procedures and public disclosure; questions about our need to push forward aggressively; the impact of long-term consequences in exchange for short-term gains, and so on.
There are a few things we can take from our past that can help, but we as security professionals have to remember that this is a somewhat unique bit of territory and many arguments - pro and con - from the past simply no longer apply.
Media-Ready Stunt Hacking
One of the bigger discussion points involves "stunt hacking." This is hacking that uses some dramatic elements to "make it real" and camera-ready for a media outlet eager to drive ad revenue. Where does this whole stunt hacking thing come from? From our hacker past.
It’s one thing for a researcher to show step-by-step how product X is vulnerable to a particular flaw, but it was simply more fun for a hacker to pop up a dialog box with their name (and a shout-out to hacker buddies) than to launch calc.exe. Launching calc.exe in itself is a little over the top. Some would argue that showing you overwrote EIP should have been enough.
Did Barnaby Jack need to bring an ATM machine onstage and have it spit out cash? Of course not. But it is a nice wink to other security pros watching by doing something with a little flash, and it does actually serve a purpose - it uses a real-world example that non-technical people can understand and relate to.
And this level of consumer and widespread attention can force vendors to act.
As techie nerds, most of what we do appears as magic to non-technical people. For example, the printer isn't working and they've tried everything, but the IT admin comes in, and a few minutes later, the printer is working again.
On a 1-to-10 scale of computer difficulty, it might have ranked a 3 in the mind of the IT admin, but in the mind of the end user, anything above a 2 is essentially magic. The IT admin just opened dialog boxes out of thin air that had never been seen before or since, tapped a few keys and made a couple of clicks, the whole time on a cell phone arguing with another geek about whether Han shot first (spoiler: Han did shoot first).
A smile and a thumbs up while walking away, gone from the cubicle farm and into the bowels of the server room before the first page finished printing - this is the essence of what we call on a larger scale "stunt hacking," or performing techno-magic for mere mortals.
Showing Real World Implications for Results
The issue with IoT is that to get hacking results - sometimes ANY results - one must perform attacks that create real world output. In the IoT world, you don't just attach a debugger, set a breakpoint, or launch the fuzzer. You are often creating conditions, actions, cascading failures and who knows what else to trigger an unknown flaw that allows you to do something unintended.
Sometimes, the only way to tell if you are getting any reaction from your Smart Toaster 5000 is to try various steps during normal use and look for abnormal signs, like making all the lights turn on or burning the toast.
In the past, security researchers learned the most effective method in dealing with issues is a real world demonstration. A whole "thing" rose up from this process where many researchers had to go public with their research just to get a vendor to even acknowledge a problem exists, a longtime struggle we’ve documented in our timeline on the history of the vulnerability disclosure debate. Eventually, security researchers and software vendors found common ground, worked out a rough protocol, and now work together to secure things.
Car Hacking: Ethical?
Knowing this from their own past experience, Charlie Miller and Chris Valasek pushed forward with their car hacking research - they did their hacking as thoroughly as they could, contacted the manufacturers with the results, informed them they were going to publish the results, and encouraged the manufacturers to take steps to improve the car's security.
To demonstrate, they showed very dramatically they could have a real-world impact on a car, with video cameras rolling and a reporter (Hi, Andy!) behind the wheel. The arguments immediately started about an unethical approach since they "tested" it on a reporter on the open highway and not a test track, even though they knew exactly what they were doing and this was the second article the reporter had done with Charlie and Chris, so he knew weird things were going to happen.
Samy Kamkar did something similar with his “OwnStar” car-stealing hack. This was a man-in-the-middle attack against OnStar that allowed him to remotely locate, unlock, and start a victim’s car. Samy stated that the vulnerability had been widely known about for years, but it only gained real attention after he built a small electronic tool that actually demonstrated the flaw “in the wild.”
But here are the areas surrounding this that have me concerned.
Reactiveness. A congressperson looking to please a lobbyist group or deep-pocketed constituents is going to use the whole "hackers killing us with their evil hacking" angle to turn a simple IoT hack into a circus. As a result, he or she may get overly broad legislation passed that will restrict and potentially criminalize portions of the research that I and my fellow researchers perform.
Shortcuts. I am concerned about researchers who push too hard and too fast to make things happen, and potentially endanger people’s lives with reckless abandon. Charlie and Chris do play up their child-like wonderment and enthusiasm, but a peek under the hood (sorry for that pun) shows that they spent months meticulously looking at levels of complexity and detail that very few people have the stomach for. And, again, they also shared their findings with the manufacturers, giving them ample time to work together to mitigate risks and patch these security holes. This was not a weekend hack; it is work that literally took years to do.
IoT devices in general are a nightmare for many researchers to pick apart. This isn't code examination, nor fuzzing with a debugger attached; it is trial and error at its most basic level, and one can encounter many, many obstacles. An attempt to "cheat" the process and jump ahead leads to serious mistakes.
Old paradigms that do not work. Software vendors are different from car manufacturers, or toaster manufacturers, or any other kind of manufacturer. Software vendors have mechanisms to update their product remotely, they'll often have an email address (like security@duosecurity.com) as a primary contact if you are reporting a bug, and many are so used to working with security researchers that they will actually reward them for their efforts.
Most current IoT manufacturers aren’t used to dealing with this world at all; their number one concern is pushing product out the door and getting that new Smart Toaster 5000 on the shelves at Target and Sears before the holiday season. They don’t care that you've figured out how to remotely burn toast. They'll respond with statements like, "Who in their right mind would want to attack toast?" and when asked by a reporter about the vulnerability, they’ll claim that there are no reported instances of toast burnings in the wild. They don't seem to care about a couple of nerds giggling over burnt toast in a lab somewhere, not fully understanding that, with a little finesse, this toaster exploit in the hands of a malicious person could remotely and untraceably start a house fire.
I've personally seen this from my own reporting of flaws to software vendors in the past, and some vendors cannot understand why in the name of all the gods someone would want to do that horrid thing you just did to their software. A researcher’s job also includes explaining real-world implications in non-technical terms, including the impact to customers and the vendor’s reputation as well. Often this requires a gentle hand that must guide the vendor to fix the flaw without appearing to threaten them.
Knowing how to play the stunt card effectively. At its very core, when you have a group of security researchers doing research, they are typically doing this with some type of agenda. Yes, a part of that agenda is to bring attention to the security researcher's employer (or book, or consulting business), but there is another part to this that is just as important.
There needs to be a push to help make things secure, to make things better for the world at large. If that balance is maintained, stunt hacking, as it has been named, can actually provide benefits. Burning "666" into the toast with your Smart Toaster 5000 and calling your hack "The Devil's Breakfast" is hilarious; publicly releasing a tool to remotely set Smart Toaster 5000s on fire is not.
Test your work responsibly, know how far you can push that toaster, but don't burn down houses.
At Duo, we feel there needs to be something that truly shows a playful approach to the work - there’s a spirit of fun and excitement in hacking and we want to share that with the community and with kids who may want to go into security research as young adults.
Searching for security flaws is a lot like looking for that tiny signal within a vast sea of noise. Once found, that signal needs to be strong to be effective - it needs to be highlighted and lifted above the noise, with all of its implications exposed so that everyone, including the non-technical, can understand it and know why it is important.
But part of nurturing that signal is to keep in mind that IoT vendors are often just like those users in the cube farm watching the IT admin fix the printer - you are bringing them magic in the form of some weird flaw. They might not see the beautiful unicorn you discovered; they may see a big, dangerous, one-horned animal hell-bent on destroying their company. Part of our job as researchers is to explain why those flaws are an issue and help them understand how to fix them in order to make the product safer for consumers.
We would hope when dealing with the public, reporters, and vendors that researchers continue to try and show strong signal within the noise.