As you know, we (as in ERNW) are quite involved when it comes to vulnerability disclosure, and we have tried to contribute to the discussion on several occasions, such as Reflections on Vulnerability Disclosure and ERNW Newsletter 50 Vulnerability Disclosure Reflections Case Study.
In this post I want to add (yet) another perspective, motivated by a disclosure procedure which just happened recently.
todb’s article, R7-2015-23: Comcast XFINITY Home Security System Insecure Fail Open, is a well-planned public vulnerability disclosure. The article itself is very well done: it gives credit to the researcher who discovered the vulnerability, and it shows a disclosure timeline where Rapid7 reached out to Comcast (the vendor). They even go a step further and publish the link showing the process for vulnerabilities discovered in a Rapid7 product, as well as how Rapid7 handles disclosing vulnerabilities they find in external products. For their internal disclosure process, they make sure to release a patch before “publicly announcing the vulnerability in the release notes of the update” (Rapid7 disclosure policy).
This is where I see the conflict. Rapid7 disclosed a particular external vulnerability to the public at large without an expected patch release date from the vendor. The exploit can, most likely unknown to the homeowners, allow the home security system to show “Armed” while actually changing it to an open state that can last for hours. As Kim Zetter from “Wired” pointed out in her article Xfinity’s Security System Flaws Open Homes to Thieves, “Homeowners can’t take any practical measures to mitigate their risk of an attack. But the vendor could easily fix the problem with a firmware patch that would instruct the system to send alerts when something is not okay with it.” The vendor is clearly the responsible party, but what happens when a researcher cannot get hold of them?
Should a researcher be expected to be their brother and sister’s keeper? I mean, they found a critical vulnerability, did the proper disclosure to the vendor (who did not respond right away) and to CERT, and used the article to educate the InfoSec community, but without a patch to fix it, doesn’t this article educate only those who have the necessary means to potentially exploit it? It does nothing to protect the non-technical homeowner who purchased this product to make their home safe and secure. Another way to look at this would be with medical devices. If a researcher reaches out to a vendor because they have found a flaw in an insulin pump, and the vendor does not respond, should the researcher then go on to publicly publish an exploit that, in the wrong hands, could literally kill someone?
I know I am putting a lot of pressure on the researcher, when the largest problem is a lack of communication from the vendors, who are the responsible party here and need to patch their faulty products, but the moral compass of this situation belongs to everyone. I am not an IT person. Just like I consult a doctor when I am sick or have a teacher guide me when I am lacking, I trust that the researchers in the world, making it possible for me to have a smart house or a robot that can perform surgery, will have my safety at heart as they continue to launch us full speed into the future. I cannot protect the technology I use from exploits and vulnerabilities, but you as a researcher can, through responsible public disclosure.
As for the vendors and their occasional lack of help, commitment, or caring, I suggest grassroots-style organizing. Take a stance to educate the public on which vendors are not putting their customers first. They should be held accountable, not the people who use their faulty systems and products and cannot fix them on their own.