A Vulnerability Disclosure Tale: Handcuffs or a Hug?Sydney Researcher Sees Both Ends of Spectrum
Edward Farrell was investigating building management systems when he came across two separate but concerning issues. The responses he received from the vendors demonstrate how security researchers tread a fine line even when responsibly reporting problems.
One vendor threatened to sue him. The other supplied a demonstration copy of its building management control software for him to check for vulnerabilities. The ABC first reported the story over the weekend.
Farrell says that only way to identify the vendor was to probe further into the vulnerable system. That irritated the vendor, which subsequently threated to sue him.
Farrell is director and principal consultant of Mercury Information Security Services, a Sydney-based security consultancy. Around December 2015, he came across a string of access control bugs in one vendor's building management software.
Building management software is increasingly being used to more intelligently manage HVAC systems and save on electricity bills. But this software is vulnerable to takeover if not configured properly and could be used by attackers as a stepping stone to other networked systems deep within an organization.
Farrell says that only way to identify the vendor was to probe further into the vulnerable system. That irritated the vendor, which subsequently threatened to sue him.
How Far to Push?
How far to push what's intended as responsible security research is a touchy area. Accessing another company's systems could in the eyes of the law be considered unlawful access. Depending on the jurisdiction, computer crime laws may apply.
Companies that have not had much contact with the computer security community may initially turn to law enforcement, a move that dismays those trying to improve the state of information security.
In Farrell's experience, the vendor initially claimed that its system was not vulnerable and that his findings were false. Later, the U.S. company published Farrell's vulnerability disclosure word-for-word, forgetting to change the Australian spelling of the word "authorise" to the U.S. spelling of "authorize."
But in the face of the legal threat, Farrell says he backed down.
"We have a legal détente provided I don't disclose either customers or any information captured during my research or that vendor's name," Farrell tells me.
Defying the vendor would have likely meant years in court and perhaps devastating legal fees, which Farrell says would have been untenable for a small business owner.
During the process of finding the first vulnerability, Farrell stumbled upon a second issue. A Royal Australian Air Force Base and a government research agency, the Australian Nuclear Science and Technology Organisation, both had internet-facing login portals for their building management software.
Both organizations were notified in January. The Defence Department tells ISMG that as soon as it was notified, the system was removed from the internet. ANTSO took the same action. An ANTSO spokesman says that the system regulated air conditioning and lighting. It was segregated from other networks and systems related to nuclear reactor operations, he says.
The fear with integrating suppliers and third parties into an organization's network is that poor security on the part of one means poor security for all.
That's what happened to Target when 40 million payment card details and 70 million customer details were stolen in November 2013. The retailer's systems were reached via a subcontractor in the refrigeration and HVAC services field that maintained a data link with Target to submit bills and project management material (see Target Vendor Acknowledges Breach).
Farrell says organizations are often unaware of what risks lie in these ancillary systems that may not be directly managed by a security team.
"The reality is it's a weakness most defensive security teams have: understanding where their assets lie," Farrell says. "Because this isn't necessarily an IT asset and more of an operational asset, for a security team to know where it is and what it is doing is kind of difficult."
The vendor of the software used by ANTSO and the Defence Department had a much different reaction to Farrell's findings. The company, which Farrell declined to name, granted him access to a demonstration system in order to look for software flaws.
He found a bug in the demo system, which involved executing a single "GET" request without authentication. The vendor is developing a patch. And it's not threatening to sue Farrell, much to his relief.