Behind The Firewall: ARLINGTON, Va. -- The completely bizarre yet sadly familiar series of events that led to a security researcher canceling and then later delivering a modified version of a talk on RFID security at the Black Hat DC conference Tuesday provided clear evidence that many vendors are still entirely clueless about security and their responsibility to customers.
The controversy erupted earlier this week when it came to light that HID Global Corp., a maker of proximity cards, sent a letter to Chris Paget demanding that he not deliver a talk at the conference in which he planned to discuss well-known security problems with the RFID implementations in such cards. The company claimed that a portion of the talk infringed on HID's patents and threatened to sue Paget and his employer, IOActive, if he proceeded.
"[We] hereby demand that you refrain from publishing any information at any public forum including the upcoming Black Hat convention," the letter reads in part.
As a result, Paget excised the HID-specific portions from his talk and instead discussed RFID in general and the inherent security problems with it. The session later morphed into a panel discussion, which included an ACLU attorney, two well-known security researchers and a representative from US-CERT.
This is all eerily reminiscent of the goings on at the Black Hat USA conference in Las Vegas in 2005. In an incident that has now become part of the lore of the security industry, Cisco Systems demanded that a presentation by a researcher at Internet Security Systems on flaws in Cisco's IOS software be canceled and the slides removed from the conference proceedings. ISS caved and the researcher, Mike Lynn, quit ISS on the spot and delivered his talk anyway.
How on earth did it get to this point? The simple answer is that with very few exceptions, many vendors still believe that security by obscurity is still the best policy. Software and hardware companies in many cases adhere to the old CIA axiom: deny, deny, deny. And when they're confronted with indisputable proof of a security problem, they threaten, dissemble and threaten some more until they get their way. And in the end, they usually do get their way.
Security researchers for the most part are either working independently or are employed by a small company. In either case, they usually can't afford to wage a legal battle with a multinational corporation that has lawyered up like a Mafia boss. "IOActive has very few options here unless we receive some indemnity from HID," Paget said. "The defense costs alone could easily put us out of business."
This mentality pervades the vendor community and it has created a situation in which researchers are afraid to publish vulnerability details without the express written consent of the vendor, and then only after a patch has been published, regardless of how long that process takes. This, in turn, puts customers in a position of unknowingly using unsecure products. Sure, it's a safe bet to assume that just about every software or hardware product you're using is unsecure on some level. But vendors shouldn't be in the business of using the court system to prevent their customers from learning the specifics of those vulnerabilities.
Nicole Ozer, an attorney with the American Civil Liberties Union of Northern California, put it even more bluntly. "This leaves all of us unsafe because the government and the industry don't have the information we need to make this secure," she said. "If we didn't have the important information from security researchers on [vulnerabilities] in the Dutch e-passport and the VeriChip, we wouldn't have the evidence that these problems exist."
For further evidence of the problem, consider this absurdity: Because of the threats of legal action from HID, IOActive has decided not to share the details of its presentation with US-CERT, the arm of the Department of Homeland Security responsible for gathering, analyzing and publishing vulnerability data. And US-CERT is in the business of working with vendors to develop patches and timely schedules for publishing vulnerability details and fixes. Insane, isn't it?
None of this is new, of course. These threats and lawsuits have been part of the vulnerability disclosure process from time immemorial. "The technology is different, but a lot of the problems are the same. I'm a designer and I break things. It's just really frustrating to see this, because I see both sides," said Joe Grand, a former member of the L0pht who know runs a device design firm in San Diego. And, given the level of acrimony on display at Black Hat between an HID representative and Paget and his IOActive colleagues, it's difficult to see how this particular case and others like it will be resolved.