Security flaws with life-threatening implications require alternative disclosure, says survey
If security researchers get no response from manufacturers when disclosing vulnerabilities with life-threatening implications, the majority of IT security professionals (64%) believe that the information should then be made public.
This is the verdict of new research conducted by Unified Security Management™ provider AlienVault™. More than 650 IT security professionals were surveyed at the Black Hat 2015 Conference in Las Vegas, USA and asked what was the best course of action when a vulnerability is found on an internet-connected device that has potentially life-threatening implications (e.g. vulnerabilities on cars or planes), but disclosure to the manufacturer hasn’t worked.
In all, 64% of the respondents supported different methods of making the research public, including proving the vulnerability with willing participants in a public space (19%), fully disclosing details to the media (19%), disclosing details in a talk at a public conference (13%), and proving the vulnerability on a live system (13%). By contrast 36% of respondents felt that the vulnerability should only be demonstrated in a private space with willing participants.
The traditional process for responsible disclosure when a hacker finds a vulnerability is to allow all stakeholders to agree to a period of time for the vulnerability to be patched before details are published. But when the vulnerability has life-threatening implications, such as the potential to assume control of a moving vehicle such as a car or a plane, attitudes appear to be changing.
The survey follows the public hacking of a Jeep by security researchers earlier this summer, which resulted in an immediate software fix and 1.4million vehicles being recalled by Chrysler. But when a different group of security researchers from the University of California and University of Washington privately informed General Motors of a similar flaw on a Chevy Impala in 2010, GM took nearly five years to fully protect its vehicles from the technique – meaning that drivers of that model of car were unknowingly vulnerable to being hacked during that period.
Javvad Malik, security advocate at AlienVault, said: “Rightly or wrongly, there seems to be a race by manufacturers of nearly every kind of device to include the ability to connect to the internet. As history has proved, the security of such devices is more often than not a low priority, which has resulted in these devices being exploitable. This becomes particularly concerning in cases where the exploitation of an internet connected device can result in life-threatening situations such as an external entity being able to tamper with, for example, auto-targeting functions or sniper rifles, or the operational features of cars and even airplanes.”
Other approaches to threat sharing
The survey also examined other attitudes towards aspects of threat sharing, including opinions about the use of data that has been dumped by hackers into the public domain after a company has been breached. When asked how data should be treated, the largest number of respondents (23%) said that this data should be considered stolen property and no one should be entitled to utilise it. By contrast 18% of respondents believed that everyone should be able to access and use such data, once it has been placed in the public domain. An additional 22% opted for the middle course – saying that the data was not for general public use but could be used by security professionals for research purposes.
Javvad Malik continues: “The recent Ashley Madison breach has made us all consider the use of stolen data once it is placed in the public domain. Making such data available for security research might seem like having your cake and eating it, but it’s also vital that the security industry keeps up with criminals who have no qualms about harvesting and analysing such data.”
While most people agree in principle that sharing threat intelligence benefits everyone, the survey results showed that many organisations are still reluctant to share threats externally. Of those who do share threat data, the vast majority will only share with their trusted peers (49%), or only internally (34%).
Javvad Malik concludes: “Security vulnerabilities and their exploitation have evolved rapidly and become much more widespread over the last few years. Whilst exploits are having an impact on daily life, or have at least risen in profile amongst the general public, security professionals are still at odds as to the best way to collaborate to prevent breaches, and how to react in the aftermath of one.
“Threat intelligence is not a new discipline, and while virtually every company claims to utilise it to some degree, there is no uniformity yet in how it is gathered, shared or applied. By adopting a collaborative approach to threat intelligence and vulnerability disclosure, companies and professionals can take advantage of the many benefits that a combined security ecosystem can provide.”