Searching for ethics in security research
Wednesday, November 9, 2016
The hunt for vulnerabilities is a business. Flaw finders are compensated monetarily so there isn’t a trace of altruism in what they are doing, and the money they’re earning is completely legitimate.
The more progress gives us newer and newer software and smarter and smarter things, the more vulnerabilities there will be, and, therefore, more money will be swirling around this market. Nothing personal—just business!
Security researchers—both legitimate companies and criminals—make their living by HACKING; it's their job. However, they go at their work with different goals in mind. Or at least this appeared to be the case until recently.
Some researchers collaborate with companies that hire them legally and are remunerated according to a contract. This means that the search for vulnerabilities commences only after the customer and employer have formalized their business relationship.
Some people search for loopholes on their own and then report their findings to the respective developers and manufacturers. Those often refuse to pay for the information or offer too little, so researchers can earn more by selling the information to hackers on the black market. If a researcher has found multiple vulnerabilities, but the manufacturer always refuses to pay, that’s good enough reason to take revenge, right?
New times bring new ways for professional hackers to earn money.
The quotation below shows that criminals can try to earn a profit by selling information about vulnerabilities to a third party (not the developer or the manufacturer) or make it available on the black market.
A group of MedSec security researchers found a way to hack into St. Jude Medical's pacemakers and defibrillators. However, instead of notifying the company about the vulnerabilities, MedSec turned to Carson Block, the founder of the investment firm Muddy Waters Capital. They proposed that the short-seller reveal that St. Jude Medical devices posed a threat to patient lives. According to MedSec's plan, Block had to make a short sale. If the negative information damaged St. Jude Medical's reputation and made its shares go down, Block would profit from it. The farther the stock fell, the more the researchers would earn.
The revelation could also disrupt St. Jude Medical's takeover by healthcare giant Abbott Laboratories. In an interview with Bloomberg, Carson Block said that in addition to the short position regarding St. Jude Medical, he had a long position for Abbott Laboratories. This would allow him to win regardless of the outcome.
But MedSec CEO Justine Bone stated that she would not give St. Jude Medical time to fix the problems because the company had ignored similar warnings in the past. It's also likely the company will prosecute the researchers to silence them. According to Bone, MedSec turned to Muddy Waters because the investment company already had experience in holding corporations accountable.
MedSec is deliberately violating basic security research ethics and is doing so in an industry where human lives are at stake.
We see the following ethical issues in this story:
- Should a researcher remain silent about a critical vulnerability? And what if he/she has a security research contract with the manufacturer? And what if the manufacturer refuses to close the vulnerability?
- Can only the manufacturer assess the feasibility and necessity of closing vulnerabilities (including in devices already on the market)? But, as far as hardware issues are concerned, most users are unlikely to update their devices even if a security patch is available. Imagine that you've been using a pacemaker for quite a while and suddenly you are offered the chance to have its firmware upgraded. Are you certain that no issues will arise after the update? And many devices aren't even supposed to require updates!
The Anti-virus Times recommends
Alas, vulnerabilities are everywhere. They also exist in systems where an anti-virus can't be installed. As a rule, equipment of this kind works in isolation, away from the manufacturer, and the manufacturer can't monitor the security status of this equipment in real time and release updates to close loopholes. Customers use such gadgets at their own risk. Therefore, staying quiet about a vulnerability benefits manufacturers as well as consumers—even though this affects the latter’s security. In other words, everyone benefits from this except hackers.
MedSec was founded in 2015 by Robert Bryan, a former portfolio manager at the Metaval Capital hedge fund which has also collaborated with Cyrus Capital and Goldman Sachs. MedSec is based in Miami and offers testing and security research services for healthcare companies. Looking for flaws in equipment of this kind has never generated much profit because the research results can't even be sold to anti-virus vendors.
Naturally, anti-viruses are to blame for everything. Indeed, who else could be?
- If you choose a device, make sure that an update feature is available.
- Read about the update procedure and make sure you understand how it works. You don't want to end up studying the manual in an emergency situation.
- Install updates that have already been released before you start using a device.
- Find out the phone number and address of the manufacturer's technical support. If an emergency situation occurs, every second may count.