When Hackers Test For Flaws, They Might Earn Cash — Or Threats
To hack or not to hack? That's a hot question in Las Vegas this week. Many attendees at the two conferences in town, Black Hat and Def Con, are security researchers: people who poke at websites, smartphones and other wireless devices to look for gaping security holes that companies should fix. But even when they're hacking with good intent, they can get into big trouble.
Take security researcher Logan Lamb. He was supposed to be on stage giving a presentation. Instead he's standing in a corner, literally trembling as he talks.
"I was going to be presenting," he says. "Because of these pressures put on me, I can't now."
Lamb won't spell out the pressures. But it's a well-known fact in these hallways that companies threaten people who find weaknesses in their software.
Lamb, based in Knoxville, Tenn., tested three popular home alarm systems to see if they're easy to hack. He says he did this in his own apartment and at two friends' houses. "I just pushed the cats off the kitchen table, threw all my gear on the table, and walk[ed] around, trying to set things off and suppress them."
Lamb found he could disrupt the wireless link between the sensors that detect movement and the control panel that reports a break-in to the alarm company's monitoring network. He could also forge a sensor signal to set off a false alarm.
He says it was fairly easy because the makers of these wireless devices left them unencrypted.
"So some guy with the right hardware could sit out in front of someone's home and listen in. That's pretty disconcerting," Lamb says.
But he won't name the home security systems he hacked. When asked, he stutters: "I — I can't go into that."
Security firms Honeywell, ADT Corp. and Vivint were all named in an online summary of his research, which was later pulled from the Black Hat website. None of the companies responded immediately to NPR's inquiry. The official word from the conference organizer is that Lamb pulled his own talk.
Security researcher Jesus Molina did give his talk. He gives a quick recap: "At a hotel, which is a five-star luxury hotel, I was able to control every device in every room."
Molina, based in San Francisco, says he checked into a Starwood-owned hotel as a guest. The rooms were high-tech, with an iPad that acted as a remote control for the TV, lights, blinds and other appliances.
Molina noticed that the iPad in his room was on the same open guest Wi-Fi network as every other guest. So from his own laptop on that network, he could capture the traffic between the iPad and the room's controller, work out the protocol, and then send the same commands himself, impersonating the iPad.
He suspected this was a systemic flaw across the hotel. To really nail this theory, he had to try it out. So he called the front desk and said, "I don't want this suite. I want another room." After a few transfers to new rooms, he worked out the addressing pattern and built a dictionary of every device in the hotel.
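Both stories above, the alarm sensors that talk to their panel in the clear and the room controller that accepts commands from anyone on the guest network, fail for the same reason: the receiver has no way to tell whether a message came from the real device or from someone who sniffed the link. The following is an added example, not code from the article or from any vendor or researcher named in it. It models a hypothetical sensor-to-panel link two ways: a plaintext frame that any eavesdropper with a compatible radio can read and forge, and an authenticated frame carrying a per-device HMAC and a monotonic counter, which rejects both forged and replayed messages. The frame layout, device IDs and keys are constructed for illustration and describe no real product.

```python
"""
Added example: why an unencrypted, unauthenticated link lets an eavesdropper
forge or replay sensor/control messages, and how a per-device key, a message
authentication code (MAC) and a monotonic counter stop that.

Everything here is hypothetical: the frame layout, device IDs and keys are
constructed for illustration and do not describe any real alarm or hotel system.
"""
import hashlib
import hmac
import struct

EVENT_CLEAR = 0x00
EVENT_MOTION = 0x01

# ---- 1. Unprotected link: frame = device id (2 bytes) | event (1 byte) ----
PLAIN_FMT = ">HB"


def build_plain_frame(device_id, event):
    """Frame an unencrypted, unauthenticated sensor might send (assumed layout)."""
    return struct.pack(PLAIN_FMT, device_id, event)


class PlainPanel:
    """Panel that trusts any frame carrying an enrolled device id (hypothetical)."""

    def __init__(self, enrolled_ids):
        self.enrolled = set(enrolled_ids)
        self.alarms = []

    def receive(self, frame):
        device_id, event = struct.unpack(PLAIN_FMT, frame)
        if device_id not in self.enrolled:
            return False
        if event == EVENT_MOTION:
            self.alarms.append(device_id)
        return True


# ---- 2. Authenticated link: body | 16-byte truncated HMAC-SHA256 ----
AUTH_FMT = ">HIB"                      # device id | 32-bit counter | event
BODY_LEN = struct.calcsize(AUTH_FMT)   # 7 bytes
TAG_LEN = 16


def build_auth_frame(key, device_id, counter, event):
    """Only a holder of the per-device key can produce a valid tag."""
    body = struct.pack(AUTH_FMT, device_id, counter, event)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthPanel:
    """Panel that verifies the MAC and rejects non-increasing counters (replays)."""

    def __init__(self, device_keys):
        self.keys = dict(device_keys)                 # device id -> key
        self.last_counter = {d: -1 for d in self.keys}
        self.alarms = []
        self.rejections = []

    def receive(self, frame):
        if len(frame) != BODY_LEN + TAG_LEN:
            self.rejections.append("bad_length")
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        device_id, counter, event = struct.unpack(AUTH_FMT, body)
        key = self.keys.get(device_id)
        if key is None:
            self.rejections.append("unknown_device")
            return False
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            self.rejections.append("bad_mac")
            return False
        if counter <= self.last_counter[device_id]:  # seen before: replay
            self.rejections.append("replay")
            return False
        self.last_counter[device_id] = counter
        if event == EVENT_MOTION:
            self.alarms.append(device_id)
        return True


def demo():
    """An eavesdropper sniffs one legitimate frame, then forges and replays."""
    sensor = 0x0101
    # Unprotected: the device id is visible on the air, so forging is trivial.
    plain = PlainPanel([sensor])
    plain.receive(build_plain_frame(sensor, EVENT_CLEAR))            # legit
    plain_forged = plain.receive(build_plain_frame(sensor, EVENT_MOTION))  # attacker

    # Authenticated: the key lives only in the sensor and the panel.
    key = b"\x11" * 32                                # constructed per-device key
    auth = AuthPanel({sensor: key})
    legit = build_auth_frame(key, sensor, 1, EVENT_MOTION)
    auth_legit = auth.receive(legit)
    forged = struct.pack(AUTH_FMT, sensor, 2, EVENT_MOTION) + b"\x00" * TAG_LEN
    auth_forged = auth.receive(forged)                # attacker guesses a tag
    auth_replay = auth.receive(legit)                 # attacker resends capture
    return {
        "plain_forged_accepted": plain_forged,
        "auth_legit_accepted": auth_legit,
        "auth_forged_accepted": auth_forged,
        "auth_replay_accepted": auth_replay,
        "auth_rejections": list(auth.rejections),
        "plain_alarms": list(plain.alarms),
        "auth_alarms": list(auth.alarms),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner would add. A MAC gives integrity and origin, not confidentiality: the attacker parked outside can still see that a sensor reported "clear" all afternoon, so an encrypted channel (an AEAD mode) is needed on top if the traffic itself is sensitive. And no amount of cryptography stops the "suppress" half of Lamb's finding, where the radio link is simply jammed; that has to be caught by supervision on the panel side, treating a sensor that misses its expected heartbeats as a fault rather than as silence.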
No U.S. law obliges security researchers to tell companies about the holes they find, but the norm of coordinated disclosure does, and Molina followed it, after he was safely back in the U.S.
There is one more key detail: The luxury hotel Molina hacked is in China.
He poses the rhetorical question, "It would be very sad for me to end up in a Chinese jail just because I was trying to prove a point, right?"
Kurt Opsahl, a lawyer with the Electronic Frontier Foundation, doubts that Molina could pull off that security research on domestic soil. "I don't know what Chinese wiretap laws [are], but if you wanted to try to replicate that research here, it probably would be a good idea to speak to a lawyer first."
Opsahl is not giving legal advice about this case or the many others he hears in Las Vegas. The laws that govern computer crimes, chiefly the Computer Fraud and Abuse Act, passed back in 1986, are just too complex.
But he does share this rule of thumb: "One of the things that people need to be cautious of is accessing things without authorization, accessing packets without the consent of the parties involved."
"Parties involved" could include the company that makes the faulty product. And it can feel like a Catch-22. Researchers might think they're being helpful. But the companies may want to suppress information about their security weaknesses, sometimes through threats.
Attorney Marcia Hofmann says companies threaten civil lawsuits regularly. Say a well-intentioned hacker discovers a bug and reports it. "If the company wants to turn around and sue," she said during a Black Hat panel, "they could say the cost of fixing the vulnerability perhaps might be loss."
The high-tech companies of Silicon Valley have set a new precedent. Their so-called "bug bounty programs" reward security researchers who find and properly report software vulnerabilities. Alex Stamos, the chief security officer at Yahoo, says his company is inundated with reports of bugs — many of which are poorly written and hard to comprehend.
A handful of groups are cropping up now to replicate and improve the bug bounty system across other sectors. Casey Ellis, CEO of Bugcrowd, says, "Companies are starting to wake up and realize they need the help." His startup manages that process, by vetting security researchers for identity and quality of work.
Updated on Friday, August 8 at 4:58 p.m. ET:
Honeywell, a maker of Internet of Things appliances, had this to say about potential security threats to its home alarm products:
"Honeywell takes any reports of possible vulnerabilities very seriously and we are aggressively investigating this issue. Our policy is to work collaboratively with researchers and others to strengthen cyber security in a constructive, timely and responsible manner that protects end-users."
Copyright 2020 NPR. To see more, visit https://www.npr.org.