
Lawyers threaten researcher over key-cloning bug in high-security lock - wglb
http://arstechnica.com/security/2015/05/05/lawyers-threaten-researcher-over-key-cloning-bug-in-high-security-lock/
======
jonathanmayer
(Background: I'm a computer security researcher and lawyer at Stanford.)

When a security researcher gets threatened, there's a tendency to lambast the
lawyers. I think that's unfortunate.

It is, very often, the client that demands an aggressive response. A lawyer
should counsel against, since nastygrams to researchers tend to summon
negative attention. Not being a jerk is also a plus.

That said, if a client insists--and they often do--the lawyers have little
choice. Professional ethics generally require following the client's
direction, and there isn't sufficient time to withdraw as counsel.

So, for the most part: Don't blame the lawyers, blame the DMCA. It's the law
that's broken.

~~~
madez
You have responsibility for your actions even if you're legally forced to them.
This sane principle was officialized in the Nuremberg trials [1].

Edit0: In fact, the principles were more specific to international law vs
national law and orders. However, the idea behind is still sane even if you
don't violate international law.

Edit1: It's about recognizing personal responsibility.

Edit2: Those who disagree, why?

[1]
[http://en.m.wikipedia.org/wiki/Nuremberg_principles](http://en.m.wikipedia.org/wiki/Nuremberg_principles)

~~~
brownbat
> Those who disagree, why?

They probably feel that the Nuremberg trials are a hyperbolic example here,
and worry that line of argument brushes a little too close to Godwin's Law.

Upshot, we probably all agree with you that everyone has personal
responsibility for their actions. There are still situations where we want
attorneys to listen to their clients though.

~~~
Lawtonfogle
Godwin's law is overused to shut down legitimate topics. And while the point
may be the most extreme, it is still a very valid point. If one wants to say
it is different, one needs to articulate why.

~~~
madez
Thank you for bringing sense into this discussion.

I wouldn't say extreme, but fundamental. I referenced the Nuremberg Principles
because they are so fundamental and I genuinely don't know a better example.

Several people in the community misuse down-votes. They down-vote on-topic,
constructive and serious discussions which disagree with their opinion instead
of simply articulating their criticism.

------
PhasmaFelis
> _The advisory went on to say that "site keys" are stored in unencrypted,
> "cleartext" form that can be recovered from the lock cylinders._

Why do developers keep doing this? As a programmer, I've never worked with
crypto implementation and I don't really know much about it on a practical
level, but the one thing I do know is that you never store _anything_
sensitive in plaintext. Ever! So how do so many devs who have, at the very
least, spent far more time than I have Googling about crypto implementation,
keep missing this?

It's as if there was an epidemic of wet kitchen floors sweeping the nation
because thousands of plumbers, working independently, all repeatedly forgot to
install traps under their sinks. Why does this one rank-amateur mistake keep
happening?

~~~
Pyxl101
I don't see how this is an amateur mistake. Presumably the key material on the
device needs to be available to its onboard computer. So, the computer needs
to load it or work with it. You could encrypt it, sure, but with what key?
Another key stored locally in plaintext?

Could you explain what alternative should be used in this case?

~~~
poizan42
Use a salted hash like everybody else does with passwords?

~~~
cheald
You can't decrypt information or validate a public key's signature with the
hash of a private key. You need the actual private key unencrypted at some
point; we solve this in most of our certs by encrypting them with a password
that the user has to enter to decrypt, but access to the unencrypted private
key is absolutely required at some point.

Hashing is for passwords, not for keys.

------
javajosh
IOActive's findings enable a very difficult but devastating man-in-the-middle
attack against anyone buying or storing these locks. It's really hard to clone
a key to these locks, but once that's done the lock can be reassembled, and
the attacker can use the copy to open it.

It's NOT like you can walk up to one with a thumb drive and pwn it.

~~~
copsarebastards
IOActive's findings allow an attack where you can obtain one sample of the
lock and gain the master key for the entire lock system.

So you walk up to the unguarded bike shed, take your time chopping off the
lock with a hacksaw, and now you have access to the storage area. Normally the
guard would come around before you'd be able to cut off _that_ lock, but since
you now have a key it's much quicker, and you wouldn't look suspicious to the
guard anyway.

------
wglb
Unclear on the concept: _Moreover, IOActive's reverse engineering process
required the use of skilled technicians, sophisticated lab equipment, and
other costly resources not generally available to the public_

This works so long as attackers have no more resources than the average guy in
the street.

------
istvan__
I am wondering how you can dodge this if you are a security researcher in the
US.

~~~
smoyer
Publish the fact that it can be done without publishing how to do it (yes, you
have to be reputable). I think it's interesting that the lawyer focused on the
fact that they depackaged the chip when the (in my mind) bigger
vulnerabilities don't require that.

I think it would be interesting to sue a company like CyberLock for false
advertising ... "impossible to clone keys" is clearly false.

~~~
ceejayoz
> Publish the fact that it can be done without publishing how to do it (yes,
> you have to be reputable).

Chances are that just changes the lawsuits to defamation ones.

~~~
gameshot911
Truth is an absolute defense to defamation.

~~~
ceejayoz
Expensive lawyers and extended litigation are a non-absolute but often
_effective_ defense to truth.

~~~
dmix
Indeed, if you do so you must word your blog post very carefully not to make
any claims you can't fully back up with a PoC. Such as being very specific
about what versions/configurations are vulnerable.

------
matheist
So, like level 2 of microcorruption?

~~~
makomk
Not really. Despite the name and theme, Microcorruption was about the kinds of
vulnerabilities that exist in desktop and server systems; actual embedded
exploration is very different. Typically there's a site key sent from the lock
to the key, which authenticates itself with a second site key - often all in
plaintext, on the more insecure systems. So you just sniff the communications.
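As an added example (not from the article, IOActive, or any commenter, and not CyberLock's actual protocol), this sketch contrasts the cleartext site-key exchange makomk describes with a nonce-based HMAC challenge-response, and also shows cheald's point that the lock must hold the real key rather than a hash of it. The site key is a constructed placeholder value.

```python
import hashlib
import hmac
import secrets

# Constructed demo site key; not a real CyberLock value.
SITE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def plaintext_exchange(site_key: bytes) -> list[bytes]:
    """Weak scheme from the comment above: the lock sends its site key and
    the key answers with its own copy, both in cleartext. Returns the
    transcript exactly as it would appear on the wire."""
    lock_msg = site_key   # lock -> key
    key_msg = site_key    # key -> lock
    return [lock_msg, key_msg]


def eavesdropper_learns_key(transcript: list[bytes], site_key: bytes) -> bool:
    """Anyone recording the cleartext transcript holds the credential itself."""
    return site_key in transcript


def lock_challenge() -> bytes:
    """Hardened scheme: the lock sends a fresh random nonce, never the key."""
    return secrets.token_bytes(16)


def key_response(site_key: bytes, challenge: bytes) -> bytes:
    """The key proves possession of the site key with an HMAC over the nonce."""
    return hmac.new(site_key, challenge, hashlib.sha256).digest()


def lock_verify(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The lock recomputes the HMAC with whatever it has stored. Only the real
    key works here (cheald's point): a hash of the key cannot verify, so the
    lock's microcontroller must have the key itself available."""
    expected = hmac.new(stored_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    transcript = plaintext_exchange(SITE_KEY)
    c1 = lock_challenge()
    r1 = key_response(SITE_KEY, c1)
    c2 = lock_challenge()          # a later session uses a new nonce
    return {
        "plaintext_leaks_key": eavesdropper_learns_key(transcript, SITE_KEY),
        "genuine_key_accepted": lock_verify(SITE_KEY, c1, r1),
        "replayed_response_rejected": not lock_verify(SITE_KEY, c2, r1),
        "sniffed_response_reveals_key": SITE_KEY in r1,
        "hash_of_key_cannot_verify": not lock_verify(
            hashlib.sha256(SITE_KEY).digest(), c1, r1),
    }
```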

------
meowface
Were these vulnerabilities disclosed to CyberLock at all before the results
were published? If not, I can't blame them for being angry. Not saying they
shouldn't be publicly disclosed in addition to private disclosure, but you
have to give a company a fair chance to review the vulnerabilities and at
least respond to you before you publish.

~~~
AngrySkillzz
They told the company at least a day beforehand:
[https://t.co/dnvq8F3Ad0](https://t.co/dnvq8F3Ad0)

~~~
themartorana
That's a significantly short amount of time to be able to address an issue
before knowledge of the vulnerability becomes public knowledge.

I'm all for releasing a vulnerability after it a) is mitigated or b) becomes
clear the responsible party has no plans to address the vulnerability in a
timely fashion.

One day is in no way responsible unless the researchers were told pointedly
that there was no plan to address the issues.

IMHO.

~~~
masklinn
They (claim they) gave the company 30 days, and assert they could have
extended it if it seemed a fix was upcoming and a few more days were
necessary, but they only ever got ignored or lawyer-threatened over it.

------
swamp40
> _An IOActive spokesman said the company has no indication CyberLock will
> take any legal action._

Well, IANAL, but I can pretty much guarantee they _are_ going to get sued.

As many people say, you only get one reputation, and you must defend it
vigorously.

And as many other people say, don't piss into the wind and expect not to get
wet...

~~~
tehwalrus
Slander/Libel, in the UK where this isn't, has to contain falsehoods.

Can people in the US really sue each other for reputational damage even for
saying only _true_ things? If so, that is bizarre IMO.

~~~
JupiterMoon
> Slander/Libel, in the UK where this isn't, has to contain falsehoods.

Be careful, this is a dangerous interpretation of UK law. Slander/Libel must
contain some element that the person doing the saying/publishing cannot prove
in court. Note the burden of proof lies on the person saying/writing rather
than the person suing.

(I am not a lawyer and this post does not constitute legal advice.)

~~~
tehwalrus
Sorry, yes, I am aware that the burden of proof is on the accused slanderer,
since these are civil rather than criminal cases. I appreciate that that
wasn't clear from my original comment.

------
dzhiurgis
Wouldn't it be easier to just cut off the lock and replace it with a fake
imitation that accepts any key?

~~~
Sanddancer
That'll just get you unrestricted access to that one area. This flaw lets you
get the master key, and with that, you have unrestricted access to every
locked room in the facility.

------
blueskin_
> 'Cyber'

Literally laughed out loud. It's just become too much of a joke now.