Technology
4:39 am
Fri August 8, 2014

When Hackers Test For Flaws, They Might Earn Cash — Or Threats

Originally published on Sat August 9, 2014 3:19 pm

To hack or not to hack? That's a hot question in Las Vegas this week. Many attendees at the two conferences in town, Black Hat and Def Con, are security researchers: people who poke at websites, smartphones and other wireless devices to look for gaping security holes that companies should fix. But even when they're hacking with good intent, they can get into big trouble.

Take security researcher Logan Lamb. He was supposed to be on stage giving a presentation. Instead he's standing in a corner, literally trembling as he talks.

"I was going to be presenting," he says. "Because of these pressures put on me, I can't now."

Lamb won't spell out the pressures. But it's a well-known fact in these hallways that companies threaten people who find weaknesses in their software.

Lamb, based in Knoxville, Tenn., tested three popular home alarm systems to see if they're easy to hack. He says he did this in his own apartment and at two friends' houses. "I just pushed the cats off the kitchen table, threw all my gear on the table, and walk[ed] around, trying to set things off and suppress them."

Lamb found he could break the communication between the alarm sensors that monitor movement and the keypad that tells the corporate network when an intruder has broken in. He could also fake an intruder to set off a false alarm.

He says it was fairly easy because the makers of these wireless devices left them unencrypted.

"So some guy with the right hardware could sit out in front of someone's home and listen in. That's pretty disconcerting," Lamb says.

But he won't name the home security systems he hacked. When asked, he stutters: "I — I can't go into that."

Security firms Honeywell, ADT Corp. and Vivint were all named in an online summary of his research, which was later pulled from the Black Hat website. None of the companies responded immediately to NPR's inquiry. The official word from the conference organizer is that Lamb pulled his own talk.

Security researcher Jesus Molina did give his talk. He gives a quick recap: "At a hotel, which is a five-star luxury hotel, I was able to control every device in every room."

Molina, based in San Francisco, says he checked into a Starwood-owned hotel as a guest. The rooms were high-tech, with an iPad that acted as a remote control for the TV, lights, blinds and other appliances.

Molina noticed that the iPad in his room was on the open guest network. So from his computer, he could see and record transmissions, figure out the protocol and spoof the iPad.

He suspected this was a systemic flaw across the hotel. To really nail this theory, he had to try it out. So he called the front desk and said, "I don't want this suite. I want another room." And after a few transfers to new rooms, he cracked the pattern and created a dictionary of every device.

Under U.S. law, security researchers are obligated to tell companies about the holes they find. And Molina did that — after he was safely back in the U.S.

There is one more key detail: The luxury hotel Molina hacked is in China.

He poses the rhetorical question, "It would be very sad for me to end up in a Chinese jail just because I was trying to prove a point, right?"

Kurt Opsahl, a lawyer with the Electronic Frontier Foundation, doubts that Molina could pull off that security research on domestic soil. "I don't know what Chinese wiretap laws [are], but if you wanted to try to replicate that research here, it probably would be a good idea to speak to a lawyer first."

Opsahl is not giving legal advice about this case or the many others he hears in Las Vegas. The laws that govern computer crimes, which were passed back in the 1980s, are just too complex.

But he does share this rule of thumb: "One of the things that people need to be cautious of is accessing things without authorization, accessing packets without the consent of the parties involved."

"Parties involved" could include the company that makes the faulty product. And it can feel like a Catch-22. Researchers might think they're being helpful. But the companies may want to suppress information about their security weaknesses, sometimes through threats.

Attorney Marcia Hofmann says companies threaten civil lawsuits regularly. Say a well-intentioned hacker discovers a bug and reports it. "If the company wants to turn around and sue," she said during a Black Hat panel, "they could say the cost of fixing the vulnerability perhaps might be loss."

The high-tech companies of Silicon Valley have set a new precedent. Their so-called "bug bounty programs" reward security researchers who find and properly report software vulnerabilities. Alex Stamos, the chief security officer at Yahoo, says his company is inundated with reports of bugs — many of which are poorly written and hard to comprehend.

A handful of groups are cropping up now to replicate and improve the bug bounty system across other sectors. Casey Ellis, CEO of Bugcrowd, says, "Companies are starting to wake up and realize they need the help." His startup manages that process, by vetting security researchers for identity and quality of work.

Updated on Friday, August 8 at 4:58p.m. ET:

Honeywell, a maker of Internet of Things appliances, had this to say about potential security threats to its home alarm products:

"Honeywell takes any reports of possible vulnerabilities very seriously and we are aggressively investigating this issue. Our policy is to work collaboratively with researchers and others to strengthen cyber security in a constructive, timely and responsible manner that protects end-users."

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

DAVID GREENE, HOST:

To hack or not to hack - that is the question in Las Vegas this week at two conferences. One's called Black Hat, the other, Defcon. Many of the attendees are people who poke at websites, smart phones and other wireless devices looking for security gaps that companies should fix. But even when they're hacking with good intentions, they can get into big trouble. NPR's Aarti Shahani reports.

AARTI SHAHANI, BYLINE: Security researcher Logan Lamb was supposed to be on stage giving a presentation. Instead, he's standing in a corner literally trembling as he talks to me.

LOGAN LAMB: Well, I was going to be presenting - right? - and because of these pressures put on me, I can't now.

SHAHANI: Lamb won't spell out the pressures, but it's a well-known fact in these hallways that companies threaten people who find weaknesses in their software. Lamb, who's based in Knoxville, Tennessee, tested three well-known home alarm systems to see if they're easy to hack. He says he did this in his own apartment and at two friends' houses.

LAMB: I just, you know, push the cats off the kitchen table, throw all my gear on the table and walk around trying to set things off and suppress them.

SHAHANI: Lamb found that inside a home, he could break the communication between the sensors that monitor movements and the keypad that tells the corporate network when an intruder has broken in. He could also fake an intruder to set off a false alarm. He says it was fairly easy because the makers of these wireless devices left them unencrypted.

LAMB: So some guy with the right hardware can sit out in front of someone's home and listen in. That's pretty disconcerting, I think.

SHAHANI: And which home security systems - by who?

LAMB: I can't go into that.

SHAHANI: The companies Honeywell, ADT Corp and Vivint were all named in the online summary of his research. None responded immediately to NPR's inquiry. Security researcher Jesus Molina did give his talk. And it went something like this...

JESUS MOLINA: At the hotel, which is a five-star luxury hotel, I was able to control every device in every room.

SHAHANI: Molina, based in San Francisco, says he checked into a Starwood-owned hotel as a guest. The rooms were high tech, with an iPad that acted as a remote control for the appliances.

MOLINA: The TVs, the lights, the blinds...

SHAHANI: And Molina noticed the iPad in his room was on the open guest network. So from his computer, he could see and record transmissions, figure out the protocol and spoof the iPad. He suspected this was a systemic flaw across all rooms. And to really nail it, he kept telling the front desk he needed a new room.

MOLINA: I went to three or four rooms. I changed rooms continuously which ended me in a suite. And then I had to say I don't want this suite. I want another room.

SHAHANI: He cracked the pattern and created a dictionary of every device. Now under U.S. law, security researchers are obliged to tell companies about the holes they find. And Molina did that after he was safely back in the U.S. You see, there is one more key detail. Molina's luxury hotel is in China.

MOLINA: It would be very sad for me to end up in a Chinese jail just because I was trying to prove a point, right?

KURT OPSAHL: I mean, I don't know about Chinese wiretap laws, but if you wanted to try and replicate that research here, it probably would be a good idea to speak to a lawyer first.

SHAHANI: Kurt Opsahl is a lawyer with the nonprofit Electronic Frontier Foundation. He's not giving legal advice about this case or the many others he hears in Las Vegas. But he does share this rule of thumb.

OPSAHL: One of the things that people need to be cautious of is accessing things without authorization, accessing packets without the consent of the parties involved.

SHAHANI: Parties involved could include the company that makes the faulty product. A handful of groups are cropping up now, trying to convince companies that hackers who find and report bugs can be great for business, and should get paid a bug bounty for all their hard work. Aarti Shahani, NPR News, Las Vegas. Transcript provided by NPR, Copyright NPR.