December 13, 2016
Damaging INFOSEC Credibility: News Articles and Researchers Overhyping Security Threats
Written by
David Kennedy
Leadership
Watching the election cycle has brought some interesting perspective to the term "fake news" and what the term really means. We struggle with a lot of the same issues in the security industry and unfortunately, most average users cannot differentiate what's real from what's not. The news wants to sensationalize things to the point of being highly inaccurate, and for the purpose of fear. I've been reading through a number of INFOSEC articles lately that claim the world is ending based on a specific bug. Going through the details, the steps to recreate and actively exploit most of these "massive" and "most serious" exploits turn out to be low risk and extremely low probability. I don't want to take away from the research being done in this industry, but there are some highly talented folks in this industry that are completely exaggerating findings today, and to the news media. We have to do better at explaining security flaws, and not attempt to get a front-page story because of our research.
A recent example is an article from securityledger.com (link to article). The article’s title: "Vulnerability Prompts Warning: Stop Using Netgear WiFi Routers". At first glance, especially being non-technical, I would freak out. Netgear currently owns a large percentage of the market share for home routers. To make a statement that all users should discontinue use entirely, effectively crippling a large percentage of home users and wireless devices, this must be one of the largest home router bugs we have ever seen. For me, in order to make a statement like this, the following criteria would need to be met (my own personal opinion):
1. Ability to take complete control of the router remotely. This would mean, without needing any phishing techniques, the ability to mass pwn anyone that has ever purchased a Netgear router.
2. It would need to affect all versions of Netgear as the title explains. Not just newer versions, specific router types, literally every single Netgear router.
3. The bug would need to be public and exploited in the wild, pwning all the home users and causing catastrophic loss of Xbox time at home. BF1 users will be sad pandas.
4. Total shellshocking abilities to totally Dan Kaminsky-DNS tackle all Netgear routers to epic proportions.
This is purely my opinion of what constitutes taking all specific brands of routers off the Internet. Your opinion may vary, but you get the gist. It would have to be so heinous (Bill and Ted would be proud) that it causes critical risk.
Diving into the details:
"A security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site"
We are looking at a cross-site request forgery (CSRF) type attack. It requires the user to be phished or to visit a malicious website. So, let me understand this: CERT is recommending shutting down any Netgear router based on the low probability that A. the exploit is being actively used in the wild (the article states it exists only as a POC), and B. the user could be phished and the attacker would need to specifically target the Netgear device.
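To make the CSRF point concrete from the defender's side, here is an added example (my own illustration, not code from the article, from CERT, or from Netgear's firmware) of a minimal router admin endpoint in two forms: one that trusts the session cookie alone, so a form auto-submitted from an attacker's page rides on the victim's logged-in browser, and one that additionally checks the request's Origin/Referer and a per-session CSRF token. The `RouterAdmin` class, the `/set_dns` path, the `192.168.1.1` management origin and the `evil.example` page are all constructed for the demonstration. Note what the vulnerable path still needs: a victim who is logged in to the router and who visits the attacker's page, which is exactly why the exposure is real but the probability is low.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed: the router's own management origin (scheme + host).
ROUTER_ORIGIN = "http://192.168.1.1"


@dataclass
class Request:
    """A minimal HTTP request model: only the fields the checks need."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port] so a prefix like 192.168.1.10 can't spoof 192.168.1.1."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


class RouterAdmin:
    """Hypothetical admin backend with a 'set DNS servers' action."""

    def __init__(self):
        self.sessions = {}            # session id -> per-session CSRF token
        self.dns_servers = ["192.168.1.1"]

    def login(self):
        """Issue a session cookie and a CSRF token bound to it."""
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def set_dns_vulnerable(self, req: Request) -> int:
        # Only the cookie is checked. Browsers attach cookies to cross-site
        # form POSTs, so an attacker's page can drive this action through the
        # victim's logged-in session without ever seeing the cookie.
        if req.cookies.get("session") not in self.sessions:
            return 403
        self.dns_servers = [req.form["dns"]]
        return 200

    def set_dns_hardened(self, req: Request) -> int:
        sid = req.cookies.get("session")
        if sid not in self.sessions:
            return 403
        # 1. The request must originate from the router's own UI.
        source = req.headers.get("Origin") or req.headers.get("Referer")
        if not source or _origin_of(source) != ROUTER_ORIGIN:
            return 403
        # 2. The form must carry the secret token the attacker cannot read
        #    (same-origin policy keeps it out of reach of evil.example).
        if not hmac.compare_digest(req.form.get("csrf", ""), self.sessions[sid]):
            return 403
        self.dns_servers = [req.form["dns"]]
        return 200


def simulate() -> dict:
    """Replay the same cross-site POST against both handlers, plus a legitimate one."""
    router = RouterAdmin()
    sid, token = router.login()   # victim is logged in to the router

    # Constructed: form POST auto-submitted from the attacker's page. The browser
    # adds the session cookie; the Origin header tells the truth about the source.
    cross_site = Request("POST", "/set_dns",
                         headers={"Origin": "http://evil.example"},
                         cookies={"session": sid},
                         form={"dns": "198.51.100.53"})  # attacker's resolver

    legit = Request("POST", "/set_dns",
                    headers={"Origin": ROUTER_ORIGIN},
                    cookies={"session": sid},
                    form={"dns": "9.9.9.9", "csrf": token})

    results = {}
    results["cross_site_vulnerable"] = router.set_dns_vulnerable(cross_site)
    results["dns_after_vulnerable"] = router.dns_servers[0]
    router.dns_servers = ["192.168.1.1"]
    results["cross_site_hardened"] = router.set_dns_hardened(cross_site)
    results["dns_after_hardened"] = router.dns_servers[0]
    results["legit_hardened"] = router.set_dns_hardened(legit)
    return results


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The hardened handler rejects the cross-site request on the Origin check before the token is even compared; either check alone would stop this particular request, and layering them covers clients that strip Referer. Marking the session cookie `SameSite=Lax` or `Strict` is a third, browser-enforced layer for the same problem.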
This is a direct exaggeration by the news, and it highlights our responsibility as researchers to portray the right information. I'm not saying the exposures talked about in these articles aren't real "exposures"; they are security issues and potential scenarios. But exaggerating what can be performed, and the resulting headlines, hurts the industry and the company, and is directly irresponsible. This article is hardly the only example. There is a recent article from NetworkWorld titled "Researchers exploit app flaw and steal Tesla Model S" (link to article), and, being a Tesla owner, I freaked out. I don't want anyone to be able to steal my car. That would suck. Like epic suck. I have to imagine every Tesla Model S owner was like, “WOAAAAAA Tesla, this is major. Someone can steal my car remotely?” In order to make a claim like this in the media, I would assume:
1. By downloading the Tesla app in the play store, an unauthenticated attacker could take control over any model S and steal that car and drive off using Ludicrous Mode in order to impress friends.
2. An API exposed on the outside allows an unauthenticated attacker to jack every Tesla on the market and have a crazy Tesla autopilot party at their house.
3. You can cause the car to drive off a cliff killing the Tesla-loving individual (probably sporting a Tesla t-shirt like me currently).
Let's go into some of the quotes in the article:
“Because of lack of security in the Tesla smartphone app,”
“cyber criminals could take control of the company’s vehicles, to the point where they can track and locate the car in real time, and unlock and drive the car away unhindered.”
I picture cyber thieves in black hoodies mass pwning all model S's and driving off. At this point as a Model S owner, I should be highly panicked.
Diving into the research technically and quoting the article directly:
"Steps to pull this off include social engineering a person to install a malware-tainted app, such as while the person is using free public Wi-Fi."
Uhhhhh.
So wait, first, the attacker needs to social engineer a victim into installing a fake Tesla app . . . while using free public Wi-Fi?? . . . Next, the article states:
"When the owner later signed into his Tesla app, the malware allowed the hacker to capture the owner’s username and password. "
Bruh. That's how computers work. If you download a RE app that captures usernames and passwords, you literally can login as that person. That's how technology works.
More on the article:
"The Promon hacker then tracked the Tesla to where it was parked, unlocked the doors, enabled keyless driving and drove off in the stolen Tesla."
Yeah... That's how the mobile app works. You need to have the mobile app, and a username and password. So. . . I need to phish someone who I know owns a Model S, get them to install a malicious backdoored app somehow, then track them to their location and steal their car. Sounds super scary with a high probability of occurring in the wild. You could argue Tesla should be using 2FA - okay, that would be good.
In the security industry, we should be held accountable to the media and for what we say. I ran into this multiple times when working with the media during the healthcare.gov issues. I was on a show and they had stated I hacked into hc.gov and extracted 5 million records. This was not in any stretch accurate or anywhere near reality. I corrected them immediately, and continue to do so whenever that is brought up. I didn't hack anything, I didn't extract anything, I didn't have any access to people's information. This needed to be stated. When working with the news, they have a very myopic view of technology; it is up to us to clearly define what that means and why it’s important. Exaggerating news in order to make a story does more harm than good.
I think we should also hold security researchers and organizations responsible for the information they present. If it's inaccurate, they should be called out as inaccurate, and that should be noted and documented. We all make mistakes, but some of these stories coming out now paint a bleak picture of a number of companies which may or may not have good security. They are just inaccurate. As an industry, we need to push researchers away from a focus on fame and toward the legitimate nature of security exposures. Unfortunately, stunt hacking is an actual thing, and something where researchers attempt to get their 1 or 2 days of fame in order to scare individuals into an action. A claim from CERT that all Netgear routers should be discontinued is disconcerting and over the top for any understanding of risk. Claiming that anyone can steal a Model S remotely is some of the most ridiculous news I have seen in information security in a while.
I'm going to make a point to call out these news articles in the future as inaccurate and not within what should be reported within security. Researchers need to report factual information without exaggeration. We need to report those that do not. I hope you do too.
This article was written by David Kennedy, founder of TrustedSec.