A Different Perspective On The PTV Website Vulnerability Debacle

The story of Australian teenager Joshua Rogers, who identified a vulnerability in the website of Public Transport Victoria (PTV) and reported it to PTV, and of PTV's now infamous response of reporting Joshua to the police, has been well covered.

Critics of PTV's reaction point out that its behavior continues the terrible practice of demonizing and criminalizing security research, as in the story of First State Superannuation, Weev's famous dust-up with AT&T, and other similar cases.

The common thinking, as pointed out in a CSO article on the PTV situation, is that people with the ability to hack are bad or dangerous, ignoring the fact that many are good people who are trying to help out and earn an honest living.

I suspect that the security community expected PTV not only to fix the vulnerability, which it did, but also to thank Joshua, or even reward him; certainly not to report him to the police. This seems sensible, but I'd like to offer a different perspective on how this may have come about.

First, though, I’d like to point out that I am not defending PTV’s actions. I generally find the behavior of companies who respond to above-board reports of vulnerabilities in their products with lawsuits and threats of legal action to be reprehensible and dangerous to society. However, in this case, I see some logic.

In this particular case, PTV was notified that someone had found a vulnerability that allowed access to a database containing customer information, including credit card numbers. This is a serious problem for PTV. I am not aware of the nature of the communication between PTV and Joshua, but I would bet PTV asked whether Joshua had accessed any records, made any copies of the data or communicated the vulnerability to anyone else. Assuming that happened, I would expect Joshua, who appears to be an upstanding person, to have said no to those questions, assuming the answer really was no.

Would PTV be performing proper due diligence by accepting Joshua's word? If you were a PTV customer whose information was exposed, or a bank that would have to eat the cost of the resulting credit card fraud, or even PTV itself, which might be sued for damages, would you find that acceptable? Or would you rather demonstrate to those stakeholders that you took all reasonable actions by fixing the problem promptly and asking the police to investigate whether data may have been stolen? Wouldn't it seem more acceptable to let Joshua convince the police that he did not do anything nefarious with the information he had access to?

There is not enough information to know whether this is really what motivated PTV, or whether it was indeed the usual knee-jerk reaction to a dangerous hacker-type who defiled their reputation with his supposed misdeed of observing and reporting a security flaw. Time will likely tell.

***Update Jan 13, 2014
Dave Lewis posted the transcript of his interview with Joshua Rogers. The interview sheds more light on the situation, and it’s still hard to tell what PTV’s motivation for involving the police is. What is interesting, though, is that PTV never acknowledged Joshua’s report.

Photo by Brian Searle

Waking Up To Hardware Threats

For many years, hardware-based attacks were the stuff of hypothetical conversations and security conference presentations. 2013 changed the nature of the game, and as an industry we are waking up to the real threats posed by hardware.

First, we learned about the ability to weaken the random number generators in Intel CPUs during the manufacturing process in a manner that is extremely difficult to detect. Then we had a report about a researcher creating malware resident on a video card – of course, the story there was that the researcher created a prototype anti-malware tool to detect malware-laden video cards. While these were interesting stories, they were essentially more of the same: theoretical attacks.

Then, later in the year, Dragos Ruiu began discussing what he believed to be a potent new piece of malware that he named "badBIOS". This created a firestorm of speculation, both that Dragos is crazy and that some government has it out for him. A lot was written about why this was and was not possible. badBIOS seemed to represent the worst-case scenario for malware: very hard to detect, persistent across operating system re-installations and able to communicate across air gaps. All with no indication of what the intended purpose of the malware is, if the malware is even real.

Most recently, we learned from leaked NSA documents reported by Der Spiegel that the NSA will intercept shipments of computers destined for target individuals or organizations and "…often seek to place their malicious code in BIOS, software located directly on a computer's motherboard…" and "… also attack firmware on computer hard drives…" with "…spyware capable of embedding itself unnoticed into hard drives…". We appear to have jumped from the realm of hypothetical and theoretical attacks involving hardware into a world where this is apparently a commonplace and well-established practice.

At the same time, we have seen a hardware hacker take control of a Western Digital hard drive and essentially install Linux on the embedded controller, theorizing that such a strategy could be used to hide persistent malware, or even to destroy data on a disk while it is being copied, while otherwise allowing normal access to the data on the drive.

Likewise, at the annual CCC in Germany, a presentation was delivered on taking control of the embedded microcontroller of SD cards, similarly offering the ability to hide malware or data.

Defending against hardware-based attacks is going to be very challenging. I see a lot of opportunity for security companies to create strategies to attest to the integrity of attached devices, such as hard drives, BIOS and SD cards – not just their contents, but the actual controllers – if such a thing is even realistic to accomplish.
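As an added illustration of what one such attestation strategy looks like (this is example code written for this page, not the post's own material and not any vendor's product), the script below applies a measured-boot-style hash chain to a set of firmware images: each image is hashed, the hashes are folded into a single register in a fixed order, and the final value is compared against a golden value recorded when the images were known to be good. The "firmware images" are constructed byte strings standing in for a BIOS, a disk-controller firmware and an SD-card-controller firmware; the function and component names are assumptions for the example.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed sample "firmware images" standing in for BIOS, disk-controller
# and SD-card-controller code. Real images would be read from the devices.
GOOD_COMPONENTS: List[Tuple[str, bytes]] = [
    ("bios", b"VENDOR-BIOS v1.02 " + bytes(range(64))),
    ("hdd-ctrl-fw", b"HDD-CONTROLLER-FW 2013.09 " + bytes(range(32, 96))),
    ("sd-ctrl-fw", b"SD-CARD-MCU-FW 0.7 " + bytes(range(16, 48))),
]

# The same set with a modified disk-controller image: constructed tampering,
# in the spirit of the Linux-on-the-drive-controller scenario above.
TAMPERED_COMPONENTS: List[Tuple[str, bytes]] = [
    (name, blob if name != "hdd-ctrl-fw" else blob + b"\x90\x90BACKDOOR")
    for name, blob in GOOD_COMPONENTS
]

PCR_INIT = bytes(32)  # the register starts at all zeros, as a TPM PCR does


def measure(blob: bytes) -> bytes:
    """Measurement of one image: its SHA-256 digest."""
    return hashlib.sha256(blob).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || measurement).

    One-way and order-sensitive, so the final value commits to every
    measurement and to the sequence in which they were taken.
    """
    return hashlib.sha256(register + measurement).digest()


def measure_chain(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Return (final register value, event log of per-component digests)."""
    register = PCR_INIT
    log: List[Tuple[str, str]] = []
    for name, blob in components:
        m = measure(blob)
        log.append((name, m.hex()))
        register = extend(register, m)
    return register, log


def compute_golden(components: List[Tuple[str, bytes]]) -> bytes:
    """Provisioning-time step: record the expected final value for known-good images."""
    return measure_chain(components)[0]


def verify_chain(components: List[Tuple[str, bytes]], golden: bytes) -> bool:
    """Attestation check: does the observed chain reproduce the golden value?"""
    return measure_chain(components)[0] == golden


def first_mismatch(components: List[Tuple[str, bytes]],
                   golden_log: List[Tuple[str, str]]) -> Optional[str]:
    """Walk the event log against the golden log and name the first component
    whose digest differs (None if the logs agree). A mismatching final register
    only says *something* changed; the log says *what*."""
    _, observed_log = measure_chain(components)
    for (name, digest), (_, expected) in zip(observed_log, golden_log):
        if digest != expected:
            return name
    return None


if __name__ == "__main__":
    golden = compute_golden(GOOD_COMPONENTS)
    _, golden_log = measure_chain(GOOD_COMPONENTS)
    print("known-good set verifies:", verify_chain(GOOD_COMPONENTS, golden))
    print("tampered set verifies:  ", verify_chain(TAMPERED_COMPONENTS, golden))
    print("first differing image:  ", first_mismatch(TAMPERED_COMPONENTS, golden_log))
```

The caveat a practitioner should keep in mind is the one the paragraph above hints at: this only attests to what the measuring agent was shown. If the device's own controller is compromised, it can hand back a pristine firmware image on request while running something else, so a scheme like this is only as strong as the root of trust doing the measurement, and measuring "the actual controllers, not just the contents" needs either a trusted read path into the device or hardware help from the device itself.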

This is an interesting new world that we are waking up to, and I look forward to seeing how our industry will take on the challenges it presents.