Most Security Pros Want Life-Threatening Flaws Made Public

Nearly two-thirds of IT security professionals believe that potentially life-threatening vulnerabilities should be made public if disclosure to the manufacturer hasn’t worked, according to a new study.

Unified security management vendor AlienVault polled over 650 security professionals at Black Hat 2015 to gauge their views on what should be done if a serious flaw is found on a critical internet-connected device.

Although the majority agreed that the information should be made public if the manufacturer takes no action, they differed on how that could be done.

Some 19% said it should be tested with ‘willing participants’ in a public space, while the same percentage favored full disclosure to the media.

In addition, 13% said the best way to make the information public would be to reveal it during a presentation or talk at a conference, while the same number claimed proving the vulnerability on a live system would be best.

Just over one third (36%) argued that such a flaw would be best demonstrated at a private event with willing participants.

The question was precipitated by several presentations at Black Hat 2015 which revealed theoretical but potentially life-threatening flaws in IoT-related products.

Most widely publicized was research by Charlie Miller and Chris Valasek which revealed how flaws in a 2014 Jeep Cherokee could be exploited by remote hackers to take control of the steering and brakes.

AlienVault security advocate Javvad Malik claimed that the question of what counts as “life threatening” is likely to be disputed by manufacturers in the IoT space trying to downplay any theoretical research.

“In my view, the starting point should be where the vulnerability is directly and immediately related to the threat. What I mean by this is, say I can get into a hospital and change the results of a test. It could or could not have a life-threatening impact depending on the patient, the type of change etc. and there could be other mitigating factors in place,” he told Infosecurity by email.

“So that’s probably not life-threatening with immediacy in this regard. Whereas, if I can access someone’s insulin pump and administer a lethal dose, that could threaten their life pretty quickly.”

In fact, the FDA was forced to issue an advisory in August warning hospitals against using a specific type of drug infusion pump manufactured by Hospira, after researcher Billy Rios demonstrated how it could be remotely hacked.

The AlienVault poll also found that there’s still widespread reluctance to share threat intelligence which could potentially benefit the security community. Of those that said they did share, around half (49%) only do so with trusted peers while 34% only do so internally.

Malik argued that the UK government should consider creating frameworks to enable the safe and secure sharing of threat information.

“Many companies need guidance as to what information would be useful to share and how to utilize threat data themselves,” he added. “To start with though, it would be useful for the government to just raise awareness and highlight the need for this.”
