As businesses continue to thrive on technological advancements, finding and quickly patching security and privacy flaws in that technology may be the difference between a headline in The Wall Street Journal and a happy customer base. It’s true that building systems can be a difficult ordeal and that finding every vulnerability from the outset is next to impossible.
That’s why some companies actually hire White Hat hackers or sponsor hackathons to scour their systems and point out any vulnerabilities. But even so, with a generation of tech savvy users—many equipped with good intentions—it’s likely other flaws can and will be discovered.
So what do you do if one of your customers finds a flaw in one of your products?
Take this recent example involving GoPro’s camera WiFi reset protocol. Self-described security expert Ilya Chernyakov found a significant vulnerability while helping his friend connect to the camera’s app. The app allows users to access and control the camera through a WiFi connection. Of course, the engineers at GoPro designed a protocol to help users reset their lost passwords, which involves downloading a zip file from GoPro’s support page. The user then must copy the file to an SD card, place it in the camera and then reboot.
But here’s the rub: The link contained a set of numbers that stood out to Chernyakov.[quote]http://cbcdn2.gp-static.com/uploads/firmware-bundles/firmware_bundle/8605145/UPDATE.zip[/quote] Chernyakov explains:
[quote]Notice that there is a number in the link, which acts like a token to tell one file from another, I marked it in bold. All you need to do to access someone else’s WiFi settings is to change this number. I tried changing this number to +/- 1 and got other people's files. [/quote]
Chernyakov then wrote up some Python script and eventually compiled a list of 1,000 usernames and passwords.
Ooops. Luckily for those users and GoPro, Chernyakov had no intention of taking advantage of the exploitation. Apparently, Chernyakov's primary reason for playing nice was based on the difficulty of going around looking for snowboarders on a mountainside equipped with GoPros. Significantly, however, Chernyakov said that ethics played a role as well, noting “we are dealing with personal data, and some people may be insulted.”
So there are a couple of things to think about here. Could GoPro have done more to prevent this flaw? Perhaps, but updating things like firmware and devices that aren’t directly connected to the Internet is challenging. Plus, it’s an issue currently on the Federal Trade Commission’s radar. At the IAPP Global Privacy Summit in early March, Federal Trade Commissioner Julie Brill highlighted her concerns with updating and providing consumer patches for Internet-of-Things technology.
Last year, I wrote about privacy and security vulnerabilities found in Foscam cameras, an oversight that allowed adversaries to easily hack baby monitors, including live-streaming video feeds. In fact, just months later, a website published more than 73,000 different video feeds from an array of webcam manufacturers, exposing feeds from users who did not change default passwords. Based on the baby monitor incident, five takeaways became immediately apparent:
- Make your users change their passwords upon first use.
- Keep an eye on infosec forums and watch the hacking blogosphere.
- Keep an ear open to consumer complaints and concerns while having a way to communicate patches and updates.
- Rigorously test your devices before going to market.
- And, simply put, just assume people want to hack into your product.
These are still relevant lessons today.
To GoPro’s credit, it appears the company moved fast and corrected the flaw, but notice Chernyakov was not able to contact them directly about this. It was ultimately through Chernyakov’s report to US-CERT that the security engineers at GoPro were alerted to the flaw.
Does your organization have a consumer-facing contact point for these types of information security and privacy issues? If not, why not? If so, how are staff trained? Are they prepared to respond quickly to fix the problem and perhaps notify users the flaw has been fixed? Does your organization have a plan to nimbly get patches into the marketplace?
If not, these may be questions worth answering when something similar is discovered with your products or services.