Lack of Disclosure of Known Vulnerabilities is a Threat in Itself


Imagine a world where you’re an auto-mechanic. One day, while working on a client's car, you discover the seat belt bolts are made of plastic. Shocked, you investigate further and find several other critical safety issues with the vehicle. The door locks don't actually lock the doors (visually, it looks like they're locked), the coolant isn't actually distributed throughout the engine and instead just sits in a container in the engine, and the mirrors have all been replaced with realistic photos.

To the everyday person, nothing appears to be wrong with the car. The engine turns on and transports them from one point to another without causing many problems. To a mechanic, the car is a disaster waiting to happen. Dangerous safety and reliability problems are present and it’s only a matter of time before a catastrophic failure results in serious injury, or worse.

Now imagine that in this world you can tell the owner and the manufacturer about the problems, but nobody else. In fact, just opening up the hood of the car may have broken the law. Without looking under the hood, you would never have discovered any of this. If a family member asked you which car to buy, or avoid, you are not allowed to use your new knowledge to advise them.

You advise the customer, who is rightly shocked and doesn't quite understand how this can happen, or how serious the problems are.

Then, you go on to advise the company. At first, they're not responsive. They don't believe you. When they finally do believe you, you're informed they're "working on a solution". Months go by. People continue to buy and drive these unsafe cars. Frustrated, you again contact the manufacturer, who informs you that they don't think the problems are that serious. Now intensely concerned about others' safety, you inform the company that you will tell everyone about the false door locks. The company responds by threatening a lawsuit.

Meanwhile, news reports start trickling out about increased car thefts. To most people, this might sound like a random increase. You, however, know the increase means the criminals have figured out the doors don't lock properly. People are already being affected, and you're still not allowed to share what you found. Finally, the car company comes out with a fix and a recall. They fix the door locks and the seat belt bolts, but they leave the false mirrors and the coolant problem unaddressed.

That world exists today. The cars are software, and the mechanics are computer security researchers. Every day, researchers are finding vulnerabilities in common software and often are not allowed to talk about or share their findings. Certainly, giving the manufacturer time to fix the problem before publication is the responsible way to get it fixed. However, all too often companies are unresponsive or outright hostile to these findings.

Meanwhile, attackers are finding these same software flaws and exploiting them. These flaws exist in all manner of software and hardware devices, from ubiquitous desktop software such as Adobe Flash to less common devices like Internet-connected cameras, radios, and industrial control devices.

Reporting these flaws is critically important. Failure to do so gives our attackers the means and opportunity to hide and strike from the shadows. At Critical Insight, where our customers are primarily government organizations, we are focused on making the world a safer place. Very often, we discover these unknown vulnerabilities while performing client work. We need our clients' insights to resolve these vulnerabilities with the vendor, and we are always appreciative when we do get them.