In the information security industry’s latest attention-grabbing headline, we have the tale of Charlie Miller and Chris Valasek hacking a Jeep Cherokee and disabling it while driving down the highway. You can read about this hack here.
This is stunt hacking. That is, hacking for the sole purpose of getting attention and promoting oneself or employer.
The time has come for the information security profession to categorically reject stunt hacking. We have serious issues affecting the state of security. Stunt hacking is a massive distraction from those serious issues. It focuses on ramping up emotions and impotent outrage, not solving a real issue. Stunt hacking is not a legitimate form of security research. It is also not an acceptable form of marketing for your respective employers. It is misleading, dangerous, and narcissistic. We denounce Miller and Valasek’s stunt hacking and call upon other security professionals to do the same.
Now, let’s be clear here. These two guys probably have found a serious vulnerability. Auto companies (actually it is usually a third party supplier, not the actual auto company) need to fix this vulnerability. We know this because Anitian has been working to help auto industry suppliers to fix these kinds of vulnerabilities (for full disclosure, we do not work with Fiat Chrysler.) However, we do not have journalists following our penetration testers around waiting for a car to crash.
Which is exactly what these two guys did. They obviously set up this spectacle in advance. They had a journalist in a car and showed off their hacks in the most sensational way possible. They hacked the journalist’s car and then stalled it while driving on a highway. Moreover, when the story broke, they made sure to spread their antics as far and wide as they possibly could, whipping up indignation from as many people as possible. We do not find this respectable, we find this immature.
Now, some will argue that these kinds of hacks bring attention to a problem. However, as we explained in our previous blog entry on the Ethical Conundrums of Vulnerability Research, there is a clear line between altruistically testing the security of a system and legitimately shining a light on a serious issue, and stunt hacking. The primary difference is the intent of the researcher. Similar to Chris Robert’s intent when he executed his airplane hacks, this is not a diligent researching doing controlled experiments. It is self-promotion of the worst kind.
The simplest way to assess the intent of a researcher is to look at how their research was published. Putting out tweets or articles in for-profit magazines is not a legitimate media for publishing vulnerability research.
If this was legitimate research then there would be no journalist in the car. Scientists do not have journalists come into their lab and watch them while they carry out experiments, hoping for some spectacular flameout. They share their research with other scientists who peer review it. They collaborate with others to publish information in a responsible manner. Moreover, they do not get fame and attention until their research is proven to be real.
Likewise, vulnerability researchers need to follow similar protocols. Reporting their research through legitimate peer-reviewed process or directly to the relevant vendor. This is why many companies have bug bounties, to encourage and promote responsible vulnerability research.
Nevertheless, we understand the attraction of stunt hacking. Hacking is fun. In 1995 while working at Microsoft, I hacked an early e-commerce site with a SQL injection attack. It was exciting. However, I also knew I needed to get other people to validate my findings. In 1995, that was nearly impossible since the language did not exist to even describe these attacks.
We have secured businesses for 20 years at Anitian. In this time, we have protected billions in assets. Our intelligence analysts have stopped millions of attacks. Our people have helped build great security leaders for organizations everywhere. Our efforts, as well as the efforts of thousands of other diligent, compassionate, and hard-working security practitioners, have made the Internet a safer place. No journalist follows the system admin around when he/she diligent patches the servers. No social media guru tweets about the firewall rules that a responsible security engineer implements to defend his employers’ intellectual property. Wired magazine does not write stories about risk analysts who help define better controls to reduce the risk to a business. We are focusing on the wrong people when we focus on stunt hackers. We need to focus on the people who make security a reality, not the people who make security a game show.
If you are not part of the solution, then you are the problem. Vulnerability researchers need to stop being all about the problem, and more about the solutions. We have phenomenally advanced technologies that can defend networks, systems, and even car systems. Use those bug bounties to report your efforts diligently and responsibly. If you are resorting to Twitter or magazines to promote your research, then you are not doing legitimate research. You are just showing off. And we do not need any more show-offs. We do not anymore show-offs. We need real security professionals who have solutions.