Two years after a settlement with the FTC, has ASUS still not learned how to receive vulnerability reports from hackers?

Last February, the Taiwanese hardware manufacturer, ASUS, and the Federal Trade Commission (FTC) settled charges that the manufacturer failed to protect consumers. These charges specifically cited a critical vulnerability in its home router equipment from 2014. The vulnerability exposed thousands of consumers’ personal data.
What makes this incident all the more relevant is that last Monday this blog post made the rounds on Hacker News. In this blog post, security researcher Morgan Gangwere describes their experience of disclosing a vulnerability to ASUS. It’s a pretty high impact vulnerability in the ASUS LiveUpdater software that could lead to arbitrary code execution with admin privileges on affected systems. The most interesting part of the blog post is the disclosure timeline:
Timeline:
2016-04-27 Initial discovery
2016-04-28 Attempt to contact vendor (security@asus.com – bounce)
2016-04-28 Disclosure to Microsoft Security Response Center attempting vendor coordination
2016-05-09 Attempt to contact vendor (via phone; told to go away)
2016-05-10 Disclosure to CERT/CC (tracked as VU#215055)
2016-05-11 CERT/CC attempts to contact vendor
2016-05-24 CERT/CC: No response from vendor
2016-06-01 CERT/CC: Disclose at will
2016-06-03 Public disclosure
You can see that Morgan attempted numerous times to notify ASUS about this vulnerability, starting in late April. Even CERT/CC tried and was unsuccessful. The disclosure timeline looks frighteningly similar to the experience of the security researchers who tried to contact ASUS in 2014, the case for which ASUS just settled with the FTC.
There is a lot the industry can learn from this. In response to the settlement with ASUS, the FTC wrote an excellent blog post with guidance for IoT vendors. Two important things stand out for us in this case:
“What’s more, security researchers had contacted ASUS to sound warnings, but it often took months – and sometimes over a year – for ASUS to respond.”
As vulnerability coordination junkies at HackerOne, we know all too well how important timely responses are. When an external party shares a potential security vulnerability, you must always take it seriously and investigate. Timely responses and regular communication, including status updates, are key to successful vulnerability coordination or bug bounty programs.
“Even more troubling, alleges the FTC, is that when ASUS developed security patches, it didn’t notify consumers. […] According to the complaint, more than a year went by and consumers were still getting the message that their “router’s current firmware is the latest version” when newer firmware with critical security updates was available.”
The absence of a notification to customers has probably left users vulnerable much longer than necessary. Notifying your customers about a critical software update is an extremely important step of the vulnerability coordination process. The more transparent and swift your response is, the more respect you will get from your users.
This case clearly shows that not having a vulnerability disclosure and coordination process in place can have serious consequences and impact your customers greatly. The FTC actually expects businesses to publicize a channel for receiving security vulnerability reports, as documented in their Start with Security guide:
“Have an effective process in place to receive and address security vulnerability reports. Consider a clearly publicized and effective channel (for example, a dedicated email address like security@yourcompany.com) for receiving reports and flagging them for your security staff.”
All these practices that failed in ASUS’ case are considered security industry best practices and documented in ISO 29147 and ISO 30111. Yet they are ignored or overlooked by too many. In November, HackerOne research demonstrated that 94 percent of Forbes’ Global 2000 have no established channel for receiving external vulnerability reports. Of the top 100 publicly traded companies in the Global 2000, only 13 percent have disclosure programs.
Using HackerOne’s vulnerability coordination platform, companies gain access to an intuitive workflow and sophisticated feature set that is fully compliant with those industry standards. If you still haven’t established a clear vulnerability coordination process, you can try HackerOne for free!
Michiel Prins
Co-founder of HackerOne