Channel: Non sum qualis eram.

You'd think they'd know how to research...

So, I'm annoyed. 

An "independent security consulting firm" (referred to as "the Firm" from here on) recently published a report detailing security vulnerabilities in some "IoT" devices.
("IoT devices" is quoted because I don't particularly think of NAS devices or routers as IoT devices, but I'm not gonna argue the point.)

One of the devices they tested happens to be one sold and supported by the company I work for. This is where I point out that ANY OPINION EXPRESSED OR IMPLIED here are SOLELY my own and said opinions are not necessarily shared, approved, or endorsed by the company I work for.  And I'm gonna be purposefully vague about certain details for that reason. 

I am not going to comment on the alleged vulnerability for a couple of reasons: One, I haven't had the brainpower to test its current applicability, and it's not my job. I am not a firmware developer for this organization, and any work I did would be on my own time, on my own dime, and would not be used, and I'm not in the mood to throw that kind of effort away.

I have a couple issues here, though: 

The first: the alleged vulnerability was found in a firmware version which was released on 2018.1.11 and was superseded on 2018.3.28. The Firm specifically stated in their report that the device had "been updated to its latest firmware". Additionally, they claim they first attempted to "responsibly disclose" their findings on 2018.6.22. On that date, the firmware version they tested was 2 versions behind, and the latest release had been made nearly a month earlier (2018.05.29). So, either they found this bug and sat on it for months before attempting to disclose, never bothering to see if there was an available firmware update which may have changed their findings, or they deliberately tested an out-of-date firmware. And, for those who will argue "maybe they didn't know there was a firmware update", I have 3 things to say: 1: they explicitly said they used the latest firmware, 2: a properly configured unit which has an outbound connection to the internet will notify you that there is a firmware update available, and 3: they are a RESEARCH CONSULTING firm; they should know to check.

The second issue, which is in my opinion the more important issue: their so-called "responsible disclosure" was anything but. This requires some background information.

The company I work for is a subsidiary of a subsidiary, and specifically handles all business in North America, and some of South America. We have sibling organisations covering various regions of the world (including the EU, which will be important later), and the parent and grandparent companies are based in Japan. All of this information is publicly available.

The Firm specifically cites the Americas subsidiary as the responsible party they were disclosing to. Which is fine, if a bit odd considering that all development for this product is handled by the JP Parent company. I mean, the Firm is in the US, the home office for the Americas division of the company is in the US, keep things close to home. All divisions operate as separate legal entities, and have their own websites on different domains, and their own support arms. 

Now, admittedly, the company I work for is a LEETLE bit at fault here, because there is no obviously documented security contact information available. Company's logic is that these things need to go through the support arm, and that the people who would be contacting us about an issue would be customers, so they would have that information available. It's naive, and silly, but it's how they think.

The problem is that the Firm decided to invent email addresses to send their "responsible disclosures" to. And instead of sending things to the Americas subsidiary, they sent it to the EU subsidiary's domain. Their report claims they attempted to contact us 4 times, but the only contact methods they offer are two email addresses, each at the EU subsidiary's domain name, and neither of which actually exists as a mailbox in that domain. (I had to check with one of my EU counterparts on this.) So, of course, their report says "[COMPANY] has not acknowledged receipt". Because we never got it. They never sent it to us.

The Firm's report states their last "contact" was 2018.8.22. They released this report publicly 2019.9.16. In that time, nobody bothered to ACTUALLY contact any arm of Company and actually inform us. We're also 5 firmware versions past where they found the vulnerability.

And they've made us out to be a company that ignores vulnerability reports. 

Because they couldn't fucking bother to actually do their research. 
