Thursday, October 27, 2016

Playing with fire and bug disclosure

A teen in Arizona has been arrested for hacking iOS devices to dial 911 repeatedly.  In one case, a 911 call center was reportedly so overwhelmed with calls that it "almost shut down."  The original press release is here.

But is this arrest warranted?  The teen wanted to display his elite hacking skills on iOS and claims to have accidentally pushed "the wrong link" to Twitter, where more than 1800 people clicked on it, congesting 911 centers.  The hacker known as "Meet" said that he intended to deploy a "lesser annoying bug that only caused pop ups, dialing to make people's devices freeze up and reboot."

I think this admission is where Meet is in trouble.  He admits he intended to commit a crime by causing denial of service to devices he does not own.  If his statements are taken at face value, he did not mean to disable the 911 system.  But the fact is that he disabled the 911 system in the commission of another crime, the attempted DoS.

The denial of service is obviously concerning, but it raises several important questions, such as:
  • If Apple's bug bounty were open and available to all researchers, would Meet have tried to market his exploit there instead of this "prank" gone bad?
  • Should Meet be punished for the damage caused or the intent?
  • In a case like this where a cyber attack has a potential impact on life safety, do special circumstances apply to sentencing since lives may have been endangered?
  • If legal frameworks don't exist to do this today, should they?
I'm intentionally ignoring the potential for cell phones to take down 911 call centers here.  Plenty of news outlets are already doing a good job of sensationalizing that aspect.  They don't need my help.  I'm much more interested in the difference between the suspect's impact and intent.  We talk about that in the SANS cyber threat intelligence (CTI) class.  As CTI analysts we have to focus on the adversary intent since that tells us much more than the impact observed, especially when those things don't cleanly match.

What about Meet's friend?
According to the press release, Meet was notified of the bug by his friend.  Does this make his friend an accomplice?  It may depend on his friend's intent in sharing the bug with him.  I think the fact that the Apple bug bounty is a closed ecosystem is significant here.  It seems especially likely that the friend could reasonably expect Meet to cause some sort of mischief with the bug, since it couldn't have been reported to Apple under the bug bounty.

Thought Exercise
Suppose you plan to rob a convenience store, and I agree to be your getaway driver.  If, during the robbery, you kill the clerk, I can be charged with murder.  This is true even if:
  • I never fired a shot
  • I never held the gun
  • I didn't know you brought a gun to the robbery at all
Applying this same standard to the cyber domain, a question of liability looms large.  What liability and culpability does Meet's friend have in this case?  Smarter people than me will definitely answer, but it's a question we should be thinking about now, before we have an issue.  I share threat and vulnerability data all the time.  What happens if someone does something malicious with my vulnerability data?  Do I share in the liability?
