Patent Application for Aurora Vulnerability Fix

How would you feel if Core Security, KF, Eyal, Neutralbit … or Digital Bond … found a vulnerability in an important critical infrastructure component; created a sensational video demonstration of the impact / consequences that was picked up by CNN and the rest of the media; and then patented and licensed what we claimed to be THE solution to the vulnerability?

A patent application for an Aurora vulnerability mitigation was published last week, originally filed on March 20, 2007. It was submitted by INL/Battelle Energy Alliance. It is reasonable to assume this was the technology licensed to Coopers and referenced in a few articles and significant scuttlebutt that claimed others were not adopting the ‘fix’.

This is not meant as a slam of the patent holders. Rather it is hopefully a realpolitik wake up call to the community that everyone involved in the vulnerability disclosure issue: researchers, vendors, asset owners, universities, national labs, congress, executive branch agencies, magazines/media and yes, even consultants address vulnerability disclosure at least partially through self interest. No one is pure.

Let’s wake up and realize that vulnerability disclosure is always going to be contentious and can’t be contained. Let’s place the emphasis on improving security engineering to reduce the number of vulns and the response to quickly and professionally address identified vulns. At least in this case a solution for the vuln, albeit hugely hyped and albeit for pay, was provided.

3 comments to Patent Application for Aurora Vulnerability Fix

  • It’s been a while since we resurrected this friendly argument, and I think it’s time to raise it again for all your readers.

    Concerning your statement “vulnerability disclosure…can’t be contained.” To that I’ll add one word: “indefinitely.”

    We need to recognize two facts on the ground:

    First, no matter how much everyone says that we should be able to patch the embedded systems in the field, almost nobody can presently do this in a timely fashion and without going through extensive validation.

    You can argue that it shouldn’t be that way, and I’ll even agree with you. Even though many are working on new designs which can be more secure, they’re still no easier to patch. The fact on the ground is that there are presently no answers that can make these devices easier to update.

    Second, we all need to realize that nobody can keep secrets indefinitely while benefiting from the information. I think, however, that we can keep the information mostly contained while the most critical parts of the process of embedded system patching and upgrading can take place. The fact on the ground is that while one might not be able to keep secrets from the whole world indefinitely, it may still be possible to keep those secrets contained long enough to stay ahead of a problem.

    You presented the issue of vulnerability disclosure as if only one answer can ever be appropriate. I don’t think the issue is that simple, and I disagree that one should automatically publish as soon as a patch is available. I think we have to take a very realistic view of what is at stake before going fully public with such things.

    We really need something like Australia’s TISN here in the US.

  • Hi Jake,

    I probably needed to use more words because you completely mistook my argument and conclusion with your statement “You presented the issue of vulnerability disclosure as if only one answer can ever be appropriate.”.

    My point is each party involved in the decision will act in their self interest, so trying to create some fair set of rules is doomed to failure.

    The Aurora vuln identification, video, patent and license for $$$ is just the latest example.

    Another is a vendor choosing not to disclose because it will cost money to develop a patch or result in a loss of reputation.

    Another is a researcher or consultant trying to build their reputation and market their name by finding and disclosing vulns.

    Another is an asset owner that doesn’t want to admit to management the system they bought two years ago has a huge security hole.

    Another is a security product vendor wanting to highlight the need for their product.

    Another is the media who wants to increase readership or site traffic with a hot story.

    And on and on and on

    Even the person who is purportedly taking the most selfless, ethical approach may be doing it to appear selfless and ethical to the community – - unlike those evil people who disclose.

    What the discoverer or discoverers consider “appropriate” will vary in many, if not most, cases based on one’s self interest. There is no one answer is my point, so let’s not waste time trying to agree on one.

  • rl

    I always get mixed feelings when somebody stresses ethics or when market dynamics are measured against ethical standards. To me, this (the patent issue) is just another indication how desperately some players are going after the buck. But then, SCADA security is a tough market. After having seen a trademark claim for “defense in depth” and some other bizarre attempts for creative marketing, we shouldn’t bother too much about the INL approach. The longer I work in this field, the less I see how ethics would be a driving force, regardless where you look.

Leave a Reply