Security firm IOActive has received a copyright takedown notice attempting to prevent it from publishing details about security flaws in an industrial electronic lock.
Security researchers are no strangers to legal threats attempting to suppress vulnerability disclosures and the latest example comes from US electronic lock maker CyberLock.
CyberLock didn’t want IOActive to reveal a handful of flaws in CyberLock’s CyberKey access control systems that would undermine its claims and has leaned on the Digital Millennium Copyright Act (DMCA) to block the report. CyberLock’s legal threat was made public by IOActive’s principal research scientist Mike Davis, the author of the report.
The legal notice, written by the company’s law firm, insinuates that IOActive may have breached the “anticircumvention provision” of the DMCA while reverse engineering and pulling apart CyberLock’s products and its extracting its firmware.
“Presumably, IOActive is also aligned with the ensuring responsible disclosure and compliance with the laws,” the letter reads.
IOActive had tried to contact CyberLock numerous times prior to it receiving the DMCA notice, according to Davis, which is in line with the company’s disclosure policy. He initially withheld the name of the company behind the legal threat but later clarified it was CyberLock.
“i tried to get a hold of the vendor they didn't respond.. the lawyer was a giant douche and they wont actually let us talk to anyone regarding the issues.. even now... just legal threats and intimidation,” Davis said in a Google-plus post.
The security vendor doesn’t appear to have taken the threat too seriously, publishing the report on April 29, a day after receiving the legal threat.
An IOActive spokesman confirmed to CSO Australia that the report was the one that drew CyberLock’s legal threat and it’s drafting a public response to it. We’ll update the story when we receive it.
The report details seven flaws that undermine CyberKey’s claim that the software-based key is “‘unclonable’ and suitable for use in money handling and critical infrastructure systems as a secure and auditable solution.”
Davis was able to extract the firmware of CyberKe yand discovered that, contrary to the firm’s marketing, a key can fairly easily be cloned, while soft keys were also stored in cleartext in CyberKey’s electronic version of a standard lock’s cylinder.
CyberLock lists a number of critical infrastructure and other clients on its website, including pubic transport authorities, schools, postal service providers, and an electricity transmission company.
The lock maker’s handling off the report has drawn sharp criticism from security researchers and others well-versed in the legal challenges security researchers face.
“Having a lawyer respond to security researchers is like asking your neighbor to turn down the music w/ a gun in your hand. It won't end well,” said ACLU technologist, Christopher Soghoian.
This article is brought to you by Enex TestLab, content directors for CSO Australia.