Cleverloop Security System Review – Update

Update: Cleverloop have responded to the criticisms in my review in a brilliant way.

They have:

  1. Rolled out a firmware update to the base station which disables the dynamic DNS feature of the IP cameras. This was my main concern, and with the fix it means that the cameras are not so easily exposed to the outside world.
  2. Fixed the issue with wireless configuration of the indoor camera – yay.

They’re also looking at the default password setting: “In terms of the default camera credentials, from within the app there has always been the option for users to change the username & password through the camera settings page. You’ve made a really good point though that this should be included as a step for people during the set up process. We are making this change and will include it in our next firmware update, which will go to the app stores next week (a few days later for iOS users).”

I’m extremely impressed by Cleverloop’s response to these issues: it gives me huge confidence in their ongoing support for the platform.

Read the original review here.

Responsible Disclosure

Forgive me father, for I have sinned.

Unless you’ve been living under an internet-shaped rock for the last few weeks, you would have seen a handful of security issues disclosed online in New Zealand. Wheedle, ListSellTrade, Geta, and more recently MSD. I joined the gleeful pile-on around the auction sites in particular, which was amplified by the apparent stupidity of trying to compete with Trade Me using a half-assed website.

In retrospect, I should have been more circumspect (put your hands in the air and say yeah).

In case you didn’t know, there are protocols around responsible security disclosure. The OIS has a weighty tome on the matter, but here’s a simplified overview:

  1. Discover a flaw. Do not exploit it.
  2. Notify the owner of the flaw in private, giving them enough detail to find and resolve the flaw.
  3. Give the owner of the flaw enough time to reasonably notify their users and/or resolve the flaw.
  4. After waiting for the time above, disclose the flaw so that users can make themselves safe, and so that others can learn from it.

It’s pretty clear that in the case of the MSD flaw, both Keith Ng and Ira Bailey acted responsibly by notifying the MSD (step 2) and not going public until MSD had undertaken to close the kiosks (step 4). In fact, listening to Ira discuss the disclosure on Radio NZ (mp3 link), I’d like to apologise and withdraw my accusations of douchebaggery (thanks @rmi). But I still have questions about bug bounties; read on.

In the cases of Wheedle et al, exploits were being thrown around on Twitter with abandon (by myself and others), and this was wrong.

In our defense, the sites were all brand new and fundamentally flawed, so the voracious takedown was low-risk. But it was still wrong. I was aware of others notifying the site owners properly (@dylanreeve is a stand-up guy for example, trying harder than I would to get hold of people behind the scenes), so I didn’t bother to do so myself.

About those Bug Bounties

In some cases, companies provide a “bug bounty” for users that discover security flaws. This is for a couple of reasons: firstly because there is value in having these flaws discovered and resolved before they are made public; and secondly it acts as an incentive for “black hat” hackers to move from step one to step two above. Hackers can opt for a quick, legitimate pay-off, rather than exploiting the flaw for possible dubious gain.

In my opinion, it’s totally kosher to ask a private company for a bug bounty. It’s in their interest to close the hole, and most responsible companies should have a public bounty policy, because even the best operational security is not going to keep up with every single exploit.

But a government department? I’m not sure about this one. On the one hand I think it’s our social responsibility to help these guys out as much as we can. Maybe I’m a wet pinko liberal socialist, but we’re all in this shitfight called the Internet together, and I think it’s a bit much to ask for a bug bounty on an issue that affects the most vulnerable in our society.

But then I read about $50k for a 2-week Deloitte review and think that maybe a $2k reward per bug would go a long way to making that review irrelevant.

I dunno. What do you think?