With Lock Research, Another Battle Brews in the War Over Security Holes

In the latest sign that the war between security researchers and the companies they investigate is heating back up, researchers who uncovered vulnerabilities in a brand of high-security electronic locks marketed to airports, police departments and critical infrastructure facilities have been threatened with two aggressive legal letters from the maker of the locks. The letters arrived after the researchers attempted repeatedly to notify the company about problems with its product.

Security researcher Mike Davis, along with colleagues at IOActive, found a number of security issues with electronic locks made by the Oregon-based firm CyberLock. But after several failed attempts over the last month to disclose the findings to CyberLock and its parent company Videx, they received a letter from CyberLock's outside law firm, Jones Day, on April 29, a day before they planned to publicly publish their findings.

The letter, and a subsequent one sent from the law firm on May 4, contained aggressive language suggesting that IOActive may have broken the law in reverse-engineering CyberLock's system to uncover the vulnerabilities. The initial letter, from attorney Jeff Rabkin at Jones Day, invoked the Digital Millennium Copyright Act in asking Davis and IOActive to "refrain" from publicly reporting their findings until CyberLock could "identify these supposed security vulnerabilities, and, if appropriate, take any necessary remedial steps."

Davis published a partial copy of the letter to his Google Plus account on Monday with CyberLock's name redacted.

The DMCA, passed in 1998, has a provision that makes it illegal to circumvent digital rights technology designed to protect copyrighted work. Although Rabkin didn't accuse IOActive of breaking the law, he wrote that CyberLock wanted to "ensure" that no laws had been broken.

The letters have sparked outrage among some in the security community, which has long been at odds with companies that threaten legal action, often using the DMCA, to prevent researchers from publicly disclosing vulnerabilities. The letters come just weeks after another researcher was detained and interrogated by the FBI after publishing a Tweet related to security vulnerabilities in airplane WiFi networks. Together, the two incidents have reignited a decades-old battle between researchers and vendors that many thought had begun to fade in recent years after Microsoft and other companies launched bug bounty programs to reward researchers who find and disclose vulnerabilities to them.

But others in the community have accused IOActive of not being straight with CyberLock or giving the company enough time to respond to the vulnerability claims before going public.

CyberLock's High Security Claims

CyberLock's wireless electromechanical lock cylinders use a programmable key called a CyberKey that purportedly offers more security than standard locks. The systems are used in metro stations in Amsterdam and Cleveland, in water treatment facilities in Seattle and Atlanta, Georgia, and at the Temple Terrace Police Department in Florida, among other places. The company's marketing literature also promotes use of the locks in data centers and airports.

According to CyberLock, its smart keys "cannot be duplicated or copied, and can be deactivated if lost or stolen, reducing the risk of unauthorized entry." The locks also keep a log file that records each time a digital key opens or attempts to open the lock, "providing critical information when investigating a security breach," according to the company's web site. For added security, CyberLock users can disable lost or stolen keys and customize access privileges for each key to restrict when someone can use it to unlock a door, based on specific dates or times of day.

But according to an IOActive advisory (.pdf) the researchers published on Tuesday, someone can obtain the so-called "site key"—the key specific to a particular location or facility—to clone CyberKeys. These keys are stored in cleartext in the lock cylinder and are also transmitted from the key to the lock during authentication, so an attacker can obtain a site key either by extracting the firmware from a chip in the lock cylinder or by sniffing communication between a key and lock.

Although the communication is encoded, Davis and his colleagues were able to decipher the encoding scheme to determine the keys.

"Once I have that location key I can generate any key I want," Davis told WIRED. He could theoretically use the data to clone a key not just for a particular lock, but for every CyberLock installed at a particular facility or location.

He could also modify a cloned key to alter the access restrictions, undermining the customized privilege control that is one of CyberLock's selling points. And, Davis said, he could corrupt a lock's audit log with bogus access entries by simply using various cloned keys assigned to different users to open a lock. Although such an attack would require physical access to locks that are presumably under the view of surveillance cameras, the latter would only help investigators recreate what occurred during a breach, not prevent it.

CyberLock's Vulnerabilities Aren't New

Davis and his colleagues first began to look at the CyberLock cylinders and keys after stumbling on information about them late last year. Davis said the research wasn't meant to be serious but simply done as a fun side project.

"I just thought it would make an interesting blog post," he told WIRED.

He found a CyberKey for sale on eBay and purchased it last October. Then he and colleagues purchased four cylinders and two more keys from an official CyberLock reseller. They began to examine the systems in January, after reviewing work conducted by other researchers who had previously examined CyberLock systems and found vulnerabilities in them.

"Someone else had done some electronic analysis of [CyberLocks] and had dumped the EEPROM and had written up some of the details," Davis told WIRED. "It was already known that the CyberLock had electronic vulnerabilities, we just expanded on them."

Their novel contribution was to crack the encryption scheme the smart keys use to transmit the site key when they authenticate themselves to the lock.

The IOActive researchers had first extracted the firmware stored in a chip on the lock cylinders and discovered that the site keys are stored in the firmware in cleartext. But they soon realized that an attacker wouldn't need to extract the firmware to obtain the keys, because the encryption scheme used to encode the site keys during transmission from the key to the lock was weak.

Although the ability to sniff the site key data during this authentication sequence was already known to other researchers, the encryption had thwarted previous analysts.

"Before you couldn't sniff the communication between the key and the lock because that encryption was proprietary, but we extracted the firmware and figured out the encryption algorithm," he said.

With the algorithm cracked, an attacker could now decipher the site key as it got transmitted to the lock and not have to disassemble a lock and extract the key stored in its chip.
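The weakness this section describes is a design one: whatever the encoding, a key that transmits a recoverable copy of the site key hands it to anyone who can observe the exchange and learn the encoding. The toy model below is an added illustration (not code from the article, IOActive or CyberLock) contrasting that design with challenge-response, where the key proves knowledge of the site key with an HMAC over a fresh nonce and the captured traffic neither reveals the key nor replays. The site key, the XOR pad and the `key_id` field are constructed placeholders, not CyberLock's real scheme.

```python
"""Toy model added as an illustration; not code from the article, IOActive
or CyberLock. Contrasts a key that sends a recoverable encoding of the
site key with challenge-response. All values are constructed placeholders."""
import hashlib
import hmac
import os

SITE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
ENCODING_PAD = bytes.fromhex("5a" * 16)  # constructed stand-in pad


def obfuscate(data: bytes, pad: bytes = ENCODING_PAD) -> bytes:
    """Stand-in for a proprietary reversible encoding (fixed-pad XOR).
    Applying it twice returns the input, so anyone who learns the pad,
    e.g. by reading firmware, inverts it."""
    return bytes(b ^ p for b, p in zip(data, pad))

def weak_key_message() -> bytes:
    """Weak design, key side: transmit the site key itself, encoded."""
    return obfuscate(SITE_KEY)

def weak_lock_accepts(wire: bytes) -> bool:
    """Weak design, lock side: decode and compare to the stored site key."""
    return hmac.compare_digest(obfuscate(wire), SITE_KEY)

def wire_leaks_site_key(wire: bytes) -> bool:
    """Defender's check: does one captured message yield the secret once the
    encoding is known? True means a passive observer can mint keys."""
    return obfuscate(wire) == SITE_KEY

def cr_challenge() -> bytes:
    """Challenge-response, lock side: fresh random nonce per attempt."""
    return os.urandom(16)

def cr_response(nonce: bytes, key_id: bytes, site_key: bytes = SITE_KEY) -> bytes:
    """Key side: prove knowledge of the site key without sending it; the
    key's identity is bound into the MAC so it cannot be edited freely."""
    return hmac.new(site_key, nonce + key_id, hashlib.sha256).digest()

def cr_lock_accepts(nonce: bytes, key_id: bytes, response: bytes) -> bool:
    """Lock side: recompute the expected MAC and compare in constant time."""
    return hmac.compare_digest(cr_response(nonce, key_id), response)

def replay_succeeds(key_id: bytes, captured_response: bytes) -> bool:
    """A sniffed response replayed against a new challenge should fail."""
    return cr_lock_accepts(cr_challenge(), key_id, captured_response)
```

In the weak design a single captured message is enough to reproduce any key at the site; in the challenge-response design the same observer holds only a nonce and a MAC that no later lock will accept.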

CyberLock's Lawyers Get Involved

Davis says he and his colleagues made several attempts to contact CyberLock to disclose the vulnerabilities. The first contact was initiated March 31 in a message sent to a senior security engineer with CyberLock, via his LinkedIn profile. The researchers asked the engineer how to report vulnerabilities to the company but got no response. A second email was sent April 1 to support@cyberlock.com, followed by a third email sent April 9 to an address for CyberLock's sales team. Davis shared the correspondence with WIRED, and in each message the researchers identified their firm—IOActive is well-known in the security community—and indicated they had found serious vulnerabilities they wished to report. On April 11, they sent an email to a woman named Tammy on CyberLock's media relations team, followed by another email sent April 19 to the support email address. IOActive got no response to any of these inquiries until the letter arrived from Jones Day on April 29.

The IOActive researchers asked Jones Day to provide proof that it was representing CyberLock. What followed was a series of exchanges that only made matters worse. In one, Jones Day's Rabkin appeared to question the integrity of one of Davis's IOActive colleagues, referencing a federal investigation against him in 2010 for wire fraud. This made Davis and his colleagues angry.

Finally on May 4 Jones Day sent the second letter. In it, Rabkin wrote that CyberLock "values the security research community's thoughtful and responsible contributions."

Jones Day May 4 Letter - page 1

But Rabkin also accused IOActive of an "aggressive stance," saying the researchers were making the disclosure process "difficult" by specifying that they would only discuss the vulnerabilities with CyberLock's technical staff, instead of with Jones Day, and accused IOActive of being vindictive.

Jones Day May 4 letter - page 2

"[I]t appears IOActive's treatment of [CyberLock] is driven at least in part by the fact that IoActive researcher Mike Davis was offended when I asked whether the company's [redacted] is the same individual who was prosecuted by federal authorities for wire fraud in 2010 as suggested by publicly-available news reports," Rabkin wrote.

One of Davis's colleagues was indicted in 2010 on claims that he falsified invoices during a time he worked for a different company that he cofounded. The charges stemmed in part from a bitter dispute with his former business partner.

Jones Day also accused IOActive of misrepresenting the security of CyberLock's products, claiming that IOActive's methods of subverting the locks were impractical since they required forcible disassembly of the locks using "skilled technicians, sophisticated lab equipment, and other costly resources not generally available to the public" to extract the firmware and reverse engineer it.

But Davis notes that other researchers have examined the CyberLock systems before and found vulnerabilities with them, and that none of the methods they used are different from ones that thousands of other hackers around the world are capable of using.

Neither Rabkin, Jones Day nor CyberLock responded to requests from WIRED for comment.

One thing is clear from the incident—the battle between researchers and vendors is not over.