Say the word hacker and a certain image comes to mind: hooded top, hunched over a laptop, lines of green code fluttering around like menacing birds. But that’s mostly a Hollywood myth – and the reality is far more interesting…
Many so-called hackers are ‘white hats’: honest, curious and socially conscious individuals who want to share their knowledge to improve products and online environments for everybody. And they should be heard.
Responsible disclosure
As the lead for privacy and security testing and investigation in the Which? Product Research team, I have disclosed various flaws and vulnerabilities to companies.
Today, I published a story about a significant flaw found in an internet router supplied by the full fibre broadband provider Hyperoptic. The flaw meant the router could be compromised by an attacker who sent a customer a phishing message.
Our findings were based on in-depth testing by respected experts at Context IS. (Disclaimer: some of whom may wear hoodies.)
We disclosed the issue to Hyperoptic in November and, after some back and forth, it committed to address the vulnerabilities.
Hyperoptic has been cooperative ever since and has now fixed the flaw, but it took more than six months before our findings could be published without putting Hyperoptic customers at risk.
Legal threats
Although lengthy, the Hyperoptic disclosure was relatively painless. On other occasions, it has been much more challenging.
Some companies treat the feedback as a constructive act: it helps them fix an issue that could otherwise have been exploited in much more devastating fashion down the line, and it gives them a nice PR story about ‘taking security seriously’.
However, we still see too many occasions where companies take a much more defensive or even aggressive stance when an issue is disclosed. This can mean grumblings and radio silence. Or, at worst, it can manifest in legal threats.
‘Secure by Design’
In March, the UK government came to Which? to launch its new ‘Secure by Design’ project, aimed at creating a code of practice for companies making network-connected products.
Among its various recommendations is this: ‘They [companies] have a vulnerability policy and public point of contact, so security researchers and others can report issues immediately, and they are quickly acted upon.’
Not all security researchers have the power and resources of Which? behind them. They are often working alone, trying to help companies, and indeed the industry as a whole, improve standards of practice.
Of course, a company should be allowed to verify and qualify what has been discovered about its own products, services and systems. But as long as the discloser is acting responsibly, it’s important that they are heard, rather than fobbed off, delayed or even threatened.
After all, not all hackers are bad…
Have you changed your internet router password to be more secure? Do you think internet service providers are doing enough to protect their customers?