Anyway, thank you so much for coming. This is a good friend and a great person to be giving a talk here today, especially with all the live bug hunting we're doing; there are GE devices and Bird devices and Google devices over there, and all those manufacturers are letting people do live bug hunting activities. So with no more delay, Amit Elazari will be giving a talk on issues that affect those types of activities and researchers like yourselves, or those who are curious. Thank you so much.

Thank you, everybody. Is it already good afternoon? Good afternoon. Hope you're enjoying Hacker Summer Camp. I'm certainly enjoying it; I'm having a lot of fun here with my sister and my colleagues from Intel. Again, a free upgrade to all of you there in the back: if you would like to join us up here, please grab a seat. We are about to begin. This is going to be a train ride into the regulatory landscape, so we're going to cover a lot of material, but I will try to take it slow, which is something I don't often do, but I'll definitely try for you all. Let me know if you have questions; feel free to reach out. So how many of you here in the room have been to any of my other talks, seen my work, seen my research? You're my sister, so yeah, we have a bunch of hands here. As those of you who know me know, because I'm Israeli (that's the accent), I want to start with a direct question: do you know this guy?
Okay, we have a few hands here. Well, this is Kevin Finisterre. Kevin is a friend; he is a security researcher that has certain expertise in the area of IoT. He hacks drones, among others, and he discovered the vulnerability that, according to reports, affected one of DJI's products and, again according to the media reports, exposed some of their users' information. When Kevin here wanted to report this vulnerability, at the time DJI had just, again according to the reports, launched a bug bounty, and that's the way they launched their bug bounty: with this kind of media report. At the time it wasn't a full-blown bug bounty brief, like a contract with all the terms and all the scope; it was a little bit more vague and limited. So Kevin contacted DJI. Though he has lots of hair, he wanted to do the right thing, he wanted to wear the white hat, and he asked them: is this in scope? Again according to the reports, they indeed authorized that the vulnerability he found was in scope. Not only that, they offered him a nice bug bounty: thirty thousand dollars. Any bug hunters here in the room? I think I know a few. That's a pretty high bounty, that's a nice bounty, right? And then the plot thickens. Again according to the reports, what we learned is that because of some disagreements, and how Kevin personally felt about certain letters that were exchanged in negotiations over the disclosure of the bounty, he decided to basically walk away from the process. In that letter, according to the reports, the Computer Fraud and Abuse Act was mentioned. The Computer Fraud and Abuse Act: who knows this term, this law? I see a few hands. So for those of you who are not familiar, that's the federal anti-hacking law in the United States. Okay, so that's one of the main laws in the United States that also has international jurisdiction in certain circumstances, that applies to unauthorized access to
protected computers. Okay, just one of these laws. So Kevin decided to not continue in the disclosure process and to walk away from an approved thirty thousand dollar bounty. And at the time, again according to the reports, he actually ordered a Tesla to celebrate this thirty thousand dollar bug, and he had to cancel his order, and that's how the plot ended there. At the time (and again, this is a lot of the prior work that I did at UC Berkeley; I will tell you a few words about myself in a moment) I felt this is a really interesting story, because it fleshes out not just the importance of the collaboration between the research ecosystem and corporations and the entire ecosystem, but also the importance of how the law plays into that collaboration, and how we should continue and work and build bridges between corporations and researchers, and continue and refine and evolve the legal landscape that governs the area of bug bounties and vulnerability disclosure programs. That's where a lot of my prior work focused before I joined Intel, and I don't know if those of you in the room are familiar with that. So I'm going to be walking basically with you through these various topics, but I'm also going to talk today, beyond anti-hacking laws, on how that landscape of bug bounties and VDPs, vulnerability disclosure programs, relates to IoT and the broader evolving landscape of IoT security. So my name is Dr.
Amit Elazari Bar On. I recently graduated with my doctoral degree from UC Berkeley. Thank you so much. I actually graduated five months early to join Intel, because I'm very passionate about what we do there, and I also still teach at UC Berkeley in the Master in Cybersecurity program. At Intel, all of what I do is work very closely with our security organization as part of the corporate government affairs group that works with governments around the world to inform policymakers about some of the challenges in the area of doing security policy right: what do the experts in technology say, and basically how can we work together to address those challenges. But as a true lawyer, and since I do have my doctoral degree in the law, there is a little bit of fine print, so of course I have my disclaimer. Although I am trained as an attorney, I am not practicing law in the United States and I'm not your lawyer, so this is not legal advice. You should seek your own legal advice; if you're looking for some, EFF is a great resource to consider. And again, what I'm going to be talking about today with you is my own personal opinions, so take that into account as well.

With that, let me go a little bit into the details. Why is this story about Kevin so important? We know that with the evolving attack landscape, the ecosystem collaboration with the researchers is going to be more and more important, and we also know that security researchers care and they think about the issue of potential legal liability. So here are some data points for you. I don't know if you've seen this research and these surveys being done, but they're really important. We know, for example, from a survey done by CDT, the Center for Democracy and Technology, that half of the researchers that were interviewed in that report actually shared that fear of legal risks, specifically mentioning the DMCA, the other federal anti-hacking law in the United States,
and the CFAA, has caused them to consider how they do research, even to change their research. We also know, in another research study that was conducted with more than 400 researchers (that's a big sample), that 60 percent of them, six-zero, reported that a fear of legal risk is something they consider when they have already done the research: they hold the report and they think about whether to disclose it to a vendor or not. So this serves to really emphasize the need to build those bridges and also to think about what we do with respect to the legal landscape: how can we address those concerns of the research community? Another interesting research study that was done by academics actually showed that 22 percent mentioned that at a certain time they were actually potentially threatened with legal action. I think the broader issue is not just the culture itself, because I know Intel and many other corporations around the world, and especially in Silicon Valley, want to work with the ecosystem and actually incentivize and distribute bug bounties and grants to work with the security ecosystem, but there is also a culture issue: there is a culture of legal risk that is embedded within the hacking community, which is a very important reason why we need to talk about these things. We also know that 92 percent of researchers said that they would actually work with a vendor to responsibly disclose the vulnerability, and this is a key issue. Coordinated vulnerability disclosure is one of the most important things we need to talk about as we look at IoT security and the evolving technological landscape in embedded, and 92 percent of the participants of the survey say they would work with the vendor, and where they consider not to, it's mostly because of frustrations around communications, which suggests we need to continue and work on these issues. And how
does this play out into the regulatory landscape? So, believe it or not, VDP, the notion of having a vulnerability disclosure program, the notion of being able to put that channel of communication in place to enable researchers to provide you with reports and work with them, is a key issue that regulators are thinking about. All these different regulators, for example, recommend having that practice, having that channel of communication, so when you here in the room with us are performing research, when you are finding things, you will have a security@ email, you will have a detailed VDP that actually describes what you should expect when you try to work with a vendor to disclose. All those different regulators, including the FTC, are actually taking this issue into account and have provided guidance; most notably, and we will talk about it in detail, the Department of Justice, the absolute experts on the CFAA, the anti-hacking legal landscape, have actually provided a very detailed framework on how we should think about coordinated vulnerability disclosure. So I'm going to talk a little bit about that next, but what I want to highlight here is that even the FTC, for example, in two cases, together with many other circumstances (so this is not just one issue), when they consider what is a reasonable security practice, which is a key term (have you heard this term, reasonable security practice? This is a key term in the regulatory landscape of IoT, but more broadly in the federal security regulation landscape in the United States and even abroad), when the FTC looks into what to pursue and what are reasonable security practices, in at least two cases, among other things, they've actually mentioned this issue: that you need to have a process to receive and address security vulnerability reports from security researchers and academics. So I find that really remarkable,
because it shows, when you look at the evolving landscape, how VDP will become more and more regulated. I'm going to give you a little bit more data points on how that specifically relates to IoT security, and here it is. In the UK, this is one very interesting evolving landscape I recommend you all follow: they have actually put forward what they call a consultation. That's what they do when they think about the future law on IoT security, focusing on consumer and household IoT, and this is something that they've developed from their code of practice. Anyone here heard about the UK government code of practice for IoT security? Check it out. It's a document outlining like 13 key capabilities they think you should consider with respect to IoT security, and they've taken three of them. One of them is this notion that you should have a public point of contact for researchers; you should have that vulnerability disclosure program, the channel of communication, and they're looking into how to basically specifically regulate that. So we are seeing the IoT security regulatory landscape not just evolving but becoming more and more embedded with this notion of VDP, and I think what this goes to say is that we recognize we will need an ecosystem. With an evolving landscape we need the help of everybody involved: not just the innovation and the technologies that we also do at Intel, but also the researchers, and that's why we need to also work on this idea of vulnerability disclosure programs and how the law interacts with that.

So I mentioned already the CFAA, I mentioned the DMCA, and I threw some terms at you, but I want to go a little bit into the details. So the Computer Fraud and Abuse Act, the CFAA, really the key main federal anti-hacking law here in the United States, really embodies this notion of unauthorized access. Have you heard about this term? It's a key
term, and there is a circuit split in how this specific term should be interpreted in different circumstances here in the United States. There is a little bit of vagueness around that, and a lot of people discuss this vagueness, but this notion of unauthorized access is actually also embedded to some extent in the DMCA. The DMCA is another key federal anti-hacking law that you should be familiar with, especially if you're doing security research in IoT and embedded. This is basically an amendment to the copyright law that focuses on circumvention of protection measures that are geared to protect the code as a copyright-protected work, and this anti-circumvention law also has some prohibitions on unauthorized circumvention. Most notably, the DMCA is known for having a specific security research exemption. So today, and I think this is amazing work done by many people that care about the community, already in 2015 and recently renewed, there is a DMCA exemption for security research. Now, when this exemption started, it really focused on good-faith security research, and there was a device limitation in that specific law: it was focused on voting machines and automobiles. I'm glad to report that the Copyright Office has actually considered expanding it, and the DOJ, the Department of Justice, actually also gave comments to the Copyright Office and actually supported not only the renewal of this exemption, that it allows for good-faith security research, but actually the expansion of this exemption. So I think this is a really interesting thing to take a look at, and without going too much into the details, it's certainly something you want to explore and be knowledgeable about, because there are certain requirements with respect to how the security research needs to be done. Most notably, in the 2018 revision they removed the need to do the research in a controlled environment, and one of the key points, if you look at the Copyright Office report, is that the
security research ecosystem came to the Copyright Office and said to them: listen, research is not just being done in controlled labs and clean rooms; research is being done right here, and this research could be beneficial for society. So actually they have removed this controlled environment requirement. They still have other very important considerations taken into account, for example, by the way, that the research should avoid harm to individuals or the public, which is a key issue, and I encourage you to take a look at how this plays out into bug bounty and vulnerability disclosure programs.

So that's a key issue; that was really the focus of my prior work at Berkeley. Before I joined Intel I did a lot of research into the contracts of bug bounties and vulnerability disclosure programs. Why? Because as I told you, anti-hacking laws really focus on this idea of authorization. How many of you are pen testers or consultants? Right, usually you would have a contract, a contract that authorizes your ability to test the products, with many other different provisions with respect to under which circumstances and what are the terms and the like. This notion of authorization is also a key issue when we think about vulnerability disclosure programs and, more importantly, bug bounties. So the way those contracts play out into this landscape, as you will see, is that we kind of want to make sure that that notion of authorization is not undermined by the contract of the bug bounty or the VDP, and I will get to that.

So I mentioned that the Department of Justice, the main experts on the CFAA, actually have a framework for vulnerability disclosure programs. Now, if there is something you walk out from this room with today with respect to this part of the presentation, I really want to encourage you to take a look at this document, and believe me, by the way, it's only seven pages and it's very readable. So the
Department of Justice, the good people, and this is led by Leonard Bailey. He often comes to Hacker Summer Camp; I just met him yesterday. He gives talks at BSides; reach out to him. He is a really remarkable lawyer but also a great supporter of the security ecosystem. They have put forward this framework that basically fleshes out the fact that, if you think about the Computer Fraud and Abuse Act and the anti-hacking legal landscape, yes, there are interactions with the CFAA, but generally this type of idea, that we need to work together and there needs to be a channel of communication, should be supported. It's a good practice, and they want to encourage corporations to do it, and that's why they put together this framework that outlines a few key considerations that you need to think about when you do a framework. I'm going to walk you through a bunch of them, and now if you're in a corporation and you're considering a VDP, or if you're a researcher, take a look at those issues and look for them as you consider reporting things. First of all, they really describe the fact that you need to have clear, plain, easily understood terms. This idea of making sure that you're clearly communicating is key, because we have researchers from all over the world, and it's already a very complex ecosystem, so you want to make it as clear as possible. They also talk about establishing boundaries: more and more it's important, as things evolve, to be very clear where the lines are, what the expectations are. They also discuss the fact that you should be taking it slow, making sure that you have the process at the backbone to support the VDP. And interestingly enough, they talk about the need to create a safe harbor, to think about what is the language, the specific language you're going to put in the VDP to make sure that you address the legal concerns. Now, we talked about the fact that hackers think about it, we talked about the fact that
researchers consider the legal risk, so you need to think about whether you're going to put in that language, for example, provisions where you're saying we will not pursue legal action if you follow the terms. This is something that comes from the Department of Justice of the United States, so I really encourage everybody to take a look at that document, especially if you're considering drafting a VDP and taking into account those issues. I want to move along; I would just add that this issue of how we should think about the legal landscape of VDP is not only considered in the United States. This is a report by the CEPS task force in Europe, and they also fleshed out that this issue of the legal liability of security researchers should be clarified. It's a different landscape in Europe, but what we see here is that this is an international issue that many different policy experts have fleshed out around the world.

Okay, and how does this play out into my own work? Well, again, before I joined Intel I did a lot of work basically creating templates and standardizing this landscape, creating one contract that companies can adopt that explicitly addresses these issues, and I encourage you to take a look. Maybe you heard about it; it's called Legal Bug Bounty. I think more and more organizations are looking at how we can develop the contractual landscape to support VDP. This is interesting work done by Dropbox: they open sourced something that is focused not just on the contractual interaction between the researcher and the company, but between the vendor and the company in the context of VDP and bug bounties, among others. So this is already on GitHub; this is open, and it's from my good friends at Dropbox; you can take a look. And one more data point for you here: disclose.io. I don't know if you heard about it; Chloe, my friend, is presenting it as well here at DEF CON. Basically, while and when I was doing
this research I identified this gap: the fact that we don't have one open source license, an equivalent of that, one contract in this landscape. There is fragmentation, and we need to harmonize that landscape. So I worked with Bugcrowd on this project called disclose.io, and the idea is again to create an open source resource so companies, organizations, and even researchers, when they are looking into how VDPs and bug bounties should look, can take that into account. You should always seek your legal advice, because these are complicated landscapes, so this is just a data point, but doing a VDP, doing a bug bounty, that's something that we have international standards to guide you on, and I think it's important to do it right.

And finally, one area in which this connects with IoT is this specific issue. As I was working on this research, I looked at Tesla's bug bounty, and one of the things I noticed is they didn't have a safe harbor, and I flagged it on Twitter. This is before I joined Intel. It was a real joy: I worked for a couple of months with the team at Tesla, and they in fact changed their contracts; they added a safe harbor. Not only that, because they're so great, the guys there even expanded it and added something that is really a novelty, especially in the IoT, car, embedded area. They added a provision saying that if you follow the terms of the bug bounty (not only if you follow the language, yes, it's important to read the terms), if you follow those terms, not only will they not pursue legal action and the research is authorized, but if for some reason your Tesla gets broken, right, because of security research (I assume that could happen), if you are an authorized researcher and you are participating in the bug bounty, they will fix that Tesla for free. You can take it to the shop; they will fix it for free. So they waive the warranty limitations for participating in bug
bounties, and I think this is one of the key issues we're going to see in embedded, in IoT, in hardware, where we need more and more collaboration, and there are actual devices and there are complexities. So I think this is a really interesting development, and good for Tesla. I'm also proud to say, and this is one of the main reasons I joined Intel, that we also have a bug bounty, and we invite you all here to participate and hack our hardware. We really focus on our collaboration with the security research ecosystem; in fact, we have many of our hackers here at Hacker Summer Camp, we had trainers that participated in the Black Hat trainings for hardware, and we also had one presentation concerning our own security research, so please take a look at that.

I want to move along and really touch on a few more interesting areas. So I walked kind of briefly around the issues of anti-hacking laws and the VDP landscape, but there are key legal and regulatory developments that we are seeing in the area of IoT. One of the things that we have seen is an influx of regulation with respect to IoT security. Most notably, we already have in California and in Oregon specific laws that are going to come into effect in January 2020 on the issue of IoT security. Have you heard about these laws? Maybe the California law; it's most notably known as a law that addresses no default passwords. But not only that, we also have proposed federal bills in the area of IoT security, which is something really interesting to take a look at and monitor, and we also have a key effort by NIST, our key leader when it comes to security expertise on the federal level, that is focusing on promoting an IoT security baseline: what are the key things you should expect with respect to IoT security devices. They just released a new report last week, and I'm going to give you some highlights from that
report. That is one of the key developments we are seeing, not a regulatory one, because NIST doesn't do regulation per se, but especially in terms of the harmonization and how that key technical expert federal body looks into IoT security, and from there we're going to walk a little bit more into the details, into the UK consultation, if we have time.

But this is really interesting: the California law is going to take effect January 2020 in California, for all devices in California. This potentially will have a big impact, and it's focusing on connected devices, and we will talk a little bit about the definition of connected device. One of the key issues to look at when we think about the evolving IoT security landscape is how devices are being defined, right? We want to define them in a way that comports with innovation, that doesn't undermine innovation, while supporting the important security capabilities, and we're going to talk a little bit about that. Now, this law basically specifically requires reasonable security features for connected devices (we're going to talk about the definitions), and it fleshes out the fact that if that device has a means of authentication, one way to achieve reasonable security is by basically taking out this notion of default password: by requiring a unique pre-programmed password in the device, or a way for the user to choose their own unique password when the device is first being used. A little bit into definitions, because I want to also compare this to the Oregon law, and again this law will come into effect January 2020, so it's really coming very soon. Interestingly enough, the definition of connected device talks about devices that are capable of connecting to the internet, directly or indirectly, and have an assigned IP address or Bluetooth address. As we walk through the definition in the Oregon law, you will notice there are a little bit different provisions there. So the Oregon law
is also already signed and will come into effect also very soon, and interestingly enough it has very similar requirements; it's kind of a mirror law. But that law is focused on household and consumer-focused devices, and in terms of the actual requirements of reasonable security, which is a key term that we have also seen on the federal level from the FTC and in many other places, the approach and the definition is a little bit different, right? It's a device or other physical object (that's the same) that, not "is capable of connecting", because that's a little bit vague, but connects, directly or indirectly, to the internet and is used primarily for personal, family or household purposes, and is assigned an internet protocol address or another address or number that identifies the connected device for the purpose of making short-range wireless connections to another device. So you see that in that realm already the Oregon state took a different approach: not just naming specific IP addresses or Bluetooth addresses, but expanding the definition a little bit. I really encourage you to track this. I think these are really remarkable developments in the area of IoT security, certainly on the state level. We know that there are mirror laws that are being proposed in different states, and I think one of the key issues we need to be mindful about is, again, these are devices, these are whole systems, these are not components, and when we are thinking about regulating this area to foster security, we need to also be mindful about the technical realities. We need a dialogue between the technical experts, the security researchers and the regulators to make sure that we define the terminology in an appropriate way that fosters innovation and is also mindful of the fact that this is a very evolving technological landscape.

Okay, what do we have on the federal landscape? I don't know if you heard about this law;
it's not a law yet, sorry, it's a bill; it's not passed. We have two proposed bills, one on the House side, one on the Senate side, with some differences between them. The bill is called the IoT Cybersecurity Improvement Act, and it's really focusing on driving the security baseline that I talked about, that NIST is developing, through federal procurement. Okay, this is the idea that if the government requires certain requirements, then they want to basically use that federal procurement to push the security requirements across the board, across industry. It's an interesting development; as I mentioned, they want to utilize government procurement, and most notably the law also has a big CVD section. Both proposed bills, sorry, both the House and Senate bills, have a section that talks about coordinated vulnerability disclosure within the government, and they reference as well the international standards, and the bill suggests that as best practices and guidelines are being developed in this area, it's very important to align them with the international standards. I think this is one of the key other messages: we are going to see the CVD landscape develop, and it's very important we continue to look at industry best practices, because industry has been leading the way in that regard and working with the whole ecosystem for decades, but also that we have international standards in this area that are really fleshed out, that are consensus based, both of the ISO standards, great work done by Katie Moussouris and others, and I encourage you to take a look at that. We are seeing those ISO standards being referenced in proposed bills, and I think it's very important that we continue and harmonize the landscape in that regard.

What else? Okay, so I talked a little bit about the NIST effort. I think this is a key, really recent development, and this started, I think, when they first released their first draft; there was a report, but the first draft really
focusing on the IoT security baseline capabilities (that's how they call it) was in February, then there was a workshop in March, and just last week, fresh out of the oven, they released another draft that is much more fleshed out: 38 pages, really interesting, take a look. They're looking into some key baseline capabilities that they think are important when you think about IoT security: device identification, device configuration, data protection, logical access and more. It's a more technical document, but there is a three-page blog that can walk you through it, and I think that is a very remarkable effort. I'm proud to say that we at Intel provided comments to that; I'm going to be going next week to the area of Washington DC, to Maryland, to also participate in that workshop, and that's the kind of effort, the consensus-driven collaborations, that we're going to need in order to address the different challenges within that landscape. It's a really remarkable effort, and you see a lot of industry experts coming together with government, with regulatory bodies, with bodies like NIST, with the technical experts, sitting together and fleshing out what are the different baseline capabilities we need to be taking a look at. One of the most interesting things that they highlight is that this is going to be different for different sectors and different verticals, and I think for IoT, a landscape which is still evolving, we have great connectivity with a lot of great value that is coming to society, but we have different verticals and different sectors. I think this idea of having that contextual applicability in various environments is really important, so take a look at that. By the way, that effort, a version of it, is referenced in the proposed bill on the federal level, so we're already seeing at least one bill looking into this effort as something really interesting to follow. And I
mentioned before this the call of practice of consumer IOT in UK just bring this as one example I know the governments of the world are looking into basically this issue of IOT security and this is just one effort by the UK government really putting together a call of practice for IOT actually they also came here to the hacker summer camp to hear from the security researchers to hear from the community and I had the pleasure of hearing their presentation and engaging to discuss their next step the UK consultation on this issue and they've put in together a call of practice that also talks about 13 key kind of things to think about when you are looking into IOT security this is consumer focused and they've taken this to the next step proposing a consultation for a potential future law again focusing on free key issues the unique password issue that we have also seen in California and Oregon the notion of having that point of contact right we talked about the VDP the notion of the fact that you're going to have a security at or point of contact that researchers can basically know where to reach out to you when they find things and this idea around this issue of security updates right which is also a key issue that we are seeing in many proposed efforts in this area so that's another very interesting things to take a look at and I think when it comes down to there is a real opportunity and that's why one of the things that I'm really passionate about so I talked about the opportunities to foster that ecosystem to foster that collaboration with the security research community that's something that I think you know we all work on very hard and is very important but there is also an opportunity for innovation there is opportunity for technologies that are pushing security in IOT and beyond and there is really the opportunity to focus on this issue of of trust trust that goes all the way into you know the fundamental right the foundations and I think you know just sharing 
with you very honestly that's one of the reasons why I joined Intel because there is an opportunity to affect impact on a very foundational level and as we think about that I think you know we should think about what are the technologies what are the leadership that we can create in that area as so I talked a little bit about the capabilities and you know at Intel part of what we do is we think about security in such an essential specifically in IOT and we have a bunch of capabilities that are looking into you know taking those capabilities this idea into the to the next level into the foundation so things like you know secure device onboarding which is a non default password notion of onboarding devices things like how we can have hardware acceleration for cryptographic protections things like how we can protect keys and platform integrity and just generally trust wariness right so I'm not the technical experts on this issue but I didn't want to give you a little bit of these ideas with most notably this idea that there is an opportunity there is an opportunity for innovation and with that I want to finish it off and leave time for questions.