In the AV industry, the concept of hackathons at tradeshows or actually paying a hacker to exploit a networked AV product or system is usually relegated to a fun topic of discussion – but perhaps they should be considered far more seriously.
A zero-day vulnerability is one where the manufacturer, vendor, and end-user are not aware of the security risk until after the system has been in use for a period of time. Often, they are not made aware of the vulnerability until it is exploited by hackers, which is called a zero-day exploit. Zero-day vulns are often considered a software topic, but AV/IoT devices, firmware, and control systems are also at risk.
The zero-day vulnerability timeline goes like this:
- Vulnerability is discovered by a black-hat hacker. (More on that term later.)
- Vulnerability is exploited, attack is launched, system is hacked, data integrity is breached.
- Vendor is made aware of the vulnerability. This day is considered “Day Zero.”
- Vendor works on a solution to the vulnerability; this takes some time.
- Vendor releases a security update and hopes end-users implement it.
Sometimes the vuln is discovered by a “white-hat” or “grey-hat” researcher, but it is hard to say if these ethical hackers were the first to discover the problem, or if the bad guys have already exploited the vulnerability, and just have not been found out yet.
There are anomaly-based intrusion detection systems that are able to detect some unknown, zero-day exploits, but finding vulnerabilities in IoT and audiovisual devices often takes some smart humans kicking the tires, and picking the locks, so to speak.
What do hackers do when they discover a zero-day vulnerability?
There are three typical tracks:
- Full Disclosure – release the details of the vulnerability to the public and the vendor simultaneously. This forces the vendor to react quickly, but it also alerts the bad guys to the vulnerability.
- Responsible Disclosure – contact the vendor directly about the vulnerability, and give them time to release a patch to their end-users before fully disclosing the vulnerability to the public.
- Black Markets and Grey Markets – hackers and researchers sometimes sell their findings to vulnerability exploit brokers, who can then re-sell them to the vendors, nation-states, or competitors. Oftentimes, the hacker does not know who the vulnerability buyer is, or of their intentions. Many are only incentivized by the money and the challenge of finding the bugs.
Let’s Grow Up When It Comes to Cybersecurity
In this writer’s opinion, the AV industry should follow the example set by their big IT brothers and sisters; even if an AV company can’t pay out such large sums of money, there should be some sort of cash incentives for finding security vulnerabilities in AV systems. This could happen on three levels:
- At the manufacturer level – offer bug bounties for white-hat hackers who report vulnerabilities.
- At the integration level – set up knowledge bases of custom code and configurations, and reward other programmers, engineers, and technicians who can find any vulnerabilities in the systems.
- At the user level – reward any employee who raises a security concern about a device or process.
There have been some recent online discussions about setting up “hack-a-thons” at AV-industry trade shows. I think this is a fantastic idea to encourage AV security, reward hackers, and spread awareness.