Security Nation, Ep. 22

Developing Sustainable Vulnerability Management with Katie Moussouris

June 09, 2020

 

Katie Moussouris, CEO and Founder of Luta Security, joins us on this week’s episode of Security Nation to discuss vulnerability disclosure, bug bounties, and building systems that support sustainable security. Stick around for our Rapid Rundown, where Tod talks through the recent bug in the Samsung Quram image processor.

Appears on This Episode

Jen Ellis
Jen Ellis
Vice President, Community and Public Affairs

Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.

Tod Beardsley
Tod Beardsley
Research Director, Rapid7

Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.

Katie Moussouris
Katie Moussouris
Founder and CEO, Luta Security

Katie Moussouris is the founder and CEO of, Luta Security, a company specializing in creating robust vulnerability disclosure and bug bounty programs. Ms. Moussouris has testified as an expert on bug bounties and the labor market for security research for the US Senate, and has also been called upon for European Parliament hearings on dual-use technology. She created Microsoft’s and the Pentagon’s first bug bounty programs. She was later invited by the US State Department to help renegotiate the Wassenaar Arrangement, during which she successfully helped change the export control language to include technical exemptions for vulnerability disclosure and incident response. She is a coauthor of an economic research paper on the labor market for bugs, published as a book chapter by MIT Press in 2017, and presented on the first system dynamics model of the vulnerability economy and exploit market in 2015, as part of her academic work as a visiting scholar at MIT Sloan School. She is also an author and co-editor of standards ISO 29147 Vulnerability disclosure and ISO 30111 Vulnerability handling processes.

Podcast Transcript

Jen Ellis: Hi, and welcome to this week's thrilling episode of Security Nation, the podcast where we talk to cool and interesting people doing cool and interesting things to advance security in, you guessed it, cool and interesting ways, the whole thing. I am your host, I am Rapid7’s VP of Community and Public Affairs, Jen Ellis, and with me is my amazing cohost, Mr. Tod Beardsley. Todsley, how are you doing?

Show more Show less

Tod Beardsley:

Ahoy, ahoy. I'm doing great. I am currently sweltering in my garage, or as we call them in America, the car hole.

Jen Ellis:

Yeah. It never gets old, I love it. So I imagine it's warm in there. I am experiencing a very strange, but very enjoyable, sort of weird, summer, the UK is having summer, what is happening? And I am living in an attic, as we have previously discussed. So it is quite warm where I am.

Tod Beardsley:

By the end of this podcast, we will both be melted down into puddles of sweat, 6,000 miles apart.

Jen Ellis:

It's so nice. So, I guess there's Katie Moussouris, who is the CEO and founder of Luta Security, but is also just super security famous. Katie is a super accomplished speaker, she has edited or written two IFOs, two of them, people, two. I barely read two IFOs—it's a huge undertaking. And she's done all sorts of other amazing things. I'm not going to prattle on about her forever, because that's awkward and she's listening. So instead, I'm going to say, hi, Katie, welcome for joining us.

Katie Moussouris:

Hi!

Jen Ellis:

It's so great to see you, how are you doing?

Katie Moussouris:

I'm doing great. I'm not in hot weather because I live in the Pacific Northwest and it pretty much rains almost all the time.

Jen Ellis:

Maybe global warming can help you too.

Katie Moussouris:

You know, it helped us by having wildfires and smoke from British Columbia coming down.

Jen Ellis:

That's not the kind of help you were looking for.

Katie Moussouris:

Yeah.

Jen Ellis:

Do you think it's awkward if we mentioned that we're engaged to be engaged, should we not bring that up? Do you think that would—

Katie Moussouris:

I think we should bring that up. I think that's something that the public needs to know and prepare themselves.

Jen Ellis:

The inquiring public wants to know why we're engaged to be engaged. Well, first because I have commitment issues, but that's a whole separate topic. So yes, it's because you are going to run for the White House in 2024.

Tod Beardsley:

Right, and obviously you can't do that if you're single. I mean, there's just not--

Katie Moussouris:

Yeah. There's never been a single president, so...

Tod Beardsley:

Not electable.

Katie Moussouris:

So instead we're remedying that with one of my best friends in the universe, and that's you Jen. And America needs a sweary British first lady. I think so.

Tod Beardsley:

Oh wow.

Jen Ellis:

What could be better? Let's get the Brits back in the White House. I feel like this might actually, we might get complaints after this podcast. Never mind. People are suddenly like, "Well, I was alright with the fact that you were sweary and that you're stupid, but now you've gone too far. There'll be no Brits up in the White House." Okay. So, Katie, I have a question for you before we get stuck into talking about Luta, which I really want to hear all about. You have done a lot of stuff. We might have mentioned that a few times. I'm very intrigued by what, of all the things that you've done professionally, you are proudest of?

Katie Moussouris:

Yes. That is a good question. I would have to say, professionally, I'm most proud of bringing a gender discrimination lawsuit against Microsoft, and we were going for class action. It was not class-certified, even though bizarrely all of the data pointed to the fact that pay and promotion equity were not occurring at the company.

Katie Moussouris:

My individual case is still ongoing. We'll see how that works out. But watching my mom, a single mom, a scientist, struggling to pay the bills when she was training men who were less qualified than her, obviously, she was training them, and then they would go on to make twice as much. And the fact that she died before she could really receive the pay and promotions that she deserved and earned in her career. So to me, pay and promotion equity is a core value of mine, and it's something that I wove into company culture at Luta.

Katie Moussouris:

And we've already had an instance where we found we're paying somebody less than what they should have been paid and we corrected it, and we gave them back pay. So for me, this is a super important issue and professionally, it's something that I'm proud of.

Katie Moussouris:

And even though I had to take that fight on alone and now it's kind of going back to me being alone with that fight, it still to me spoke to my values and it's worth it. Even if this particular run at justice wasn't fruitful in the way that we hoped it would be, the ... What is that phrase? The arc of the universe bends towards justice. That's pretty much what I'm going for.

Tod Beardsley:

And it's ongoing, right? You haven't lost or anything yet.

Katie Moussouris:

No, the case will continue until it doesn't.

Jen Ellis:

Well, I think it's super brave to take on a giant corporation like Microsoft. Bravo to you for doing that, and also bravo to you for living your own values and holding yourself accountable at the same standard at Luta.

Tod Beardsley:

Yeah, for sure.

Jen Ellis:

That is awesome. Let's hear about Luta. What was the genesis of it? When did the company start? What are you guys focused on? We want to hear all about it.

Katie Moussouris:

Well, I started Luta Security about four years ago, a little over four years ago. And it was right after launching Hack the Pentagon, which was the first bug bounty program of the U.S. Department of Defense.

Jen Ellis:

It was a very cool program.

Katie Moussouris:

Yeah, and the DoD is still running bug bounty challenges and is still, more importantly, running an ongoing vulnerability disclosure program. Because as we all know, those of us who've been in the vuln disclosure trenches, it's not just about offering cash for certain bugs. It's really about having a strong process to receive and remediate any bugs that are sent to you, especially with security implications. So having a vuln disclosure program and functional vuln disclosure program, that's what those ISO standards that I co-authored and co-edited were all about.

Jen Ellis:

Well, that's great. As I said, I've barely read two, so I wouldn't know.

Tod Beardsley:

Wait. So you're saying that people don't have to just invent their vuln disclosure programs out of whole cloth?

Jen Ellis:

What?

Katie Moussouris:

Right. And that it's not just as simple as throwing up a web form or an email address. You kind of have to have a process set up to deal with it. That would be like throwing a menu up in the front store window of a restaurant where you haven't actually built a kitchen or hired any staff. Right? Seems like a bad idea.

Jen Ellis:

I feel like Tod is sort of gleefully, right now, sort of rubbing his hands together and being like, "Yes..."

Tod Beardsley:

Yeah. I am going into the restaurant business, apparently, because this sounds hilarious. It sounds like a Charlie Chaplin movie, actually. And I assume that's what the backend of many baby vulnerability disclosures look like.

Katie Moussouris:

An image that I use the lot, especially when I conjure up the imagery of what's gone wrong in vuln disclosure, in bug bounties in the last few years, I usually say the term "bug bounty Botox," because nobody who's using bug bounties as a superficial fix that basically says, "No, no, we take your security seriously, look, we pay hackers." Nobody who does that, they're not focusing on their inner beauty. And so I will say, bug bounty Botox, but I'll often accompany it with an image of that animated GIF of Lucy and Ethel and the chocolate factory.

Jen Ellis:

Yeah I love that.

Katie Moussouris:

And there's all this chocolate, delicious chocolate coming down the belt too fast for them to process it. So when the bug banning platforms say, "Oh no, we take care of everything. It's just high-quality bugs coming your way. We will scrub all the spam." I'm like, yep, but who's helping Lucy and Ethel back in that chocolate factory? Cause even if it's delicious chocolate, pure bugs, deliciousness, still have to have someone to deal with it.

Jen Ellis:

Yeah, and I don't want to get to fine line, but I will say, like, I definitely have an issue with the fact that we have started to get to the point where we're conflating vulnerability handling with bug bounty. They are not the same freaking thing. And this message that's being propagated that makes people feel that they are, is so off putting to organizations. And it makes it seem like such a Herculean task to have any kind of intake process, which is really unhelpful to make it scary to them. You want it to be something that they feel they can do, but it is also to your point, it's missing the point because it isn't hard to set up a way of receiving. It's hard to set up a way of handling once you've received. Of triaging, of addressing, of fixing. So I agree with you. Like, I get very ranty about this, obviously.

Tod Beardsley:

It's happening right now.

Jen Ellis:

You have witness this is firsthand. And so it is, it is very harming to me when I hear you speaking about this and kind of helping people course correct on it and understand the reality of it. Thank you for doing that. And, and I want to just really quickly revisit Hack the Pentagon, ‘cause it was a really cool thing. And you were very involved with this. You were basically, sort of in the driving seat for some of it, I don't want to make it sound like the Pentagon wasn't, obviously they were. Do you want to just chat about that very quickly and we'll get back to Luta?

Katie Moussouris:

Sure. So I was still at Microsoft the first time I went to the Pentagon. I was invited by my friend, Michael Sulmeyer, who is amazing. And at the time he was director—right, you knew Mike Sulmeyer.

Jen Ellis:

Our date to prom together.

Katie Moussouris:

Right, our date to tech prom exactly, we like corsaged him and everything. So anyway, really good friend. But Michael Sulmeyer was in the audience for a guest lecture that I was invited to do for a consortium between MIT Sloan school and Harvard Kennedy School. Now why was I talking about bug bounties to this group of people? Well, because there was economic theory, game theory, all kinds of measured and balanced considerations for creating the Microsoft bug bounties. Because looking back, Microsoft started, I started their bug bounties in 2013 and essentially to this day, still Microsoft receives sort of the biggest intake funnel of all vuln disclosure in the world.

Katie Moussouris:

And I will probably, I will still back that up. They receive over 200,000 non-spam email messages into a secure app at Microsoft and that's going strong. That was already happening before they started offering cash. Right. So anyway, you had to take this huge problem, biggest software company in the world, distill it down to well, if we're getting all these books for free, why do we need a bug bounty? Well, it was to focus the eyes of the friendly researchers who were already looking at when and what products you wanted them to focus on the most. So anyway, I was giving this guest lecture at MIT, Sloan, Harvard Kennedy School, Michael Sulmeyer is in the audience. And he says, "Please come give this briefing to the Pentagon." And I was like, "That's amazing!" Because I had only ever been invited to The Doughnut, which is the British Pentagon, but it's a Doughnut. And I was like, "Why has my own government not invited me to their sort of round and angular thing that is the intelligence center?" I was confused.

Jen Ellis:

So yeah, Hack the Pentagon was a very cool program and it's good to see how the turn of events has sort of continue to build on it and invest and grow it. So let's get back to talking about Luta. So, okay. So you were talking about the inception and coming off the back of that program. So what does Luta focus on, what are you doing?

Katie Moussouris:

Well, we focus on helping Lucy and Ethel back there in the chocolate factory. We literally, we will measure the maturity of the operations taking place in the triage handling resolution, decision, resolution creation, resolution testing, resolution release, of vulnerabilities. So we're really, we're in the back of the restaurant. We're making sure that the kitchen has an oven for example, and even more importantly, a sink to wash your hands, and everything. So we go in and we do this maturity assessment and then we give recommendations as to how they can get better and more efficient. Often we actually counsel our customers to avoid doing bug bounties for a while because there are more efficient investments in security that they could be making. I hate seeing bug bounties where they're paying out a lot or even at all for low-hanging-fruit bugs, which we already have plenty of tools and techniques and the know-how to not only prevent those classes of bugs, but detect them before you actually released the code.

Katie Moussouris:

So we've really focused on appropriate investments in vulnerability prevention, vulnerability handling, vulnerability resolution. And yeah, so bug bounty may happen as one of the items that we recommend and we help organizations structure. But for example, the work that we did with the U.K. government was on structuring a repeatable, mature process for all vuln disclosure for the U.K. government. And they've been rolling it out ever since we helped them create that plan. So that's really what Luta security does. And we're proud of the work that we do. We don't actually do any sales and marketing, literally we're like the Liam Neeson of vuln disclosure, it's like a particular set of skills that we've gained over a very long career.

Tod Beardsley:

We'll find your bugs.

Katie Moussouris:

I will. I will make sure you can fix them.

Jen Ellis:

So you've been going for how long now?

Katie Moussouris:

Four years, four years and change. I think it's like four years and one month old.

Jen Ellis:

And how are things going?

Katie Moussouris:

Things are amazing. So we've been growing organically, we have no outside investors. So we're a truly bootstrapped company, kind of a company built the old-fashioned way where you have to actually have profits in order to reinvest into the business and hire more people. So we are hiring right now because we can, and because we have this organic growth and a strong customer base. Basically, we're adding people faster than we can say yes to new contracts, which is a wonderful space to be in. And for us, we're focusing our business model on really sustainable business. So we basically will hire people contract at first. And if it's a mutual good fit, convert them to permanent employees of Luta, or they also have the freedom and labor mobility, which is a central value, labor rights and workers' rights is a central value of mine and of our company.

Katie Moussouris:

They actually have the right to work at the client site full-time after the contract is over, if they want to.

Tod Beardsley:

Oh wow.

Jen Ellis:

That's cool.

Tod Beardsley:

That's shocking and radical.

Katie Moussouris:

Well, it is radical. I mean, I'm a little Wabi-Sabi. But the thing is like we build it into the contracts up front saying, yep, you poach our people for a recruiting and re-staffing fee. And the fact of the matter is they basically get a masterclass in how to do vulnerability coordination appropriately. We've set them up for success. And this is what we're doing. We're doing this at Zoom and we're gearing up to do this anywhere where people really just need hands-on, in-the-trenches help, instruction. And then maybe if they're, for some reason, a better fit than Luta is, which, they're going to have to fight me.

Tod Beardsley:

Seems unlikely, but okay.

Katie Moussouris:

But hey look, if there's a director position or something like that, that they know there's no room for yet at Luta, and they want to take an opportunity someplace else, who am I to stand in the way of a worker getting what they deserve in terms of pay and promotion? So for me, living those values and staffing and hiring that way, it's basically the antidote to gig economy, "You're not an employee," like, "You're nothing to me." All that stuff. I'm literally saying you could be everything to me. It just depends, right? And I think that, I don't know, investing in trusting people to work hard at what they're doing and not be distracted by the fact that they feel like they're trapped in this one mode of employment. Look, we're doing a lot of experiments. We're going against the typical startup norms where they justify underpaying people saying, "Oh, we're just a little startup." It's like, well, then start up harder.

Jen Ellis:

So I heard you mention in passing "the Zoom" and I don't know if you know, but I'm pretty sure that anyone who's ever listened to this podcast or that's been listening since the lockdown, will know, Tod has a bit of an interest in Zoom's security.

Tod Beardsley:

Yeah.

Jen Ellis:

So I'm sure that his ears also pricked up when you said the word Zoom. So can you tell us a little bit about what you're doing with them?

Katie Moussouris:

Yeah, absolutely. So we were called up by the CEO last summer, right after a disclosure incident. My friend Jonathan had a little disclosure disagreement with them, but actually it worked out really well. He and Zoom were very amicable through the whole thing. He was like, "Look, I just wanted to see this bug fixed in 90 days. If you guys can't fix it, going to have to go public with it, because I think the public has a right to know to be able to protect themselves." And all of that behavior is actually quite reasonable in disclosure, as we all know. But I think a lot of organizations and a lot of the media that hasn't really been familiar with our world, they actually don't understand that. Right. So that's when it started. And Eric, the CEO had called us up and said, "Everyone tells me that apparently you're the Liam Neeson of vuln disclosure." No, he didn't say that, but he got a lot of recommendations.

Katie Moussouris:

So we started working with them, probably I think we kicked off like in December or something like that, but we were finishing up a maturity assessment, right, against our maturity model. And we were kind of putting the final touches on the final deliverable when coronavirus hit. And we saw a lot of disclosure stories around Zoom. And so of course we reached out, this is our area, we reached out and said, "Hey folks, we're working on wrapping this up, but do you need any more help?" And they basically said, "Oh yeah, if..."

Jen Ellis:

"God, yes, yes!"

Katie Moussouris:

No, but it's one of the many areas they're focusing on in their 90-day security push. Which I think that move was actually quite a good one for them because it's not often in an organization's history that they pause all feature development that isn't security related.

Jen Ellis:

Right.

Katie Moussouris:

And that's exactly what they've done here.

Jen Ellis:

Yeah, it's a bold move.

Katie Moussouris:

They got so popular overnight. They turned into a different threat model of an organization. Basically they have gathered among all of us third party folks, they've gathered myself, Lea Kissner, who is amazing, she used to be Google's Chief Privacy Officer, to help with privacy concerns at a global scale now that they are a global scale company. And Alex Stamos is also advising them. Matthew Reign, who is looking over their end-to-end encryption, and then a number of different professional penetration testing companies that we are so happy are there to help out its trail of bits: Bishop Fox, NCC Group, and we're just really, really happy to work with them. So basically what we're doing now—

Tod Beardsley:

It's kind of an all-star team that Zoom suddenly picked up. And maybe not even so suddenly, like you say, it's been over the course of nine months or so. Right? But then they had their explosive growth. In the space of a month they went from what like 10 million to like 200 million active dailies or something. Yeah.

Katie Moussouris:

They literally went from that from 10 million to 200 million within a couple of weeks. Like they did not actually have any time to readjust their corporate threat model before it was like, "Oh, it's all here. It's all happening."

Tod Beardsley:

So we're recording this toward the end of May. And I believe that puts them... where are we now on their 90-day cycle?

Jen Ellis:

We are actually recording this over Zoom.

Tod Beardsley:

We are. We are sort of "dog-fooding" this whole thing. And I like Zoom. I use Zoom for anything I can. But anyway, so we're recording the end of May. So I think that puts us in day 40-ish or so of their 90-day?

Katie Moussouris:

Something like that, yeah. I think it ends somewhere in July, something like that. Yep.

Tod Beardsley:

And it seems like I see the updates and I read the release notes and every once in a while, there's something that sneaks in that doesn't feel like security. Maybe it's covering some other security thing. Like what was the one I saw the other day? It was, "Change the sound for the waiting room notification." It smelled security, but it was still funny.

Katie Moussouris:

No. I mean, if you think about it, that's a security issue. It's a security and privacy issue and expectations. Right? So a lot of the changes that I've noticed are around what is the reasonable expectation that you would have of security and privacy? And they've been making updates to actually highlight certain things. They've been making updates that will turn on certain security features by default and also they're forcing mandatory updates to upgrade their end-to-end encryption as they are incrementally redesigning it. Right?

Katie Moussouris:

And I believe, let's see tomorrow, the 22nd of May, they're going to be releasing a white paper that is a high-level design white paper, and they're doing a request for public comment. And I think that's a really smart thing to do. I mean, you don't want to implement a new end-to-end encryption solution that preserves functionality, right? That's obviously why everybody jumped on Zoom is because it just works, but you don't want to push out an implementation of a design that hasn't been fully vetted. And as we like to say from when I was a pen tester, if you're going to roll your own crypto don't smoke it.

Tod Beardsley:

Right. Well, and you could do worse than a team of like you, and Matthew Green, and Trey Labodes. And like, you've got a lot of good crypto eyes on this thing.

Jen Ellis:

Yeah there's some pretty heavy hitters on that list.

Katie Moussouris:

Yeah, so no, we're just really happy that we're getting to participate at this really cool point in time in a company's evolution. And like, we all say this, so it sort of semi tongue in cheek, but it's true: Security is a journey. This is not something that every organization, every government instantaneously crawls out of the organizational womb, knowing exactly how to deal with vulnerability reports. There's a maturity process and that's really why we center our services around a maturity assessment and a roadmap. And how do we actually get people from a lot of low hanging fruit, which we don't want to see in bugs and released code, right? I retired from professional pen testing in what, 2007? Thirteen years ago, I retired from professional pen testing. So there's no excuse for vulnerabilities existing that I can still find, right? 13-year-old tools and techniques and everything should be something that the organization manages to take care of themselves, not wait for somebody on the outside to point it out to them.

Jen Ellis:

Absolutely.

Tod Beardsley:

Well, there is no expectation that at the end of this 90-day security sprint, all security is done and we're just, we're just tapping out and "Come at me, bro." I don't, I don't imagine that's your plan.

Katie Moussouris:

Yeah. That would be an odd way to call a security program successful, is to say that it's done. A security program is successful in that it evolves with the threats and that's really, that's why we're all here.

Jen Ellis:

That is very nicely articulated. I couldn't agree more. I just want to be clear though, that I don't think I crawled out of the womb. I think it was just, I don't think that's how that works.

Tod Beardsley:

Shot, just shot out.

Jen Ellis:

Just shot out, right? Okay. I'm sorry. I made it more awkward.

Jen Ellis:

So, we're at the end of our time. And I know that as we mentioned, you're very busy person and you're going to have to, you're going to have to leave us. Also, I am pretty much achieving puddle state, so I'm just going to like slither across the floor, but Katie, it was so great having you on and it's so great to hear about the stuff you're working on. It's fascinating to get your take on Zoom. Cause normally all I get to do is hear Todd bang on about it.

Tod Beardsley:

Nearly always positively, nearly.

Jen Ellis:

Yes. Oh yeah.

Katie Moussouris:

We made the change that you suggested on Twitter when they were putting the contact info at the bottom of that security page in addition to the top. So it's weird now.

Jen Ellis:

I am proud of you. Thank you for telling him that Katie 'cause you definitely made his day. That is awesome. So yeah. So thank you very much for coming on. I hope that you will come back again sometime in the future. Good luck with Zuta and with hiring and with Zoom and the evolving situation there. We appreciate it.

Katie Moussouris:

It was a pleasure to be on with you guys and I would love to do it again sometime. So let's just, let's make it happen. Maybe it will be hot here and you guys will feel cool and I will be sweating.

Tod Beardsley:

We will have bigger problems then, but okay.

Jen Ellis:

But it would be great. All right, cool. Well, I am famous for being super awkward at the end of every interview, so this is normal. I just don't like the bias. What can I tell you?

Tod Beardsley:

We just have to headshot Jen and be done.

Jen Ellis:

Just a double-tap and we’re out. So, Tod! Onto the Rapid Rundown!

Tod Beardsley:

Well, this week for the Rapid Rundown, I think we're going to talk about one ... One bug, one love.

Jen Ellis:

Yeah, I don't ... it still sounds like Queen to me.

Tod Beardsley:

No? You hate that? See, I'm trying to do a U2 and you're hearing Queen.

Jen Ellis:

I mean, I got to say like, if you had to be Bono or Freddie Mercury in my world, being Freddie Mercury hands down is a winner.

Tod Beardsley:

Oh, yeah. Times 100.

Jen Ellis:

I cannot tell you how little time I have for him. And it's sad because I'm sure Bono listens and he's going to be deeply hurt by me saying that. But seriously, come on now.

Tod Beardsley:

Bono probably doesn't care about this because it affects Samsung phones, not Apple phones. So.

Jen Ellis:

Right.

Tod Beardsley:

So this bug-

Jen Ellis:

You know that Freddie would have been Android all the way. Come on now. Okay.

Tod Beardsley:

Of course, of course he would. So this is a bug, it was released, it was discovered and published by Google Project Zero. It was discovered specifically by Mr. Jurczyk. I have no idea how to pronounce his name.

Jen Ellis:

It didn't show, don't worry.

Tod Beardsley:

Nope. Yeah. But he's a member of Project Zero and this is specifically CVE-2020-8899, which is kind of an easy to remember number. So I like those.

Jen Ellis:

Yeah, it's quite good, yeah.

Tod Beardsley:

Yeah. 8899. So this is a bug in the Samsung Quram image processor that you can trigger via the MMS functionality, which for everyone else in the world is, so MMS stands for multimedia message system or something like that. It's built on top of SMS, which we all know and love. It's texting. It's just basic old texting. So the short story is that you get a command shell. Basically you get a rogue code execution on Samsung phones, basically all of them, through a series of text messages. And that's it. No user interaction required. The user doesn't have to see them, they don't have to click on them, they don't have to do anything.

Jen Ellis:

Well, that sounds no bueno, unless you're a bad guy. In which case it sounds muy bueno?

Tod Beardsley:

Yeah, it is a kind of magic. So-

Jen Ellis:

Oh, look at that. Oh, I do appreciate that. That was nice. Well done. Well played. Yeah.

Tod Beardsley:

So yeah, it's kind of super bad. Now because it's Project Zero and because they haven't seen in the wild, they did do all the normal coordinated vulnerability disclosures you'd expect, Samsung purportedly has a fix for this. So if you're on a Samsung phone, you're going to want to check for that. But it's Samsung. And so this is the problem with Samsung and Android and that whole goofball ecosystem is that all of the patches to all the operating systems for Android for any individual carrier is gated by the handset manufacturer, which Samsung has already released the patch. Google ... well, basically Google, really the Android Project, but it's basically Google, and then the phone carrier. So it all depends on who your carrier is. And there's dozens to hundreds of them. And so at this point, you're now dependent on your carrier to vet this patch and release it out.

Tod Beardsley:

I hope they do it quickly, because Project Zero is no joke. This is very unlike, probably the last bug I got really excited about, which turned out to be kind of nothing. But this one is legit. There's a video that was released by the discover that just shows it. And so, yeah, so you might think, "Oh my God, this is super bad news. I get a magic text and I get owned." Not so fast. According to the video, according to the video demo, anyway, the exploit takes about an hour and a half or so to exploit and results in hundreds of text messages that you haven't read yet. So if you're in a meeting and you're getting hundreds of weird text messages-

Jen Ellis:

That does seem like a bit of a weird, like, "Hi, I'm here."

Tod Beardsley:

Yeah.

Jen Ellis:

It's not exactly stealth attack, is it?

Tod Beardsley:

It is un-stealth. It is about the least stealth thing you can do. Unless of course you're asleep and you're not looking at your phone and you're a sane person and you turn off your notifications at night. So what I would suggest is that if you think you have this issue, then honestly turn off your phone at night or put it in airplane mode without wifi. It's really crazy.

Jen Ellis:

If you get infected, because you said it's an hour or whatever. What do you do? What do you do at that point? Do you just run around screaming?

Tod Beardsley:

Just run around screaming. Well, so when you get remote code execution, it's with the privileges of the Samsung messages app, which is usually pretty good privileges. That thing usually has lots of reach. You've already given it permission to do a bunch of things like share photos. And obviously it can read your texts because that's where all your texts come from. And so an attacker, honestly, this bug is kind of tailor-made for law enforcement. Let's say I'm law enforcement and I've got a guy and I have his phone and I know the phone number. I could use this bug to just read all the text messages and see all the stored pictures. That's pretty much the use for this bug.

Jen Ellis:

Wow. That's going to be some fascinating reading if you get into my phone, let me tell you.

Tod Beardsley:

Yeah, I'm sure lots of LOL cats.

Jen Ellis:

Yeah, lots of like, "Are we going to try and see Mom? No, we're probably not going down to see Mom." And bear in mind this is text messages between me and a person that is two floors below me. So yeah. Some really dynamite reading there.

Tod Beardsley:

However, it is a shell. It is remote code execution. So there are probably other, there are hints of other privilege escalation vulnerabilities in messages that, they're not published. They're just kind of a theory at this point. We'll see. I mean, people are definitely going to be analyzing this bug in detail. Again, because it's Project Zero, there's full-ish crash reports. So people have really good ideas of where to look to go repro this. So the clock is ticking on the manufacturers.

Jen Ellis:

So how does it work? So you get a text message ...

Tod Beardsley:

You get several hundred text messages.

Jen Ellis:

But you get malicious text messages then, or-

Tod Beardsley:

Yep. Yep.

Jen Ellis:

And then do you have to take action for that text message to actually have effect?

Tod Beardsley:

Nope.

Jen Ellis:

Or is it just having it on your phone is bad?

Tod Beardsley:

Just on the lock screen, totally works. No interaction required.

Jen Ellis:

Yeah, that does seem quite bad.

Tod Beardsley:

It's bad. It's the worst. I mean, it's a totally different bug, but it reminds me of the impact of the old Stagefright bug by our friend jduck. Stagefright was the bug that kicked me off of Android. I was in the exact same position. I was waiting for my carrier to give me the damn update and like, "All right, forget it, forget it. I can't do this anymore. I can't do this anymore. I'm getting an iPhone." Because it would suck if I got owned. So. And that's it. So, I mean, the problem is not really Samsung and it's definitely not Google. It's not a shoot the messenger kind of thing, but the problem lies in this mishmash of carriers and all the goofball janky stuff that they do with their Android releases, all the changes they make to Android in order to push them to the phones. Which some of them, I'm sure are legit. Some of them are kind of skeez, but like-

Jen Ellis:

Yeah, a lot if it's like, "Let's make it so that you always want to buy our products because it feels familiar."

Tod Beardsley:

Yeah. It's the Candy Crush problem, right? It is the pre-installed Candy Crush or whatever that prevents this patch, this security patch, from hitting.

Jen Ellis:

I'm sorry, pre-installed Candy Crush seems like a terrible idea.

Tod Beardsley:

So anyway, that's my hobby horse. Check every day if you have this bug and if you don't, put your phone ... And by the way, turning your phone off at night, it won't prevent you from getting owned. It's just when you turn your phone on, you'll notice that you've now just got owned. Or you'll see all the messages start coming in. So that's the thing. You'll have a chance to stop it just by turning it off again. But that's it. You're kind of doomed at that point.

Jen Ellis:

Yeah. So I guess the thing is to harass Samsung?

Tod Beardsley:

It's not so much Samsung, it's the carriers. So it's whoever your phone carrier is, you call the helpline, which you should be doing anyway, because you've got to make sure that those customer support people are still employed during these troubled times. And so you call customer support every day and say like, "Hey, there's a patch for CVE-2020-8899. Can I have it please?" And variations on that. Anyway, that's your happy news for the week.

Jen Ellis:

All right. Well, thank you. Thank you for educating slash terrifying us, or rather me. As usual, it was very interesting. And I look forward to the next installment of the Rapid Rundown.

Jen Ellis:

So that just leaves me to thank our very special, the most special of all special guests. And obviously to thank you, Tod, Mr. Beardsley-

Tod Beardsley:

Thank you.

Jen Ellis:

And our amazing, wonderful producer, Bri, the patron saint of patience. And just to say, until the next thrilling episode.