Should Manufacturers Sponsor Penetration Testing Of Competitors' Products?

In the Dear John letter discussion, U17 suggests the following:

...it would seem that publicizing the backdoors so that the integrators can demonstrate the risk would be one of the few avenues to combat the predators. One thing to talk about them, another to provide the steps a),b),c) so that integrators can plant the seeds in the mind of the end user. In essence provide a limited configuration to the customer and let them see the exposure they're facing.

But why stop there?

Why not put a few bucks to work and have some pen testers see what vulnerabilities they can find in their competitors' products?

If they find something especially damaging they could have the pen testers release it on their own, to avoid any negative backlash.

Or they could sit on the bug, until just the right moment comes and then have it 'discovered', or build up a few to make a bigger splash in the news.

Pay the hackers to give as many talks as possible about the findings afterwards to keep it alive.

This is assuming end-users actually care if their camera can be hacked or comes with a backdoor, certainly a dubious proposition in the past. But I feel awareness of the danger of unsafe devices is finally growing at the consumer level, and once you get branded as hackable, it might be hard to shake.

Might get the industry to fix their problems quicker.

Should manufacturers pen test the competition? Yes/No.


Related: Go After Your Competitors

In this industry, it likely will not happen, though I think the idea has merit.

(1) A lot of manufacturers are woefully ignorant of their competitors. Sometimes I speak with manufacturers and am simply dumbfounded that they do not know even fundamental attributes of their competitors' offerings. If they do not have the time / interest / abilities to know that, I am not optimistic about pen testing.

(2) Almost all manufacturers are highly reluctant to say anything negative about competitors, even if it is true. There are only rare occasions (e.g., Pelco Criticizes Arecont's Multi-Imager).

Perhaps more interesting, I think it is something that IPVM should fund. Thoughts?

(1) A lot of manufacturers are woefully ignorant of their competitors.

No doubt. However, negative ads, because of their indirectness, are best used by market leaders vs. other market leaders, i.e. Coke vs. Pepsi.

So of the firms that have the required market share to justify playing the "don't pass" line, there might be more competitive intel available, e.g. we can only hope that Sonysonic is not clueless about Hikua and neither are in the dark about Axis.

(2) Almost all manufacturers are highly reluctant to say anything negative about competitors, even if it is true.

My guess is they do so because they fear a negative backlash from running such ads, and possibly to avoid retaliation.

That's where this method really shines, since hackers are finding vulnerabilities all the time, and who can tell if they were part of some competitor incentive plan or not? As opposed to running an anonymous negative ad against your competitor, where everybody would be assuming who it was from.

Any way to reduce security holes has to be addressed, regardless of politics.

I could be wrong, but I don't believe ethical hacking works in this fashion. An ethical hacker generally would not release anything publicly unless a company with a hacked product/service is entirely non-responsive to their findings of vulnerabilities.

As well, I am not sure they would work for Manufacturer A to hack the product of Manufacturer B.

Those points aside, I do think an independent pen-testing program could have merit and improve the industry going forward.

By independent, consider something like Consumer Reports, Underwriters Laboratories (UL), or an IPVM style of organization, with no horse in the race so to speak. That angle gets away from what otherwise may be viewed as skewed results with ulterior motives.

IPVM? Impartial? Everyone knows John hates EVERYONE!

If John did like a vendor I don't think he would have the heart to tell us.

I don't believe ethical hacking works in this fashion.

Who said anything about ethics? ;)

The common ethical model followed is called "responsible disclosure", and would typically involve notifying the vendor ahead of time, giving them some time to react. 30 days is also common, and often companies do not or choose not to act, at which point the exploit is published.

Who wouldn't jump right on it? Keep in mind that these days with everyone looking for zero-day attacks of any sort, many, many trivial exploits exist that pose no real threat.

I think (some) hackers are easily motivated by money, and I would be surprised if this type of thing isn't happening already in the bigger arenas of networking and desktop OS.