A security researcher alleges the COO of Atrient assaulted and threatened him after disclosing a massive vulnerability in an Atrient product. Credit: Air Force photo illustration by Margo Wright

File this under how a vendor should not react when researchers tell them they discovered a massive security hole in their product.

The vendor is Atrient, the product is PowerKiosk, and the flaw allows personal data to be transmitted unencrypted — reportedly serious enough to make it “extremely vulnerable to criminal abuse.” PowerKiosk customers include some of the biggest casinos — Caesars, Hard Rock and MGM. And what casino wouldn’t be concerned to learn that personal details of its loyal customers, such as driver’s license scans, home addresses and contact details, were being transmitted in plaintext — as in wide open, unencrypted and “publicly visible to anyone on the internet who knew where to look.” (Shodan?)

Additionally, Atrient’s third-party subcontractors were allegedly “not taking even basic security steps to secure any of this infrastructure from being discovered on the open internet.”

The vulnerability was discovered by @Me9187 and Dylan Wheeler, aka @degenerateDaE, but Atrient allegedly ignored them as they repeatedly tried to report it. After a friend tweeted about the flaw to help the researchers, it wasn’t Atrient’s attention that was snagged but the FBI’s — specifically the FBI Cyber Fusion Unit, according to an article on Secjuice. While that might give any number of security researchers a near panic-induced heart attack, the FBI realized the seriousness of the vulnerability and offered to help. In fact, the FBI set up a call with Atrient and the security researchers the very next day. Apparently the feds weren’t as easy to ignore as the researchers had been.
During the conference call, Atrient reportedly told the FBI it would rather “talk about this offline” when the feds asked if Atrient had properly notified its customers of the breach and the flaw in the systems.

The scary one in this scenario is actually not the FBI but Atrient, because it allegedly offered the researchers a $60,000 bug bounty as long as they kept quiet about the flaw and waited on attorneys to draw up an NDA. Four months later … no bug bounty payment, no NDA, and no fix for the flaw.

After learning Atrient planned to speak at the ICE London conference about a “new facial recognition feature in their kiosks that scanned users faces” and “uploaded the biometric data to their servers,” the researchers registered as attendees.

When Wheeler approached Atrient COO Jessie Gill, the article states that Gill “suddenly lunged at the researcher and violently grabbed him by his clothes on his chest before then tearing his attendee badge away from him, telling the researcher that he didn’t need it anymore and that he would keep hold of it.”

In a video recorded after the incident, in which Wheeler retrieved his allegedly ripped-off badge from the table where Gill was sitting, Gill denied knowing Wheeler. The assault was reported to the London Metropolitan Police and to the ICE conference, which vowed to take the safety of attendees seriously. CCTV video likely exists of the whole incident, but it is unlikely to be handed over to anyone except the police, so anyone who witnessed the assault, or can refute it, has been asked to speak up.

The unfolding saga doesn’t end here, as Gill sent a threatening email to the researchers. The FBI may need to step up to clarify whether Atrient contacted the feds to report the security researchers last November, or whether the feds contacted Atrient to set up the initial conference call to disclose the vulnerability.
As for the rest of the threats, you really should read the email yourself.

UPDATE: The company (my attacker specifically) has now emailed myself and @Me9187, with the stance that we ‘hacked’ them and ‘threatened’ them. I will make it perfectly clear publicly that all calls were recorded, and emails were also archived, we made no attempt to (1/2) pic.twitter.com/h8tt2E2xA4
— Dylan 🤖 (@degenerateDaE) February 5, 2019

extort the company, and never did we personally make any claims of monetary payment, in fact the contrary was purported, and my attacker himself proclaimed he would like to buy our research off us. @atrient please know that you can not abuse security researchers like this. (2/2)
— Dylan 🤖 (@degenerateDaE) February 5, 2019

This is undoubtedly not the last you will hear about this clusterflub.