JONES DAY
555 California Street, 26th Floor, San Francisco, California
Telephone: 415.626.3939 • Facsimile: 415.[illegible]
Direct Number: (415) 875-5550
JP020437

April 29, 2015

VIA EMAIL AND OVERNIGHT MAIL

Mike Davis

Re: Intellectual [illegible]

Dear Mike:

As discussed today, Jones Day is outside counsel for [redacted] Inc. In that regard, I write on behalf of [redacted] in response to IOActive's recent communication regarding "the [redacted] System," IOActive's claim that it has "discovered a number of serious vulnerabilities," and IOActive's plans for a "public advisory on April 30 where [it] will release [its] findings to the general public." Specifically, [redacted] requests that IOActive refrain from the public reporting of any security vulnerabilities relating to the [redacted] System or [redacted] products until [redacted] has had an opportunity to identify these supposed security vulnerabilities and, if appropriate, take any necessary remedial steps.

I note that your correspondence to [redacted] states that IOActive prefers to "release vulnerabilities (security flaws) responsibly by sharing them with [redacted] prior to a public advisory." Yet, when I reached out to discuss this matter with you today, you declined to share any information about your activities concerning the [redacted] products, what products IOActive allegedly researched, the nature of the supposed vulnerabilities, or how you uncovered such vulnerabilities. I understand your reluctance may have been based on a need to verify our relationship to [redacted], and hopefully this letter satisfies those concerns.

Of course, as you know, the public reporting of security vulnerabilities can have significant consequences. [redacted] also takes the protection and enforcement of its intellectual property rights seriously and, prior to any public reporting, wants to ensure that there has been no violation of those rights, including [redacted]'s license agreements or other intellectual property laws such as the anti-circumvention provision of the Digital Millennium Copyright Act. Presumably, IOActive is also aligned with ensuring responsible disclosure and compliance with the laws.

JONES DAY
555 California Street, San Francisco, California
Telephone: +1.415.626.3939 • Direct Number: (415) 875-5850

May 4, 2015

VIA EMAIL AND OVERNIGHT [illegible]

Re: [redacted]

Dear [redacted]:

[redacted] is committed to continually improving its products and values the security research community's thoughtful and responsible contributions. The company strives to ensure that only objective, complete, and accurate information is reported about its products, and we hope that IOActive has a similar goal. For this reason, I write to advise you that the "Security Advisory" provided to me on Thursday, April 30 contains material inaccuracies and omissions regarding [redacted]'s technology, mischaracterizes the severity of the purported vulnerabilities, and unfairly depicts the overall relevance of your findings to [redacted]'s product lines.

[redacted] sells a broad range of products for use in a variety of security applications. While IOActive apparently reverse engineered one product, your findings are not applicable to all of the products and software sold by [redacted]. In addition, [redacted] continually updates its firmware to address many types of security threats, including the potential attack theorized in your report. The provided draft of the report omits these facts, and therefore distorts the characterization of the risk posed by the attack to [redacted]'s products as a whole.

Moreover, IOActive's reverse engineering process required the use of skilled technicians, sophisticated lab equipment, and other costly resources not generally available to the public to extract [redacted]'s firmware from an embedded semiconductor chip. Leaving aside the question of whether IOActive's methodology violated [redacted]'s legal rights, your process appears to have included at least the following steps: (1) forcibly disassembling a [redacted] to remove the cylinder using "a few sharp strikes to the mechanical retainer"; (2) shaving off the semiconductor chip's packaging; (3) connecting leads onto the depackaged chip; (4) extracting the firmware from the depackaged chip; and (5) reverse engineering a portion of the source code for the extracted firmware.

[redacted] does not claim, and never has, that a door protected by one of its products is impregnable. It is simply common sense that anyone with the time, sophistication and resources to engage in IOActive's methodology could more simply defeat a [redacted] product by drilling the lock off the door, or for that matter chopping the door down with an axe. To suggest, as your report does, that [redacted] products suffer from "severe" vulnerabilities simply because you were able to develop a bypass in your lab ignores the fact that the exploit in question was not possible without the use of costly and sophisticated lab equipment and highly skilled technicians, not exactly a real-world scenario for the intended use of [redacted] products.

Under the circumstances, we are surprised by IOActive's aggressive stance and tight deadlines on the publication of its report. IOActive's own disclosure policy states that IOActive "will work with" a party like [redacted] "to define a course of action for remediation and will determine a future disclosure date for publishing a security advisory." Yet when I contacted IOActive researcher Mike Davis on April 29, I was initially told that IOActive would only push back its publication deadline if [redacted] made its technical staff available for a meeting with IOActive that same day. After discussions with you on Friday, May 1, you indicated that, after discussions with IOActive's CEO, [redacted] now must make its technical staff available for a meeting with IOActive before Monday at noon. IOActive's tactics, to threaten disclosure of alleged product vulnerabilities unless [redacted] makes its technical staff available within a matter of days, are simply making this process more difficult for all of us.

Even if we could arrange such a meeting by the deadline you have set for us, we do not appear to have been provided with the information necessary to prepare for such a meeting. I wrote you an email on Friday, May 1, to ask whether IOActive has any additional information beyond what is contained in the report you sent me (which has only two pages of text and three pages of photographs). You wrote me back and indicated there was no additional information. Yet in our discussion by phone later that day, you indicated that IOActive may publish information that goes beyond the scope of the report you have provided, including a version of an exploit IOActive has developed as a result of its lab work that could be deployed from a hand-held open source electronics platform such as an Arduino. Given that IOActive has not provided us with any written information regarding this exploit, we are not in a position to assess the accuracy of the information you intend to make public. Why IOActive has not provided [redacted] with all of the information it intends to make public is unclear given that the company's policies apparently state that you will do so.

Finally, I note that, based on our conversation on Friday, May 1, it appears IOActive's treatment of [redacted] is driven at least in part by the fact that IOActive researcher Mike Davis was offended when I asked whether the company's [redacted] is the same individual who was prosecuted by federal authorities for wire fraud in 2010, as suggested by publicly-available news reports.[1] While at the time it seemed relevant to determine whether

[1] See http://www [remainder of footnote illegible in the source]