Company invokes DMCA to block researcher from disclosing flaws in its product

Electronic lock maker CyberLock has attempted to prevent IOActive from releasing information about a host of security flaws they discovered in its product of the same name.

Mike Davis, the IOActive research scientist who discovered the flaws, published the Digital Millenium Copyright Act (DMCA) violation threat he received a week ago from a lawyer retained by CyberLock.

In the latter, the lawyer says that IOActive has not given the company enough time to review the vulnerability information they sent, and that they have imposed and impossible requests and deadline for its technical staff to meet with IOActive researchers to discuss the findings.

Davis claims that CyberLock was given the vulnerability information 30 days before they plan to release the information publicly, and have tried to get in touch with IOActive in the meantime, but waited for the last moment to attempt to gag them via this DMCA threat.

It didn’t work, though, and the company released an advisory detailing the flaws the day after, on April 30.

“In various marketing materials, CyberKey is described as “unclonable” and suitable for use in money handling and critical infrastructure systems as a secure and auditable solution,” they shared. “However, after some reverse engineering it appears that these devices are easily cloned, and new keys can be created from lost cylinders and keys regardless of the permissions granted to the key.”

DMCA infringement notices have occasionally been used with mixed success by companies eager to prevent researchers to publish information that might endanger their “copyrighted work.”