The long-lasting consequences of Coalfire’s Iowa pentest fiasco
The two security pros who were arrested for doing their job are still angry.
Gary DeMercurio and Justin Wynn, who work as penetration testers for Colorado-based security firm Coalfire Labs, were charged with burglary in September 2019 after they broke into an Iowa courthouse. Unlike in a typical break-in, though, Iowa state officials had hired DeMercurio and Wynn to test the courthouse’s defenses, then alert the authorities about any vulnerabilities that actual thieves may try to exploit.
While prosecutors eventually dropped charges against the two pen-testers, the case made national headlines and highlighted the risks that security professionals take as part of their employment. Now, DeMercurio and Wynn are breaking their silence with a presentation at Black Hat, the virtual cybersecurity conference where they plan to detail their experience, and may delve into how performative security tactics, like arresting people without grounds, don’t actually solve anything.
“The citizens of Iowa are getting screwed,” DeMercurio said during an interview prior to the Black Hat conference. “It’s a comedy of errors.”
A contract between Coalfire and the Iowa Court Information System authorized Wynn and DeMercurio to conduct physical security tests, including impersonating courthouse employees, following staffers into a building, entering restricted areas of the building and lying about their reason for being there. It did not authorize them to force-open doors or deactivate the alarm systems.
Things seemed to be going according to plan on Sept. 9, 2019, at the Dallas County Courthouse, where they found an unlatched door, only to close it in order to test the lock. Then, the pair pulled out a plastic cutting board with a custom notch in it, inserting it in the crack of the door to trip the latch.
The only problem was that the door triggered an alarm. So the pen-testers did what they always do when an alarm goes off in the middle of a job: they sat tight and waited for the police to arrive.
When law enforcement showed up, responding officers couldn’t figure out how to get in. DeMercurio and Wynn recalled sitting inside the courthouse, yelling to officers outside that they had been hired to find security holes, and that they would walk out voluntarily.
“Their systems didn’t work,” DeMercurio says now. “They had some sort of hourly lockout for the officers, which is ridiculous. They were going back and forth on the dispatch to try to figure out how to get in. There were officers yelling back and forth, ‘How the f–k did they get in?’ and they couldn’t figure it out.”
Upon their exit, the Coalfire employees made their case to the police, who seemed to understand the confusion. That changed when the local sheriff arrived, demanded to see the contract and then ordered his subordinates to take Wynn and DeMercurio into custody, reasoning that the pair had “force-opened” a door by using the plastic cutting board, which he said was against the rules. (Sheriff Chad Leonard told Wired that DeMercurio handed him a “get out of jail free” card in a dismissive manner.)
The two men spent nearly 24 hours in jail, were held on $100,000 bail and charged with burglary. The apparent confusion evolved into a minor political scandal when Iowa state lawmakers complained that “the hiring of an outside company to break into the courthouses in September created ‘significant danger, not only to the contractors, but to local law enforcement and members of the public.’”
It wasn’t until some four months later that prosecutors announced they’d dropped the charges.
Looking back, the pen-testers say the episode is evidence that too many authorities fail to see the actual security vulnerabilities right in front of them. At one point, they say, the police doubted Wynn and DeMercurio were professional pen-testers because the custom plastic cutting board they used to enter the courthouse wasn’t a more sophisticated piece of equipment.
“It shows the ignorance, for lack of a better term, of what we do and how we do it,” DeMercurio said. “If I can go to Home Depot and buy something that I can use to break into your bank, it shows that Joe Public can do the same thing.”
The incident has had professional ramifications, too. DeMercurio, a former U.S. Marine, had applied for a security clearance that suddenly seems to be held up in limbo. Wynn hasn’t been on a physical security assessment since he was arrested, citing concerns about being stopped outside a bank with a prior allegation of burglary against him.
The real impact, though, has been a reassessment of the criminal justice system as a whole. Wynn and DeMercurio say they’ve been following the Black Lives Matter protests in the wake of the police killings of George Floyd, Breonna Taylor and other Black Americans.
“Every kid in America grows up like, ‘You’re innocent until proven guilty,’ whereas the exact opposite is true,” DeMercurio said. “There’s footage of the sheriff who had us arrested saying, ‘The burden of proof is on them.’ That was like hearing a record scratch. What if I was somebody else, or I looked different?”