11/2/2016

New DMCA Exemptions Give White Hats License To Hack Cars, Medical Devices

But there are important caveats to the new Digital Millennium Copyright Act rules.

A recent decision by the US Copyright Office to temporarily remove certain restrictions in the Digital Millennium Copyright Act (DMCA) paves the way for security researchers to look for vulnerabilities in connected cars and medical devices without fear of legal repercussions.

The Copyright Office on Oct. 27 issued a set of long-awaited rules governing the circumvention of technological measures, such as encryption, that control access to copyright protected material under the DMCA. The rules grant new exemptions for such circumvention as long as it is done in good faith and complies with relevant fair-use requirements.

"I have seen so many presentations at conferences pulled because of DMCA liability concerns. This is going to embolden a lot of people to do research," says Tiffany Rad, a legal expert and co-founder of Anatrope, a maker of wireless automotive technologies. "There is going to be more information shared" on vulnerabilities in cars and medical devices, she says.

The DMCA exemptions are available for a two-year period, after which the Copyright Office will review them to decide whether they should be extended. They were originally adopted last October but take effect only now.

Exemptions currently apply to a relatively broad range of technologies, including video games, DVDs, Blu-rays, cell phones, and tablets. But most significant from the security community's perspective are the new exemptions for vulnerability research on medical devices and cars.

The Electronic Frontier Foundation (EFF), which has been among the many organizations vigorously campaigning for the changes, predicted the exemptions would promote security, innovation, and competition in these sectors. The rights group, however, was sharply critical of the length of time it took for the exemptions to become available, saying these changes were needed because of a “fundamentally flawed law that forbids users from breaking DRM, even if the purpose is a clearly lawful fair use.”

The Copyright Office’s new exemptions apply to Section 1201 of the DMCA, a controversial provision in the statute that prohibits people from breaking Digital Rights Management (DRM) controls to access copyright protected material.

Under DMCA, such circumvention is defined as any action taken to "descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner."

It applies even when the legitimate owner of a device or a piece of media, such as a DVD, attempts to override the protections on it in order to copy music or movies.

Indeed, the creators of the legislation originally intended for it to deter people from precisely such actions, says Anatrope's Rad.

But in recent years, some companies including car manufacturers and medical device-makers began holding the DMCA provision over security researchers looking for vulnerabilities in their products. Rather than making their technologies more secure, many began wielding DMCA as a weapon against white-hat hacking, she says.

The new exemptions for vehicles and medical devices remove the legal uncertainty associated with section 1201 and finally allow security researchers to publicly talk about and share details of their vulnerability research.

But there are some important caveats. The new exemptions, for instance, allow vehicle owners to circumvent Digital Rights Management (DRM) protections to access various electronic control units in their vehicle for repair purposes, but they exclude breaking protections on control units related to vehicle telematics and entertainment systems. The exemptions are also available only for land vehicles, and only to the legitimate owner of the vehicle: any vulnerability research a researcher performs has to be on a personally owned vehicle.

"Reverse engineering and modifying software for security research purposes is something that's going to happen, DMCA exemption or not," says Cory Thuen, senior security consultant with IOActive. "With an exemption we now have the good guys doing it too, which is important for advancing cybersecurity as a whole."

In granting the exemptions, the Copyright Office rejected the concerns expressed by opponents of the changes, which included the Auto Alliance, Global Automakers, GM, John Deere, BSA, the Intellectual Property Owners Association, and the National Association of Manufacturers.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
