Vulnerabilities / Threats

11/2/2016
05:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New DMCA Exemptions Give White Hats License To Hack Cars, Medical Devices

But there are important caveats to the new Digital Millennium Copyright Act rules.

A recent decision by the US Copyright Office to temporarily remove certain restrictions in the Digital Millennium Copyright Act (DMCA) paves the way for security researchers to look for vulnerabilities in connected cars and medical devices without fear of legal repercussions.

The Copyright Office on Oct. 27 issued a set of long-awaited rules governing the circumvention of technological measures, such as encryption, that control access to copyright protected material under the DMCA. The rules grant new exemptions for such circumvention as long as it is done in good faith and complies with relevant fair-use requirements.

"I have seen so many presentations at conferences pulled because of DMCA liability concerns. This is going to embolden a lot of people to do research," says Tiffany Rad, a legal expert and co-founder of Anatrope, a maker of wireless automotive technologies."There is going to be more information shared" on vulnerabilities in cars and medical devices, she says.

The DCMA exemptions are available for a two-year period, after which the Copyright Office will review them to see if they need to be extended. They were originally passed last October, but go into effect only now.

Exemptions currently apply to a relatively broad range of technologies including video games, DVDs, BluRays, cell phones, and tablets. But most significant from the security community’s perspective are new exemptions for vulnerability research on medical devices and cars.

The Electronic Frontier Foundation (EFF), which has been among the many organizations vigorously campaigning for the changes, predicted the exemptions would promote security, innovation, and competition in these sectors. The rights group, however, was sharply critical of the length of time it took for the exemptions to become available, saying these changes were needed because of a “fundamentally flawed law that forbids users from breaking DRM, even if the purpose is a clearly lawful fair use.”

The Copyright Office’s new exemptions apply to Section 1201 of the DMCA, a controversial provision in the statute that prohibits people from breaking Digital Rights Management (DRM) controls to access copyright protected material.

Under DMCA, such circumvention is defined as any action taken to "descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner."

It applies even when the legitimate owner of a device such as a DVD, for instance, attempts to override the protections on it to copy music or movies.

Indeed, the creators of the legislation originally intended for it to deter people from precisely such actions, says Anatrope's Rad.

But in recent years, some companies including car manufacturers and medical device-makers began holding the DMCA provision over security researchers looking for vulnerabilities in their products. Rather than making their technologies more secure, many began wielding DMCA as a weapon against white-hat hacking, she says.

The new exemptions for vehicles and medical devices remove the legal uncertainty associated with section 1201 and finally allow security researchers to publicly talk about and share details of their vulnerability research.

But there are some important caveats. The new exemptions for instance allow vehicle owners to circumvent Digital Right Management (DRM) protections to access various electronic control units in their vehicle for repair purposes. But it excludes breaking protections in control units related to vehicle telematics and entertainment systems. The exemptions are also only available to land vehicles, and to the legitimate owner of the vehicle. Any vulnerability research that a researcher performs has to be on a personally owned vehicle.

"Reverse engineering and modifying software for security research purposes is something that's going to happen, DMCA exemption or not," says Cory Thuen, senior security consultant with IOActive. "With an exemption we now have the good guys doing it too, which is important for advancing cybersecurity as a whole."

In granting the exemptions, the Copyright Office overturned concerns expressed by opponents of the changes, which included the Auto Alliance, Global Automakers, GM, John Deere, BSA, Intellectual Property Owners Association, and the National Association of Manufacturers.

Related stories:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-8298
PUBLISHED: 2018-09-24
Multiple SQL injection vulnerabilities in the login page in RXTEC RXAdmin UPDATE 06 / 2012 allow remote attackers to execute arbitrary SQL commands via the (1) loginpassword, (2) loginusername, (3) zusatzlicher, or (4) groupid parameter to index.htm, or the (5) rxtec cookie to index.htm.
CVE-2018-14825
PUBLISHED: 2018-09-24
A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges. This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable...
CVE-2018-17437
PUBLISHED: 2018-09-24
Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (memory consumption) via a crafted HDF5 file.
CVE-2018-17438
PUBLISHED: 2018-09-24
A SIGFPE signal is raised in the function H5D__select_io() of H5Dselect.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack.
CVE-2018-17439
PUBLISHED: 2018-09-24
An issue was discovered in the HDF HDF5 1.10.3 library. There is a stack-based buffer overflow in the function H5S_extent_get_dims() in H5S.c. Specifically, this issue occurs while converting an HDF5 file to a GIF file.