Billy Rios has discovered major security holes in TSA passenger-screening equipment at US airport checkpoints as well as in medical equipment, and often shares his findings with the US Department of Homeland Security and the Food and Drug Administration. But Rios almost always faces the affected product vendor's general counsel in a delicate legal dance that serves as a chilling reminder of the looming legal risks security researchers face just for doing their jobs.
"Legal is always on the table… This stuff happens all the time, more than people realize, behind the scenes," says Rios, who is director of threat intelligence at Qualys. "A lot of times researchers put themselves at risk as an individual" when they disclose their findings, he says.
The legal implications of good hackers hacking into increasingly networked and vulnerable consumer products are intensifying. The Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA) often leave security research in a gray area, and companies in the consumer space that traditionally have had little or no interaction with security researchers often don't understand the difference between a good hacker and a nefarious one.
"You don't want researchers to be prosecuted as if they were a hacker using exploits to exploit companies or networks or to steal IP [intellectual property]. These are two totally different things," Rios says. "The legislation we have, or the regulatory body that takes a look at this, needs to understand that. Right now, the way a lot of these laws are [written and interpreted], there's no distinction."
Jay Radcliffe, a security researcher who has found security weaknesses in insulin pumps, had to curb his research for fear of legal action. Radcliffe says he was advised to steer clear of the firmware and operating system of embedded devices when he first began digging into the security of his own Medtronic insulin pump. Radcliffe, who is a diabetic, initially went to the Electronic Frontier Foundation (EFF) for legal advice while hacking the device as an independent researcher and was told he could only go so far without facing possible legal problems. "They [the EFF] said there are some things in the DMCA that could [send me] to jail" if I investigated them, says Radcliffe, who joined Rapid7 this summer as a senior security consultant. "So I said I'm not going to look at any of that."
He focused his white-hat hacking instead on weaknesses in wireless access to the pumps. "So I only had about 30% of the attack surface that I was able to do research on," he says.
Radcliffe, who says he has been threatened with legal action before, and his company Rapid7 are part of a group of security researchers and supporters who are now petitioning the White House for reforms to the DMCA and the CFAA. The security researchers in their petition are calling for solid legal protection so they can more effectively and thoroughly find security weaknesses in consumer devices and systems.
"While responsible companies cooperate with the technical community and the public to improve the safety of code, others do not. They instead try to prevent researchers and others from sharing safety research, threatening criminal and civil actions under the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act," the petition reads in part. "Reform the DMCA and CFAA to unlock and encourage research about potentially dangerous safety and security weaknesses in software."
Andrea Matwyshyn, a law professor and advocate for cyber safety who helped craft the petition, says that, as with any technology policy issue, it will require a long-term conversation with legislators and regulators. "It's not going to be a quick fix," Matwyshyn says. The coalition hopes to help advance regulatory changes, namely under the exemption process of the DMCA. "That's one avenue where perhaps things could be clarified and improved and recalibrated to balance consumer and IP" protections, she says.
"More long-term, a statutory fix by Congress is another way to address this. There are many ways to improve this situation to give researchers greater certainty. Whether it's path one or path two isn't as important as the end result: to have a climate that's researcher-friendly" so that consumers, for example, have better access to information about the security and safety of the products they buy or use.
Researchers sometimes are forced to dial back their research for fear of legal ramifications. "One of the reasons you don't see a lot of breaking into medical devices and the power grid… because there are armies of lawyers and the risk is too great. It's slowed down research and had a chilling effect," Radcliffe says.
But the stakes have never been higher for finding security flaws before the bad guys do, as consumer products with public safety ramifications are increasingly networked: cars, medical devices, TSA checkpoint screening equipment, satellite ground terminal equipment, and home alarm and automation systems. These are the pacemakers, insulin pumps, vehicles, and carry-on baggage scanners that consumers use or depend on every day, but some of these consumer industries are more seasoned in cybersecurity issues than others, and not all companies understand the difference between a white-hat and a black-hat hacker.
Not every researcher who reverse-engineers or tests consumer products for security flaws faces actual legal threats, however. Cesar Cerrudo, CTO at IOActive, which has researchers who specialize in car hacking, satellite terminal hacking, and smart traffic systems hacking, says his team hasn't faced any legal hurdles thus far. "Luckily, we haven't had legal threats from vendors. We consult with our legal department before doing anything that could cause problems, but there is always the possibility to get sued, and bad laws or badly interpreted laws can put in jail the wrong people for stupid things," Cerrudo says.
IOActive researchers often struggle to acquire the consumer equipment they want to test, however, he says. "The only limitation we are having is that some devices are very difficult to get, and while we are almost sure they are vulnerable and being used in critical infrastructure, we can't get them," says Cerrudo, who adds that he has not yet studied the details of the petition effort.
Cerrudo and Qualys's Rios say they draw the line at hacking a live production system on the Internet. "Trying to hack systems and devices on production would be crazy and illegal no matter [if] you want to prove it has security issues," Cerrudo says. "At the same time, running an Internet scan or pointing to a security flaw in a website shouldn't be illegal."
No one has ever warned Rios off of any of his research parameters, he says. But he also has set his own boundaries, which comes with tradeoffs: "I have a personal boundary -- not to test that exploit against a live system on the Net or anything like that. But, that leaves a gap in some of my knowledge."
Craig Smith, CEO and founder of Theia Labs, says he is careful when it comes to releasing a hacking tool, especially if it's a personal project he's working on that isn't part of his day job. The key is making it clear that the tool is free and relatively generic, for example a tool for hacking cars or a class of features in general rather than one aimed at a particular vendor's product, says Smith, who has signed the online petition.
"I do a lot of traditional penetration-testing and reversing… on the side," he says. "If I'm not hired for that, I have to be more careful" of the potential for legal action by the affected vendor.
The other issue to weigh as a researcher, he says, is whether it's really worth exposing a flaw if it won't ever get fixed and publicizing it may do more harm to the public than good. "Maybe the [flawed] firmware can't be updated, for example, so what's the appropriate way to deal with this? How can you work with these companies to make it better?"
He says legal threats never stop him from researching a product, but they do at times influence whether he publishes his findings. Companies not well-versed in security research could take the legal route, he says. "The knee-jerk is to come after you. You have to think about that," says Smith, who says he'd like to see the DMCA eliminated altogether someday.
"Piracy is already against the law," he says.
Meanwhile, Rapid7, which has spearheaded the petition, also has formed the Coalition for Security Research to promote security research amid the explosion of the Internet of Things and connected consumer products. "The mission of the Coalition for Security Research is to protect and promote security research to make businesses and individuals safer," a summary of the group says. Rapid7 is reaching out for members to join the group.