
11/2/2016
05:50 PM
New DMCA Exemptions Give White Hats License To Hack Cars, Medical Devices

But there are important caveats to the new Digital Millennium Copyright Act rules.

A recent decision by the US Copyright Office to temporarily remove certain restrictions in the Digital Millennium Copyright Act (DMCA) paves the way for security researchers to look for vulnerabilities in connected cars and medical devices without fear of legal repercussions.

The Copyright Office on Oct. 27 issued a set of long-awaited rules governing the circumvention of technological measures, such as encryption, that control access to copyright protected material under the DMCA. The rules grant new exemptions for such circumvention as long as it is done in good faith and complies with relevant fair-use requirements.

"I have seen so many presentations at conferences pulled because of DMCA liability concerns. This is going to embolden a lot of people to do research," says Tiffany Rad, a legal expert and co-founder of Anatrope, a maker of wireless automotive technologies. "There is going to be more information shared" on vulnerabilities in cars and medical devices, she says.

The DMCA exemptions are available for a two-year period, after which the Copyright Office will review them to see if they need to be extended. They were originally passed last October, but go into effect only now.

Exemptions currently apply to a relatively broad range of technologies including video games, DVDs, BluRays, cell phones, and tablets. But most significant from the security community’s perspective are new exemptions for vulnerability research on medical devices and cars.

The Electronic Frontier Foundation (EFF), which has been among the many organizations vigorously campaigning for the changes, predicted the exemptions would promote security, innovation, and competition in these sectors. The rights group, however, was sharply critical of the length of time it took for the exemptions to become available, saying these changes were needed because of a “fundamentally flawed law that forbids users from breaking DRM, even if the purpose is a clearly lawful fair use.”

The Copyright Office’s new exemptions apply to Section 1201 of the DMCA, a controversial provision in the statute that prohibits people from breaking Digital Rights Management (DRM) controls to access copyright protected material.

Under DMCA, such circumvention is defined as any action taken to "descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner."

It applies even when the legitimate owner of a DVD, for instance, attempts to override the protections on it to copy music or movies.

Indeed, the creators of the legislation originally intended for it to deter people from precisely such actions, says Anatrope's Rad.

But in recent years, some companies including car manufacturers and medical device-makers began holding the DMCA provision over security researchers looking for vulnerabilities in their products. Rather than making their technologies more secure, many began wielding DMCA as a weapon against white-hat hacking, she says.

The new exemptions for vehicles and medical devices remove the legal uncertainty associated with section 1201 and finally allow security researchers to publicly talk about and share details of their vulnerability research.

But there are some important caveats. The new exemptions, for instance, allow vehicle owners to circumvent Digital Rights Management (DRM) protections to access various electronic control units in their vehicle for repair purposes. But they exclude breaking protections in control units related to vehicle telematics and entertainment systems. The exemptions are also only available for land vehicles, and only to the legitimate owner of the vehicle: any vulnerability research a researcher performs has to be on a personally owned vehicle.

"Reverse engineering and modifying software for security research purposes is something that's going to happen, DMCA exemption or not," says Cory Thuen, senior security consultant with IOActive. "With an exemption we now have the good guys doing it too, which is important for advancing cybersecurity as a whole."

In granting the exemptions, the Copyright Office overrode concerns expressed by opponents of the changes, which included the Auto Alliance, Global Automakers, GM, John Deere, BSA, the Intellectual Property Owners Association, and the National Association of Manufacturers.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.