
11/2/2016
05:50 PM

New DMCA Exemptions Give White Hats License To Hack Cars, Medical Devices

But there are important caveats to the new Digital Millennium Copyright Act rules.

A recent decision by the US Copyright Office to temporarily remove certain restrictions in the Digital Millennium Copyright Act (DMCA) paves the way for security researchers to look for vulnerabilities in connected cars and medical devices without fear of legal repercussions.

The Copyright Office on Oct. 27 issued a set of long-awaited rules governing the circumvention of technological measures, such as encryption, that control access to copyright protected material under the DMCA. The rules grant new exemptions for such circumvention as long as it is done in good faith and complies with relevant fair-use requirements.

"I have seen so many presentations at conferences pulled because of DMCA liability concerns. This is going to embolden a lot of people to do research," says Tiffany Rad, a legal expert and co-founder of Anatrope, a maker of wireless automotive technologies. "There is going to be more information shared" on vulnerabilities in cars and medical devices, she says.

The DMCA exemptions are available for a two-year period, after which the Copyright Office will review them to see if they need to be extended. They were originally passed last October, but go into effect only now.

Exemptions currently apply to a relatively broad range of technologies including video games, DVDs, BluRays, cell phones, and tablets. But most significant from the security community’s perspective are new exemptions for vulnerability research on medical devices and cars.

The Electronic Frontier Foundation (EFF), which has been among the many organizations vigorously campaigning for the changes, predicted the exemptions would promote security, innovation, and competition in these sectors. The rights group, however, was sharply critical of the length of time it took for the exemptions to become available, saying these changes were needed because of a “fundamentally flawed law that forbids users from breaking DRM, even if the purpose is a clearly lawful fair use.”

The Copyright Office’s new exemptions apply to Section 1201 of the DMCA, a controversial provision in the statute that prohibits people from breaking Digital Rights Management (DRM) controls to access copyright protected material.

Under DMCA, such circumvention is defined as any action taken to "descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner."

It applies even when the legitimate owner of a device such as a DVD, for instance, attempts to override the protections on it to copy music or movies.

Indeed, the creators of the legislation originally intended for it to deter people from precisely such actions, says Anatrope's Rad.

But in recent years, some companies including car manufacturers and medical device-makers began holding the DMCA provision over security researchers looking for vulnerabilities in their products. Rather than making their technologies more secure, many began wielding DMCA as a weapon against white-hat hacking, she says.

The new exemptions for vehicles and medical devices remove the legal uncertainty associated with section 1201 and finally allow security researchers to publicly talk about and share details of their vulnerability research.

But there are some important caveats. The new exemptions, for instance, allow vehicle owners to circumvent Digital Rights Management (DRM) protections to access various electronic control units in their vehicle for repair purposes. But they exclude breaking protections in control units related to vehicle telematics and entertainment systems. The exemptions are also available only for land vehicles, and only to the legitimate owner of the vehicle. Any vulnerability research that a researcher performs has to be on a personally owned vehicle.

"Reverse engineering and modifying software for security research purposes is something that's going to happen, DMCA exemption or not," says Cory Thuen, senior security consultant with IOActive. "With an exemption we now have the good guys doing it too, which is important for advancing cybersecurity as a whole."

In granting the exemptions, the Copyright Office overturned concerns expressed by opponents of the changes, which included the Auto Alliance, Global Automakers, GM, John Deere, BSA, Intellectual Property Owners Association, and the National Association of Manufacturers.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 
