A recent decision by the US Copyright Office to temporarily remove certain restrictions in the Digital Millennium Copyright Act (DMCA) paves the way for security researchers to look for vulnerabilities in connected cars and medical devices without fear of legal repercussions.
The Copyright Office on Oct. 27 issued a set of long-awaited rules governing the circumvention of technological measures, such as encryption, that control access to copyright protected material under the DMCA. The rules grant new exemptions for such circumvention as long as it is done in good faith and complies with relevant fair-use requirements.
"I have seen so many presentations at conferences pulled because of DMCA liability concerns. This is going to embolden a lot of people to do research," says Tiffany Rad, a legal expert and co-founder of Anatrope, a maker of wireless automotive technologies. "There is going to be more information shared" on vulnerabilities in cars and medical devices, she says.
The DMCA exemptions are available for a two-year period, after which the Copyright Office will review them to see if they need to be extended. They were originally passed last October, but go into effect only now.
Exemptions currently apply to a relatively broad range of technologies including video games, DVDs, Blu-rays, cell phones, and tablets. But most significant from the security community’s perspective are new exemptions for vulnerability research on medical devices and cars.
The Electronic Frontier Foundation (EFF), which has been among the many organizations vigorously campaigning for the changes, predicted the exemptions would promote security, innovation, and competition in these sectors. The rights group, however, was sharply critical of the length of time it took for the exemptions to become available, saying these changes were needed because of a “fundamentally flawed law that forbids users from breaking DRM, even if the purpose is a clearly lawful fair use.”
The Copyright Office’s new exemptions apply to Section 1201 of the DMCA, a controversial provision in the statute that prohibits people from breaking Digital Rights Management (DRM) controls to access copyright protected material.
Under DMCA, such circumvention is defined as any action taken to "descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner."
It applies even when the legitimate owner of a device such as a DVD, for instance, attempts to override the protections on it to copy music or movies.
Indeed, the creators of the legislation originally intended for it to deter people from precisely such actions, says Anatrope's Rad.
But in recent years, some companies including car manufacturers and medical device-makers began holding the DMCA provision over security researchers looking for vulnerabilities in their products. Rather than making their technologies more secure, many began wielding DMCA as a weapon against white-hat hacking, she says.
The new exemptions for vehicles and medical devices remove the legal uncertainty associated with section 1201 and finally allow security researchers to publicly talk about and share details of their vulnerability research.
But there are some important caveats. The new exemptions, for instance, allow vehicle owners to circumvent Digital Rights Management (DRM) protections to access various electronic control units in their vehicle for repair purposes. But they exclude breaking protections in control units related to vehicle telematics and entertainment systems. The exemptions are also only available for land vehicles, and only to the legitimate owner of the vehicle. Any vulnerability research that a researcher performs has to be on a personally owned vehicle.
"Reverse engineering and modifying software for security research purposes is something that's going to happen, DMCA exemption or not," says Cory Thuen, senior security consultant with IOActive. "With an exemption we now have the good guys doing it too, which is important for advancing cybersecurity as a whole."
In granting the exemptions, the Copyright Office overturned concerns expressed by opponents of the changes, which included the Auto Alliance, Global Automakers, GM, John Deere, BSA, Intellectual Property Owners Association, and the National Association of Manufacturers.