White Hat Hackers Fight For Legal Reform

Security researchers petition to update digital intellectual property and copyright protection laws that limit their work in finding and revealing security bugs.

Billy Rios has discovered major security holes in TSA passenger-screening equipment at US airport checkpoints as well as in medical equipment, and often shares his findings with the US Department of Homeland Security and the Food and Drug Administration. But Rios almost always faces the affected product vendor's general counsel in a delicate legal dance that serves as a chilling reminder of the looming legal risks security researchers face just for doing their jobs.

"Legal is always on the table… This stuff happens all the time, more than people realize, behind the scenes," says Rios, who is director of threat intelligence at Qualys. "A lot of times researchers put themselves at risk as an individual" when they disclose their findings, he says.

The legal risks for good-faith hackers probing increasingly networked and vulnerable consumer products are intensifying. The Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA) leave security research in a legal gray area, and companies in the consumer space that traditionally have had little or no interaction with security researchers often don't understand the difference between a good-faith researcher and a criminal one.

"You don't want researchers to be prosecuted as if they were a hacker using exploits to exploit companies or networks or to steal IP [intellectual property]. These are two totally different things," Rios says. "The legislation we have, or the regulatory body that takes a look at this, needs to understand that. Right now, the way a lot of these laws are [written and interpreted], there's no distinction."

Jay Radcliffe, a security researcher who has found security weaknesses in insulin pumps, had to curb his research for fear of legal action. Radcliffe says he was advised to steer clear of the firmware and operating system of embedded devices when he first began digging into the security of his own Medtronic insulin pump. Radcliffe, who is a diabetic, initially went to the Electronic Frontier Foundation (EFF) for legal advice while hacking the device as an independent researcher and was told he could only go so far without facing possible legal problems. "They [the EFF] said there are some things in the DMCA that could [send me] to jail" if I investigated them, says Radcliffe, who joined Rapid7 this summer as a senior security consultant. "So I said I'm not going to look at any of that."

He focused his white-hat hacking instead on weaknesses in wireless access to the pumps. "So I only had about 30% of the attack surface that I was able to do research on," he says.

Radcliffe, who says he has been threatened with legal action before, and his company Rapid7 are part of a group of security researchers and supporters who are now petitioning the White House for reforms to the DMCA and the CFAA. The security researchers in their petition are calling for solid legal protection so they can more effectively and thoroughly find security weaknesses in consumer devices and systems.

"While responsible companies cooperate with the technical community and the public to improve the safety of code, others do not. They instead try to prevent researchers and others from sharing safety research, threatening criminal and civil actions under the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act," the petition reads in part. "Reform the DMCA and CFAA to unlock and encourage research about potentially dangerous safety and security weaknesses in software."

Andrea Matwyshyn, a law professor and cyber safety advocate who helped craft the petition, says that, as with any technology policy issue, reform will require a long-term conversation with legislators and regulators. "It's not going to be a quick fix," Matwyshyn says. In the near term, the coalition hopes to advance regulatory change through the DMCA's exemption process. "That's one avenue where perhaps things could be clarified and improved and recalibrated to balance consumer and IP" protections, she says.

"More long-term, a statutory fix by Congress is another way to address this. There are many ways to improve this situation to give researchers greater certainty. Whether it's path one or path two isn't as important as the end result: to have a climate that's researcher-friendly," so that, for example, consumers have better access to information about the security and safety of the products they buy or use.

Researchers sometimes are forced to dial back their research for fear of legal ramifications. "One of the reasons you don't see a lot of breaking into medical devices and the power grid… because there are armies of lawyers and the risk is too great. It's slowed down research and had a chilling effect," Radcliffe says.

But the stakes have never been higher for finding security flaws before the bad guys do, as consumer products with public safety ramifications are increasingly networked: cars, medical devices, TSA checkpoint screening equipment, satellite ground terminal equipment, and home alarm and automation systems. These are the pacemakers, insulin pumps, vehicles, and carry-on baggage scanners that consumers use and depend on every day, yet some of these industries are far more seasoned in cyber security issues than others.

[Public safety issues bubble to the top in security flaw revelations. Read Internet Of Things Security Reaches Tipping Point.]

Not every researcher who reverse-engineers or tests consumer products for security flaws faces actual legal threats, however. Cesar Cerrudo, CTO at IOActive, which has researchers who specialize in car hacking, satellite terminal hacking, and smart traffic systems hacking, says his team hasn't faced any legal hurdles thus far. "Luckily, we haven't had legal threats from vendors. We consult with our legal department before doing anything that could cause problems, but there is always the possibility to get sued, and bad laws or badly interpreted laws can put in jail the wrong people for stupid things," Cerrudo says.

IOActive researchers often struggle to acquire the consumer equipment they want to test, however, he says. "The only limitation we are having is that some devices are very difficult to get, and while we are almost sure they are vulnerable and being used in critical infrastructure, we can't get them," says Cerrudo, who adds that he has not yet studied the details of the petition effort.

Cerrudo and Qualys's Rios say they draw the line at hacking a live production system on the Internet. "Trying to hack systems and devices on production would be crazy and illegal no matter [if] you want to prove it has security issues," Cerrudo says. "At the same time, running an Internet scan or pointing to a security flaw in a website shouldn't be illegal."

No one has ever warned Rios off of any of his research parameters, he says. But he also has set his own boundaries, which comes with tradeoffs: "I have a personal boundary -- not to test that exploit against a live system on the Net or anything like that. But, that leaves a gap in some of my knowledge."

Craig Smith, CEO and founder of Theia Labs, says he is careful when it comes to releasing a hacking tool, especially if it is a personal project that isn't part of his day job. The key, he says, is making clear that the tool is free and is relatively generic, for example a general-purpose car-hacking tool rather than one aimed at a specific vendor's product or feature. Smith has signed the online petition.

"I do a lot of traditional penetration-testing and reversing… on the side," he says. "If I'm not hired for that, I have to be more careful" of the potential for legal action by the affected vendor.

The other issue to weigh as a researcher, he says, is whether it's really worth exposing a flaw if it won't ever get fixed and publicizing it may do more harm to the public than good. "Maybe the [flawed] firmware can't be updated, for example, so what's the appropriate way to deal with this? How can you work with these companies to make it better?"

He says legal threats never stop him from researching a product, but they do at times influence whether he publishes his findings. Companies not well-versed in security research could take the legal route, he says. "The knee-jerk is to come after you. You have to think about that," says Smith, who says he'd like to see the DMCA eliminated altogether someday.

"Piracy is already against the law," he says.

Meanwhile, Rapid7, which has spearheaded the petition, also has formed the Coalition for Security Research to promote security research amid the explosion of the Internet of Things and connected consumer products. "The mission of the Coalition for Security Research is to protect and promote security research to make businesses and individuals safer," a summary of the group says. Rapid7 is reaching out for members to join the group.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Marilyn Cohodas, 10/22/2014 | 8:59:14 AM
Re: Long-term conversation with legislators & regulators
I can't argue with the fact that this is a critically important national conversation to have. Probably an international conversation...  Have to applaud the white-hatters for beating the drums about it.
Kelly Jackson Higgins, 10/22/2014 | 8:54:48 AM
Re: Long-term conversation with legislators & regulators
My first question about this initiative was "This Congress? Are you kidding me?" But it's really more about keeping the conversation going, educating these industries that have no clue about security research, and hopefully getting consumers more information about the products they are buying and the safety implications of vulnerable software in their cars, etc. I like Billy Rios' perspective about the importance of researchers working with the corresponding fed agencies like DHS and FDA where applicable.
Marilyn Cohodas, 10/22/2014 | 7:53:47 AM
Long-term conversation with legislators & regulators
Sadly, given the gridlock in Washington, it's hard to imagine a thoughtful conversation about reform giving white hat hackers the freedom to do their work and ensure the safety of the IoT. That, and the anti-regulatory lobbyists who work for the product manufacturers.
Anonymous commenter, 10/21/2014 | 7:01:59 PM
White Hat Police Academy
I've heard it suggested before when legal types were part of this conversation that potentially white hat needs to fall under law enforcement, or similar agencies.  In other words, if you want to work in the field of computer security and do penetration testing and combative hacking, you'll be protected but under the umbrella of the LAPD or FBI, for example.  Amusing, considering some of the more talented cyber security specialists out there are kids.  Of course, being associated with such organizations should provide that extra amount of protection white hatters are calling for, right?  Well, maybe not.  How many fully justified shootings have we seen ruin the career of both peace and police officers?  And, with all the political and economic pressure applied daily to these agencies, who can say when a scapegoat is needed when that really bad exploit is revealed that these agencies can't have anyone else know about?  

Another bill, then?  Well, search away on the Library of Congress website under Bills and Resolutions.  There are plenty of stalled bills out there with keywords like "penetration" "cybersecurity" "hacker" and so forth; many intending to redefine the ecosystem and what happens in it.  But the keyword here is "stalled".  Hell could freeze over before we get the protection and standards being asked for.  What, then?  Well, the industry could pull together and up the game; improve technology and keep some of that tech under wraps, as best it can.  White hatters can start thinking a little more gray, even black, and start covering tracks a little better; write less papers, and deliver exploits anonymously.

Ultimately, this is going to be a long battle.  The force and tactics needed for white hatters to do good work and beat cyber criminals at their own game might always be on the gray side of legal, no matter how laws are adjusted.  And once we start adjusting those laws, who's to say the black hatters don't just benefit a little themselves from it...