White Hat Hackers Fight For Legal Reform

Security researchers petition to update digital intellectual property and copyright protection laws that limit their work in finding and revealing security bugs.

Billy Rios has discovered major security holes in TSA passenger-screening equipment at US airport checkpoints as well as in medical equipment, and often shares his findings with the US Department of Homeland Security and the Food and Drug Administration. But Rios almost always faces the affected product vendor's general counsel in a delicate legal dance that serves as a chilling reminder of the looming legal risks security researchers face just for doing their jobs.

"Legal is always on the table… This stuff happens all the time, more than people realize, behind the scenes," says Rios, who is director of threat intelligence at Qualys. "A lot of times researchers put themselves at risk as an individual" when they disclose their findings, he says.

The legal implications of good hackers hacking into increasingly networked and vulnerable consumer products are intensifying. The Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA) leave much security research in a legal gray area, and companies in the consumer space that traditionally have had little or no interaction with security researchers often don't understand the difference between a good hacker and a nefarious one.

"You don't want researchers to be prosecuted as if they were a hacker using exploits to exploit companies or networks or to steal IP [intellectual property]. These are two totally different things," Rios says. "The legislation we have, or the regulatory body that takes a look at this, needs to understand that. Right now, the way a lot of these laws are [written and interpreted], there's no distinction."

Jay Radcliffe, a security researcher who has found security weaknesses in insulin pumps, had to curb his research for fear of legal action. Radcliffe says he was advised to steer clear of the firmware and operating system of embedded devices when he first began digging into the security of his own Medtronic insulin pump. Radcliffe, who is a diabetic, initially went to the Electronic Frontier Foundation (EFF) for some legal advice while hacking the device as an independent researcher and was told he could only go so far without facing possible legal problems. "They [the EFF] said there are some things in the DMCA that could [send me] to jail" if I investigated them, says Radcliffe, who joined Rapid7 this summer as a senior security consultant. "So I said I'm not going to look at any of that."

He focused his white-hat hacking instead on weaknesses in wireless access to the pumps. "So I only had about 30% of the attack surface that I was able to do research on," he says.

Radcliffe, who says he has been threatened with legal action before, and his company Rapid7 are part of a group of security researchers and supporters who are now petitioning the White House for reforms to the DMCA and the CFAA. The security researchers in their petition are calling for solid legal protection so they can more effectively and thoroughly find security weaknesses in consumer devices and systems.

"While responsible companies cooperate with the technical community and the public to improve the safety of code, others do not. They instead try to prevent researchers and others from sharing safety research, threatening criminal and civil actions under the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act," the petition reads in part. "Reform the DMCA and CFAA to unlock and encourage research about potentially dangerous safety and security weaknesses in software."

Andrea Matwyshyn, a law professor and advocate for cyber safety who helped craft the petition, says that, as with any technology policy issue, it will require a long-term conversation and dialogue with legislators and regulators. "It's not going to be a quick fix," Matwyshyn says. The coalition hopes to help advance regulatory changes, namely through the exemption provisions of the DMCA. "That's one avenue where perhaps things could be clarified and improved and recalibrated to balance consumer and IP" protections, she says.

"More long-term, a statutory fix by Congress is another way to address this. There are many ways to improve this situation to give researchers greater certainty. Whether it's path one or path two isn't as important as the end result is: to have a climate that's researcher-friendly" so consumers have better access to information about the security and safety of products they buy or use, for example.

Researchers sometimes are forced to dial back their research for fear of legal ramifications. "One of the reasons you don't see a lot of breaking into medical devices and the power grid… because there are armies of lawyers and the risk is too great. It's slowed down research and had a chilling effect," Radcliffe says.

But the stakes have never been higher for finding security flaws before the bad guys do, as consumer products with public safety ramifications are increasingly networked -- cars, medical devices, TSA checkpoint screening equipment, satellite ground terminal equipment, and home alarm and automation systems. Those are the pacemakers, insulin pumps, vehicles, and carry-on baggage scanners that consumers use and operate, but some of these consumer industries are more seasoned in cyber security issues than others, and not all companies understand the difference between a white-hat and a black-hat hacker.

[Public safety issues bubble to the top in security flaw revelations. Read Internet Of Things Security Reaches Tipping Point.]

Not every researcher who reverse-engineers or tests consumer products for security flaws faces actual legal threats, however. Cesar Cerrudo, CTO at IOActive, which has researchers who specialize in car hacking, satellite terminal hacking, and smart traffic systems hacking, says his team hasn't faced any legal hurdles thus far. "Luckily, we haven't had legal threats from vendors. We consult with our legal department before doing anything that could cause problems, but there is always the possibility to get sued, and bad laws or badly interpreted laws can put in jail the wrong people for stupid things," Cerrudo says.

IOActive researchers often struggle to acquire the consumer equipment they want to test, however, he says. "The only limitation we are having is that some devices are very difficult to get, and while we are almost sure they are vulnerable and being used in critical infrastructure, we can't get them," says Cerrudo, who adds that he has not yet studied the details of the petition effort.

Cerrudo and Qualys's Rios say they draw the line at hacking a live production system on the Internet. "Trying to hack systems and devices on production would be crazy and illegal no matter [if] you want to prove it has security issues," Cerrudo says. "At the same time, running an Internet scan or pointing to a security flaw in a website shouldn't be illegal."

No one has ever warned Rios off of any of his research parameters, he says. But he also has set his own boundaries, which comes with tradeoffs: "I have a personal boundary -- not to test that exploit against a live system on the Net or anything like that. But, that leaves a gap in some of my knowledge."

Craig Smith, CEO and founder of Theia Labs, says he is careful when it comes to releasing a hacking tool, especially if it's a personal project he's working on that isn't part of his day job. The key is making it clear that the tool is free and relatively generic rather than aimed at a specific vendor's car or other product feature, for example, says Smith, who has signed the online petition.

"I do a lot of traditional penetration-testing and reversing… on the side," he says. "If I'm not hired for that, I have to be more careful" of the potential for legal action by the affected vendor.

The other issue to weigh as a researcher, he says, is whether it's really worth exposing a flaw if it won't ever get fixed and publicizing it may do more harm to the public than good. "Maybe the [flawed] firmware can't be updated, for example, so what's the appropriate way to deal with this? How can you work with these companies to make it better?"

He says legal threats don't ever stop him from researching a product, but they do at times influence whether he publishes his findings. Companies not well-versed in security research could take the legal route, he says. "The knee-jerk is to come after you. You have to think about that," says Smith, who says he'd like to see the DMCA eliminated altogether someday.

"Piracy is already against the law," he says.

Meanwhile, Rapid7, which has spearheaded the petition, also has formed the Coalition for Security Research to promote security research amid the explosion of the Internet of Things and connected consumer products. "The mission of the Coalition for Security Research is to protect and promote security research to make businesses and individuals safer," a summary of the group says. Rapid7 is reaching out for members to join the group.

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
10/21/2014 | 7:01:59 PM
White Hat Police Academy
I've heard it suggested before when legal types were part of this conversation that potentially white hat needs to fall under law enforcement, or similar agencies.  In other words, if you want to work in the field of computer security and do penetration testing and combative hacking, you'll be protected but under the umbrella of the LAPD or FBI, for example.  Amusing, considering some of the more talented cyber security specialists out there are kids.  Of course, being associated with such organizations should provide that extra amount of protection white hatters are calling for, right?  Well, maybe not.  How many fully justified shootings have we seen ruin the career of both peace and police officers?  And, with all the political and economic pressure applied daily to these agencies, who can say when a scapegoat is needed when that really bad exploit is revealed that these agencies can't have anyone else know about?  

Another bill, then?  Well, search away on the Library of Congress website under Bills and Resolutions.  There are plenty of stalled bills out there with keywords like "penetration," "cybersecurity," "hacker" and so forth; many intending to redefine the ecosystem and what happens in it.  But the keyword here is "stalled."  Hell could freeze over before we get the protection and standards being asked for.  What, then?  Well, the industry could pull together and up the game; improve technology and keep some of that tech under wraps, as best it can.  White hatters can start thinking a little more gray, even black, and start covering tracks a little better; write fewer papers, and deliver exploits anonymously.

Ultimately, this is going to be a long battle.  The force and tactics needed for white hatters to do good work and beat cyber criminals at their own game might always be on the gray side of legal, no matter how laws are adjusted.  And once we start adjusting those laws, who's to say the black hatters don't just benefit a little themselves from it...



Marilyn Cohodas
User Rank: Strategist
10/22/2014 | 7:53:47 AM
Long-term conversation with legislators & regulators
Sadly, given the gridlock in Washington, it's hard to imagine a thoughtful conversation about reform giving white hat hackers the freedom to do their work and ensure the safety of the IoT. That, and the anti-regulatory lobbyists who work for the product manufacturers.
Kelly Jackson Higgins
User Rank: Strategist
10/22/2014 | 8:54:48 AM
Re: Long-term conversation with legislators & regulators
My first question about this initiative was "This Congress? Are you kidding me?" But it's really more about keeping the conversation going, educating these industries that have no clue about security research, and hopefully getting consumers more information about the products they are buying and the safety implications of vulnerable software in their cars, etc. I like Billy Rios' perspective about the importance of researchers working with the corresponding fed agencies like DHS and FDA where applicable.
Marilyn Cohodas
User Rank: Strategist
10/22/2014 | 8:59:09 AM
Re: Long-term conversation with legislators & regulators
I can't argue with the fact that this is a critically important national conversation to have. Probably an international conversation...  Have to applaud the white-hatters for beating the drums about it.