White Hat Hackers Fight For Legal Reform

Security researchers petition to update digital intellectual property and copyright protection laws that limit their work in finding and revealing security bugs.

Billy Rios has discovered major security holes in TSA passenger-screening equipment at US airport checkpoints as well as in medical equipment, and often shares his findings with the US Department of Homeland Security and the Food and Drug Administration. But Rios almost always faces the affected product vendor's general counsel in a delicate legal dance that serves as a chilling reminder of the looming legal risks security researchers face just for doing their jobs.

"Legal is always on the table… This stuff happens all the time, more than people realize, behind the scenes," says Rios, who is director of threat intelligence at Qualys. "A lot of times researchers put themselves at risk as an individual" when they disclose their findings, he says.

The legal implications of good hackers hacking into increasingly networked and vulnerable consumer products are intensifying. The Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA) often pose a gray area for security research, and companies in the consumer space that traditionally have had little or no interaction with security researchers often don't understand the difference between a good hacker and a nefarious one.

"You don't want researchers to be prosecuted as if they were a hacker using exploits to exploit companies or networks or to steal IP [intellectual property]. These are two totally different things," Rios says. "The legislation we have, or the regulatory body that takes a look at this, needs to understand that. Right now, the way a lot of these laws are [written and interpreted], there's no distinction."

Jay Radcliffe, a security researcher who has found security weaknesses in insulin pumps, had to curb his research for fear of legal action. Radcliffe says he was advised to steer clear of the firmware and operating system of embedded devices when he first began digging into the security of his own Medtronic insulin pump. Radcliffe, who is a diabetic, initially went to the Electronic Frontier Foundation (EFF) for some legal advice while hacking the device as an independent researcher and was told he could only go so far without facing possible legal problems. "They [the EFF] said there are some things in the DMCA that could [send me] to jail" if I investigated them, says Radcliffe, who joined Rapid7 this summer as a senior security consultant. "So I said I'm not going to look at any of that."

He focused his white-hat hacking instead on weaknesses in wireless access to the pumps. "So I only had about 30% of the attack surface that I was able to do research on," he says.

Radcliffe, who says he has been threatened with legal action before, and his company Rapid7 are part of a group of security researchers and supporters who are now petitioning the White House for reforms to the DMCA and the CFAA. The security researchers in their petition are calling for solid legal protection so they can more effectively and thoroughly find security weaknesses in consumer devices and systems.

"While responsible companies cooperate with the technical community and the public to improve the safety of code, others do not. They instead try to prevent researchers and others from sharing safety research, threatening criminal and civil actions under the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act," the petition reads in part. "Reform the DMCA and CFAA to unlock and encourage research about potentially dangerous safety and security weaknesses in software."

Andrea Matwyshyn, a law professor and advocate for cyber safety who helped craft the petition, says that, as with any technology policy issue, it will require a long-term conversation and dialogue with legislators and regulators. "It's not going to be a quick fix," Matwyshyn says. The coalition hopes to help advance regulatory changes, namely under an exemption section of the DMCA. "That's one avenue where perhaps things could be clarified and improved and recalibrated to balance consumer and IP" protections, she says.

"More long-term, a statutory fix by Congress is another way to address this. There are many ways to improve this situation to give researchers greater certainty. Whether it's path one or path two isn't as important as the end result: to have a climate that's researcher-friendly" so consumers have better access to information about the security and safety of products they buy or use, for example.

Researchers sometimes are forced to dial back their research for fear of legal ramifications. "One of the reasons you don't see a lot of breaking into medical devices and the power grid… because there are armies of lawyers and the risk is too great. It's slowed down research and had a chilling effect," Radcliffe says.

But the stakes have never been higher for finding security flaws before the bad guys do, as consumer products with public safety ramifications are increasingly networked -- cars, medical devices, TSA checkpoint screening equipment, satellite ground terminal equipment, and home alarm and automation systems. Those are the pacemakers, insulin pumps, vehicles, and carry-on baggage scanners that consumers use and operate, but some of these consumer industries are more seasoned in cyber security issues than others, and not all companies understand the difference between a white-hat and a black-hat hacker.


Not every researcher who reverse-engineers or tests consumer products for security flaws faces actual legal threats, however. Cesar Cerrudo, CTO at IOActive, which has researchers who specialize in car hacking, satellite terminal hacking, and smart traffic systems hacking, says his team hasn't faced any legal hurdles thus far. "Luckily, we haven't had legal threats from vendors. We consult with our legal department before doing anything that could cause problems, but there is always the possibility to get sued, and bad laws or badly interpreted laws can put in jail the wrong people for stupid things," Cerrudo says.

IOActive researchers often struggle to acquire the consumer equipment they want to test, however, he says. "The only limitation we are having is that some devices are very difficult to get, and while we are almost sure they are vulnerable and being used in critical infrastructure, we can't get them," says Cerrudo, who adds that he has not yet studied the details of the petition effort.

Cerrudo and Qualys's Rios say they draw the line at hacking a live production system on the Internet. "Trying to hack systems and devices on production would be crazy and illegal no matter [if] you want to prove it has security issues," Cerrudo says. "At the same time, running an Internet scan or pointing to a security flaw in a website shouldn't be illegal."

No one has ever warned Rios off of any of his research parameters, he says. But he also has set his own boundaries, which comes with tradeoffs: "I have a personal boundary -- not to test that exploit against a live system on the Net or anything like that. But, that leaves a gap in some of my knowledge."

Craig Smith, CEO and founder of Theia Labs, says he is careful when it comes to releasing a hacking tool -- especially if it's a personal project he's working on that isn't part of his day job. The key is making it clear the tool is a freebie or is relatively generic when it comes to hacking a car or other feature, for example, says Smith, who has signed the online petition.

"I do a lot of traditional penetration-testing and reversing… on the side," he says. "If I'm not hired for that, I have to be more careful" of the potential for legal action by the affected vendor.

The other issue to weigh as a researcher, he says, is whether it's really worth exposing a flaw if it won't ever get fixed and publicizing it may do more harm to the public than good. "Maybe the [flawed] firmware can't be updated, for example, so what's the appropriate way to deal with this? How can you work with these companies to make it better?"

He says legal threats don't ever stop him from researching a product, but they do at times influence whether he publishes his findings. Companies not well-versed in security research could take the legal route, he says. "The knee-jerk is to come after you. You have to think about that," says Smith, who says he'd like to see the DMCA eliminated altogether someday.

"Piracy is already against the law," he says.

Meanwhile, Rapid7, which has spearheaded the petition, also has formed the Coalition for Security Research to promote security research amid the explosion of the Internet of Things and connected consumer products. "The mission of the Coalition for Security Research is to protect and promote security research to make businesses and individuals safer," a summary of the group says. Rapid7 is reaching out for members to join the group.

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
User Rank: Ninja
10/21/2014 | 7:01:59 PM
White Hat Police Academy
I've heard it suggested before when legal types were part of this conversation that potentially white hat needs to fall under law enforcement, or similar agencies. In other words, if you want to work in the field of computer security and do penetration testing and combative hacking, you'll be protected but under the umbrella of the LAPD or FBI, for example. Amusing, considering some of the more talented cyber security specialists out there are kids. Of course, being associated with such organizations should provide that extra amount of protection white hatters are calling for, right? Well, maybe not. How many fully justified shootings have we seen ruin the career of both peace and police officers? And, with all the political and economic pressure applied daily to these agencies, who can say when a scapegoat is needed when that really bad exploit is revealed that these agencies can't have anyone else know about?

Another bill, then? Well, search away on the Library of Congress website under Bills and Resolutions. There are plenty of stalled bills out there with keywords like "penetration", "cybersecurity", "hacker" and so forth, many intending to redefine the ecosystem and what happens in it. But the keyword here is "stalled". Hell could freeze over before we get the protection and standards being asked for. What, then? Well, the industry could pull together and up the game; improve technology and keep some of that tech under wraps, as best it can. White hatters can start thinking a little more gray, even black, and start covering tracks a little better; write fewer papers, and deliver exploits anonymously.

Ultimately, this is going to be a long battle. The force and tactics needed for white hatters to do good work and beat cyber criminals at their own game might always be on the gray side of legal, no matter how laws are adjusted. And once we start adjusting those laws, who's to say if the black hatters don't just benefit a little themselves from it...

Marilyn Cohodas
User Rank: Strategist
10/22/2014 | 7:53:47 AM
Long-term conversation with legislators & regulators
Sadly, given the gridlock in Washington, it's hard to imagine a thoughtful conversation about reform giving white hat hackers the freedom to do their work and ensure the safety of the IoT. That, and the anti-regulatory lobbyists who work for the product manufacturers.
Kelly Jackson Higgins
User Rank: Strategist
10/22/2014 | 8:54:48 AM
Re: Long-term conversation with legislators & regulators
My first question about this initiative was "This Congress? Are you kidding me?" But it's really more about keeping the conversation going, educating these industries that have no clue about security research, and hopefully getting consumers more information about the products they are buying and the safety implications of vulnerable software in their cars, etc. I like Billy Rios' perspective about the importance of researchers working with the corresponding fed agencies like DHS and FDA where applicable.
Marilyn Cohodas
User Rank: Strategist
10/22/2014 | 8:59:09 AM
Re: Long-term conversation with legislators & regulators
I can't argue with the fact that this is a critically important national conversation to have. Probably an international conversation...  Have to applaud the white-hatters for beating the drums about it.