White hat hackers can breathe a little easier for the next two years because of a temporary removal of restrictions imposed on hacking of everything from cars and medical devices to smart home appliances.
Last week the U.S. Copyright Office temporarily removed certain restrictions imposed by the Digital Millennium Copyright Act (DMCA) that had long prevented researchers from circumventing protections, such as encryption, that restricted access to copyright protected material.
The move was met with applause by the research community that has long argued more cooperation is needed between device manufacturers and researchers.
“Obviously, adversaries don’t abide by regulations, so their ability to reverse engineer and figure out how to get into a device and find ways to exfiltrate data has been successful,” said Anthony James, CMO with research firm TrapX. “In terms of opening up new opportunities for researchers, this is only good for the industry,” James said. “As an industry we wait for an attacker to exploit a vulnerability that they have the time, resources and energy to discover. This allows researchers to be more proactive when it comes to building defenses.”
The exemption lifts the longstanding “prohibition against circumvention of technological measures that effectively control access to copyrighted works,” according to the U.S. Copyright Office and Library of Congress exemption of the DMCA Section 1201 issued on Oct. 28.
The exemption applies to a wide range of research including automobiles, medical devices and consumer IoT devices and also allows the sharing of research data without fear of being sued.
That said, there are still restrictions on how far the research can go. For example, researchers can reverse engineer medical devices, but are restricted from accessing the Internet services used by those devices. Researchers can also tinker with a variety of IoT devices, but are restricted from accessing a computer they don’t own. The exemption allows car hacking, but excludes breaking protections related to vehicle telematics and entertainment systems.
In addition, researchers also face “good-faith” restrictions; if deemed in violation of them, researchers could still face prosecution under the Computer Fraud and Abuse Act, said Craig Young, a researcher at Tripwire.
“There are still some restrictions that give me pause,” Young said. “However, from the perspective of a researcher, it’s a good step forward. But whether it’s gone far enough is the question.”
He said even with these exemptions, researchers walk a fine legal line. “There are still some legal gray areas that exist. Maybe it’s a tool for breaking the encryption on a firmware installation in a car or medical device or a tool for analyzing the traffic that goes through the CAN bus of a car.”
The exemption to DMCA’s Section 1201, despite its flaws, said the Electronic Frontier Foundation, “will promote security, innovation, and competition – and also help the next generation of engineers continue to learn by taking their devices apart to see how they work.”
“Reverse engineering and modifying software for security research purposes is something that’s going to happen, DMCA exemption or not,” said Corey Thuen, senior security consultant with IOActive. “With an exemption we now have the good guys doing it too, which is important for advancing cybersecurity as a whole.”
Thuen said the exemptions would help projects such as the Open Garages vehicle research labs thrive. “Supporting the end-users’ ability to modify and alter their car is an interesting development in the ongoing conflict of ‘owning’ software vs ‘licensing’ software,” he said.
The rule change met resistance from several companies and industry trade associations such as the Auto Alliance, Global Automakers, GM, John Deere, The Software Alliance, Intellectual Property Owners Association, and the National Association of Manufacturers. The exemptions are set to expire after two years, after which there will be a comment period for stakeholders to argue for an extension of the exemption to DMCA’s Section 1201.