Car hackers and jailbreakers today apparently got a green light from the Librarian of Congress David Mao to tinker away.
The Library of Congress’ triennial exemptions to the anti-circumvention rules within the Digital Millennium Copyright Act (DMCA) were released today, and among the exemptions to section 1201 of the DMCA are allowances for “good-faith” testing of vehicular computer systems for the identification and correction of vulnerabilities.
“The proponents of these security exemptions observed as a general matter that computer programs are pervasive in modern machines and devices, including vehicles, home appliances and medical devices, and that independent security research is necessary to uncover flaws in those computer programs,” the rule reads.
This summer, prior to the Black Hat conference, researchers Charlie Miller and Chris Valasek demonstrated remotely exploitable vulnerabilities in the Uconnect software on Fiat Chrysler Jeeps that affected critical vehicle systems. The automaker quickly recalled 1.4 million Jeeps, and the research kicked off legislative debate about the legality of such work.
Today’s ruling opens the door for further research, but only a year after the regulation is signed into law.
“I don’t know if the manufacturers will attempt to challenge the rulemaking; certainly they shouldn’t as the harms they claim to fear are nothing more than unfounded speculation and at any rate have nothing to do with copyright,” said Corynne McSherry, legal director of the Electronic Frontier Foundation, which filed the request. “The yearlong delay is supposedly intended to allow other government agencies to prepare, but it’s nonsensical. Researchers and car owners need an exemption now, not later.”
Miller and Valasek, both of whom have since joined Uber’s security team, have been known for their groundbreaking research into vehicle computer security. Two years ago at Black Hat, the duo demonstrated an attack from inside the vehicle that accessed braking and acceleration systems. This year, they were able to attack the vehicles remotely.
However, prior to today, section 1201 prohibited manipulation of access controls on such software, paving the way to potential legal action from carmakers, for example. The exemption allows researchers to access the technological protection method, or TPM, on behalf of the vehicle’s owner.
“This is an important step, but the various limitations and caveats really highlight the need for fundamental reform,” McSherry said.
The EFF’s petition to renew a previous exemption to jailbreak smartphones was also approved, and extended to tablets and smartwatches.
“This clarifies the law around jailbreaking, making clear that users are allowed to run operating systems and applications from any source, not just those approved by the manufacturer,” the EFF wrote in a blog post. “Today’s ruling is a victory for users, artists, and researchers. However, the laborious process required to remove a legal cloud over clear fair uses highlights the need for fundamental reforms.”