The latest car hacking research from Charlie Miller and Chris Valasek has elicited a broad spectrum of reactions: admiration for the skill; outrage at the danger the demo may have put drivers in; and even a patch from an automaker. And the EFF is hoping it might also help produce a new exemption to the Digital Millennium Copyright Act, the bane of many security researchers.
The DMCA, enacted in 1998, was meant to help prevent piracy and copyright infringement, especially infringement carried out by circumventing access controls, DRM, and other technologies. The law was lauded by publishers, music labels, and movie studios as a key to protecting their content in the digital age. But the DMCA also has been used in many cases to threaten security researchers and prevent research from being published.
One of the more notorious cases in this vein was the threat by the Recording Industry Association of America against Princeton professor Ed Felten in 2001. Felten was planning to present results of his team’s work from a public contest to defeat the copy protection technology developed by the Secure Digital Music Initiative. Felten’s team successfully defeated the SDMI, and before he was to present the findings at a conference, the RIAA and SDMI threatened him with action under the DMCA because the DRM system was being used commercially. Felten didn’t give the talk but later delivered the findings at a different conference.
The EFF, which helped Felten sue the RIAA after this episode, has been working on DMCA issues for more than 15 years, and earlier this year its lawyers sought an exemption from the law for legitimate security research on vehicles.
“This proposed class would allow circumvention of TPMs protecting computer programs that control the functioning of a motorized land vehicle for the purpose of researching the security or safety of such vehicles. Under the exemption as proposed, circumvention would be allowed when undertaken by or on behalf of the lawful owner of the vehicle,” the agenda for the meeting when it was proposed in May says.
Now, the EFF is hopeful that the demonstration of risk to consumers shown by Miller and Valasek’s new research could help the exemption’s cause. A final rule is due in the autumn.
“Vehicle manufacturers dismissed prior warnings about flawed security by claiming that the exploits relied on physical access to the car. But it has long been known that vehicles’ wireless systems (such as Bluetooth) contain vulnerabilities that would allow a malicious hacker to gain access to critical vehicle functions,” Kit Walsh, a staff attorney at the EFF, said.
The research Miller and Valasek released this week demonstrated an exploit against a vulnerability in the Uconnect computer in some Jeep vehicles. The researchers showed that they could exploit the bug remotely and eventually take control of some of the vehicle’s key systems, including its transmission and other controls.