Nmedia - Fotolia

What effect would DMCA changes have on security researchers?

There's been a lot of controversy around the DMCA, especially because of the Chrysler car hack. Here are the issues with it and how it affects security researchers.

The reported wireless hack of a Jeep Chrysler vehicle by two security researchers raised the question of creating exemptions for the Digital Millennium Copyright Act for exploit research. What is the issue with the DMCA and why would an exemption help security? What implications could this have on security researchers?

The Digital Millennium Copyright Act of 1998 was passed to make U.S. copyright laws fit for the digital age and compliant with the World Intellectual Property Organization Copyright Treaty and the WIPO Performances and Phonograms Treaty. However, Section 1201 of the DMCA, often referred to as the DMCA anti-circumvention provisions, has been a source of some controversy since it went into effect in 2000 because it criminalizes the circumvention of access controls and technical protection measures, whether or not there is actual infringement of copyright itself.

The intention was to stop software pirates from defeating Digital rights management and other content access/copy restrictions on copyrighted works. But like many laws criminalizing the malicious use of technology, it has been fairly ineffective at dissuading the hardened criminal or those based in other countries from pursuing their activities. The people it does discourage are those engaged in genuine research for the benefit of both consumers and copyright owners. There have been various cases where important research has not been published due to fear of prosecution. For example, a Dutch cryptographer who broke Intel's High-bandwidth Digital Content Protection specification did not publish his results because he feared being prosecuted or sued under the DMCA.

A recent demonstration of a wireless car hack, which can control the car's accelerator, kill the engine, engage the brakes and even disable them, has reopened the debate as to whether certain forms of research should be exempted from the DMCA. The researchers found a flaw in a software component the automobile manufacturer Chrysler calls Uconnect, which is an in-vehicle connectivity system that controls the car's navigation and entertainment, enables phone calls and creates a Wi-Fi hotspot. The flaw in Uconnect can clearly be used to endanger life or kill someone and raises not just safety but privacy concerns. The researchers said they could track a car's GPS coordinates and measure its speed, saying that anyone who knows the car's IP address could gain access to the Uconnect system from anywhere in the country.

Their work has certainly pushed vehicle security and privacy legislation into the spotlight with calls for federal standards to secure automobiles and protect drivers' privacy by establishing security standards to protect Internet-connected vehicles from hacking, as well as standards to improve the transparency of how driver data is gathered, transmitted, stored and used. These researchers have been in contact with Chrysler, which has since released a software update for approximately 1.4 million U.S. vehicles to "insulate" them from remote manipulation and block remote access. Should they be at risk of criminal prosecution for undertaking this potentially life-saving research? Time and again, it is independent security researchers who discover software vulnerabilities, not those who are responsible for the software itself. Discovering how to rewrite the car's entertainment system hardware chip took researchers Miller and Valasek months. Would that level of analysis happen in house?

It took a while for the software industry to appreciate the benefits of independent research and it has gone from threatening to sue researchers to paying bug bounties to encourage the research and disclosure of vulnerabilities to help improve the security of their products. The Alliance of Automobile Manufacturers' response has been to create an automobile information sharing and analysis center (ISAC), a nonprofit organization that provides a central resource for gathering and sharing information on cyberthreats. ISACs already exist in many industries such as aviation, defense and financial services. This will certainly help in the search and mitigation of potential vulnerabilities in motor vehicle electronics and associated in-vehicle networks -- hopefully they will realize it's not a good idea to allow key physical components such as brakes to sit on the same network as the car's entertainment system.

The DMCA explicitly provides for exemptions to be granted when it is shown that access-control technology has had a substantial adverse effect on the ability of people to make noninfringing uses of copyrighted works. The Electronic Frontier Foundation has tried to file for an exemption to Section 1201 to protect security and safety research on vehicle software from DMCA liability, as well as an exemption that would allow alternative software providers from the original manufacturer to secure vehicle software and perform repairs and customization. The U.S. Librarian of Congress will issue a final ruling in the fall.

Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Learn the key to Internet of Things device discovery

Find out whether or not you need a wearables security policy in your enterprise

Learn how facial recognition authentication can improve mobile security

This was last published in December 2015

Dig Deeper on Information security laws, investigations and ethics