US tweaks copyright law to legalise vehicle, medical device, vote-machine hacking

Security researchers in the US will be able to probe software in vehicles, medical devices and voting machines, unimpeded by laws that make it illegal to bypass copyright protection technology.

Clearance to legally hack the three classes of systems comes by way of newly agreed exemptions to the US’ Digital Millennium Copyright Act (DMCA), which otherwise forbids bypassing technological measures, such as digital rights management (DRM) software, designed to block access to copyrighted works.

The exemptions, announced by the Library of Congress on Tuesday, come into effect for vehicles and medical devices “no earlier than 12 months after” the date the regulation is enacted, while researchers can legally hack voting machines immediately.

All three categories of devices have come under scrutiny in recent years because hackers could use undisclosed and often difficult-to-patch security vulnerabilities to cause potentially life-threatening harm to users, for example by revealing the identity of voters, remotely electrocuting a person with a pacemaker, or remotely tampering with a vehicle’s brakes.

Exemptions are enacted every third year by the Library of Congress. Until today’s round, however, security researchers could have been trapped by a gag order and penalties for violating the DMCA. The new rules permit tampering with software for the purpose of “good-faith security research”.

The amendments come in the wake of Volkswagen's diesel debacle, which used software in a so-called “defeat device” to cheat tests to monitor certain pollutants in vehicle emissions.

Removing impediments to security research on vehicle software may have allowed the public to discover Volkswagen’s scheme earlier, some have argued.

While companies use a range of measures, such as cease and desist letters, to suppress publication of sensitive security research, DMCA remains a key avenue to silence researchers before they disclose a bug publicly. In turn, this can snuff out any chance of a vendor fixing a vulnerable product.

The incentive to use the DMCA for purposes other than copyright can be seen in the high cost to manufacturers of responding to publicly disclosed bugs.

Shortly after two US security researchers in July revealed critical remotely exploitable bugs in Jeep vehicles, parent company Fiat-Chrysler recalled 1.4 million vehicles — just to install a firmware update.

The exemption on vehicle software hacking was driven by the Electronic Frontier Foundation (EFF). It notes that a section of the DMCA allowed vehicle manufacturers to threaten legal action against anyone who needs to unlock “access controls” — a requirement aimed at protecting DRM technology but not limited to it.

“This ‘access control’ rule is supposed to protect against unlawful copying but as we’ve seen in the recent Volkswagen scandal—where VW was caught manipulating smog tests—it can be used instead to hide wrongdoing hidden in computer code,” said EFF staff attorney Kit Walsh.

The exemptions were opposed by General Motors, farm machinery maker John Deere, the US medical device association AdvaMed, the Department of Transport, the Environmental Protection Agency and the Food and Drug Administration.

Walsh was baffled by the year-long wait to implement the new exemption; however, the document notes that the grace period was granted to allow government agencies sufficient time to respond.

By contrast, the 12-month wait was waived for voting machines “on the ground that there was no public safety issue or other proffered justification for delay of this aspect of the exemption.”

The Medical Device Research Coalition meanwhile fought for the exemption on software embedded in pacemakers, implantable cardioverter defibrillators, insulin pumps, and continuous glucose monitors, and their corresponding personal monitoring systems.

Stories by Liam Tung