Security researchers in the US will be able to probe software in vehicles, medical devices and voting machines, unimpeded by laws that make it illegal to bypass copyright protection technology.
Clearance to legally hack the three classes of systems comes by way of newly agreed exemptions to the US’ Digital Millennium Copyright Act (DMCA), which otherwise forbids bypassing technological measures, such as digital rights management (DRM) software, designed to block access to copyrighted works.
The exemptions, announced by the Library of Congress on Tuesday, come into effect for vehicles and medical devices “no earlier than 12 months after” the date the regulation is enacted, while researchers can legally hack voting machines immediately.
All three categories of devices have come under scrutiny in recent years because undisclosed, and often difficult-to-patch, security vulnerabilities could be used to cause potentially life-threatening harm, for example by revealing the identity of voters, remotely electrocuting a person with a pacemaker or remotely tampering with a vehicle’s brakes.
Exemptions are enacted every third year by the Library of Congress. Until this round, however, security researchers could have been trapped by a gag order and penalties for violating the DMCA. The new rules permit tampering with software for the purpose of “good-faith security research”.
The amendments come in the wake of Volkswagen’s diesel debacle, in which software acting as a so-called “defeat device” was used to cheat tests that monitor certain pollutants in vehicle emissions.
Removing impediments to security research on vehicle software may have allowed the public to discover Volkswagen’s scheme earlier, some have argued.
While companies use a range of measures, such as cease and desist letters, to suppress publication of sensitive security research, the DMCA remains a key avenue for silencing researchers before they disclose a bug publicly. In turn, this can snuff out any chance of a vendor fixing a vulnerable product.
The incentive to use the DMCA for purposes other than copyright can be seen in the high cost to manufacturers of responding to publicly disclosed bugs.
Shortly after two US security researchers in July revealed critical remotely exploitable bugs in Jeep vehicles, parent company Fiat-Chrysler recalled 1.4 million vehicles — just to install a firmware update.
The exemption on vehicle software hacking was driven by the Electronic Frontier Foundation (EFF). It notes that a section of the DMCA allowed vehicle manufacturers to threaten legal action against anyone who needs to unlock “access controls” — a requirement aimed at protecting DRM technology but not limited to it.
“This ‘access control’ rule is supposed to protect against unlawful copying but as we’ve seen in the recent Volkswagen scandal—where VW was caught manipulating smog tests—it can be used instead to hide wrongdoing hidden in computer code,” said EFF staff attorney Kit Walsh.
The exemptions were opposed by General Motors, farm machinery maker John Deere, the US medical device association AdvaMed, the Department of Transportation, the Environmental Protection Agency and the Food and Drug Administration.
Walsh was baffled by the year-long wait before the new exemption takes effect. The rulemaking document, however, notes that the grace period was granted to give government agencies sufficient time to respond.
By contrast, the 12-month wait was waived for voting machines “on the ground that there was no public safety issue or other proffered justification for delay of this aspect of the exemption.”
The Medical Device Research Coalition meanwhile fought for the exemption on software embedded in pacemakers, implantable cardioverter defibrillators, insulin pumps, and continuous glucose monitors, and their corresponding personal monitoring systems.