Car Hack Demonstrates Why Security Researchers Shouldn't Have To Worry About Copyright In Exposing Weaknesses
from the copyright-where-it-doesn't-belong dept
So, by now you've heard the story of how Wired reporter Andy Greenberg allowed two car hackers to hack into a car that he was driving, remotely, while he was on a highway. The story is getting plenty of well-deserved attention, with some people raising a variety of concerns. The most obvious concern is the "holy hell, that seems scary, we should improve car security." And that's true. A second level of concern is over whether or not that experiment on a real highway was appropriate, given the very real potential of danger (including the truck that almost hit Greenberg). A third concern is over the reality of the threat, given that Greenberg was driving a car owned by the hackers, that they had the ability to touch previously (i.e. the "remote" part of the hack sounds scary, but it's less scary if hackers have to get into your car first).

However, the part that I wanted to focus on is related to a discussion we were just having a few weeks ago, in which General Motors (which was not the target of this particular hack) claimed that any sort of tinkering with their software, such as to discover these kinds of security holes, should be considered copyright infringement, thanks to Section 1201 of the DMCA. Section 1201, also known as the anti-circumvention provision, says circumventing "technological protection measures" (TPMs) -- even for reasons that have nothing to do with copyright -- should be deemed copyright infringement and subject to all the statutory damages (up to $150k per violation!) that copyright allows. Some have been pushing for an exemption for things like security researchers tinkering with new connected car systems to make sure they're safe. And GM and other automakers have said "no way." GM's argument is, more or less, that the company would prefer to put its head in the sand, and not have security researchers help it discover security flaws in its systems -- leaving only malicious attackers to find those.
While proponents such as Electronic Frontier Foundation characterize the exemption as merely allowing the vehicle owners to “tinker” with their vehicles “in a decades-old tradition of mechanical curiosity and self-reliance,” if granted, the proposed exemption could introduce safety and security issues as well as facilitate violation of various laws designed specifically to regulate the modern car, including emissions, fuel economy, and vehicle safety regulations.

Of course, copyright is not the right law to be relying on if you think that tinkering with your software could lead to safety problems. Instead, it seems to be the law that automakers are relying on to try to hide some of the security vulnerabilities in their cars.
The Association of Global Automakers goes even further with its argument, basically saying that since they already let security researchers of their own choosing do research, no one else should be able to do that research also:
Automobile manufacturers are not adverse to external input and have a long and symbiotic history with aftermarket businesses and others, but are justifiably unwilling to risk public safety, security, and environmental wellness by compromising quality controls and oversight. Moreover, the exemption is unnecessary given that automobile manufacturers already provide access to their valuable copyrighted materials for the precise purposes proposed. By allowing every automobile owner to access and copy automotive software in the name of research, the proposed exemption undermines existing research efforts and, ultimately, wrests control of such research from those in the best position to actually improve the security and safety of our automobiles: the automobile manufacturers and their suppliers, who have the utmost responsibility to ensure that vehicles are safe and secure. The very real risk that ostensibly legitimate research unwittingly undermines vehicle security by serving as a guidebook to software vulnerabilities that enables or even accelerates illicit hacking and malicious modifications to automotive software weighs heavily against the proposed exemption. The balance of benefit versus detriment, in view of all factors involved, simply dictates against the proposed exemption.

In short, since security researchers might find a really serious hole in our software that might put lives in danger, we're much better off using copyright law to make sure no one's even looking for such a hole. Are they serious? Wouldn't it be much better to give people incentives to find these kinds of security flaws so the automakers can fix them rather than relying on security-by-head-in-the-sand?
Finally, the Alliance of Automobile Manufacturers also opposed the exemption for some fairly bizarre reasons, claiming that it would magically free up researchers to disclose how a vulnerability works without first informing the manufacturer:
By arguing that the current legal landscape is too treacherous for independent researchers, proponents are in effect seeking to be freed from existing statutory constraints that are biased in favor of prudent and responsible practices – such as managing disclosure of security vulnerabilities to minimize the risk of legal violations and exploitation of those vulnerabilities by bad actors – to protect the safety and security of members of the public. For instance, under the proposed exemption, researchers who publish detailed analyses of vulnerabilities before sharing their findings with manufacturers would nonetheless benefit from a blanket exemption to circumvention liability, even though such premature publication could dramatically increase the risk of such harmful exploitations.

This is bullshit. There is nothing in removing the liability for circumvention that changes industry best practices of first alerting the manufacturer. That would still be standard practice. What it would do, however, is stop those manufacturers from responding by threatening a ridiculous copyright infringement lawsuit instead of realizing they need to fix a real problem in their systems. And if the automakers don't think such threats happen, we've got plenty of examples to send their way.
If the automakers are serious about wanting to make sure their cars on the road are safe, they should be encouraging this kind of research (though perhaps not on actual highways... ). But the fact that copyright law is blocking some of this kind of research is a real travesty.
Filed Under: 1201, anti-circumvention, automotive, car, copyright, dmca, hack, hackers
Companies: chrysler, gm
Reader Comments
Let's not forget that these same 2 security researchers put on a demonstration on a Toyota Prius and a Ford Escape at Defcon in 2013. At the time, it required a wired connection to the diagnostic port. The automakers ignored it and said their systems were secure.
As to the threat concern, yes, these guys did have physical access to the Jeep used. But they are also able to scan the network using a burner phone on Sprint's network that UConnect uses to locate other cars running the same software all over the place. The same vulnerable software that they can exploit remotely.
You made the bed...
Well perhaps if so many companies didn't respond to people trying to be 'nice' by telling them about vulnerabilities first with lawsuits and threats of them, more people might be willing to do so. As it stands, only a fool tells a company about a security issue now, the smart ones publish it anonymously and publicly.
Re: You made the bed...
Re: You made the bed...
Start a bounty program and make people want to help you. Exploits are going to be found. Period. It's your choice how you'll be informed about them.
Security?
1. Man annoys his neighbor, who has serious anger management issues.
2. Angry neighbor hacks into his new car because the manufacturer failed to proactively fix a known security flaw.
3. Man begins to back out of his driveway but hits the brakes when he sees a school bus on the street.
4. Brakes do not function due to the angry neighbor's hack and he T-bones the bus.
5. Children are injured, some seriously.
6. Bus driver says he saw the brake lights come on but the car did not slow down.
7. Investigation discovers the hack and the perpetrator.
8. Parents sue the angry neighbor, who has few assets, and the manufacturer. Lawyers find during discovery that the manufacturer was aware of the problem but decided not to fix it.
9. County Attorney tries to determine if criminal charges could apply to the case and if so who to charge.
Re: Security?
Re: Re: Security?
Re: Re: Re: Security?
Not to mention enormous mass advantage.
Re: Re: Re: Re: Security?
There was a case out in Nevada, in which a fuel tank truck collided with a train at a grade crossing. It did a substantial amount of damage to a sleeping car, but the casualties were not very high.
Re: Re: Re: Re: Re: Security?
Re: Re: Re: Re: Re: Re: Security?
When I first heard about the Lac Megantic railroad accident, I was pretty well baffled, because I had not known that it was possible to operate train brakes in that fashion. It was not a customary way of operating train brakes, nor one which is recommended, but a weird expedient dreamed up as a means of saving small sums of money. Of course the result was that forty-three people were killed, and a major portion of the town burnt out. Ah, well, as my Human Factors Engineering professor said, many years ago, "you can make something foolproof, but you can't make it damn-foolproof!"
Yeah, you know what the beautiful thing about there already being laws against this stuff that they're pointing out there are laws against? The fact that there are already laws against it! So that's already covered and they don't need copyright abuse to handle cases of people trying to do stuff like that.
If we were talking about manufactured physical goods, such as a car, I would agree. But we're not; we're talking about the software in the car, and fixing bugs in software does not work that way. Decades of experience shows exactly the opposite, as succinctly summed up by Eric Raymond in what he calls Linus's Law: "given enough eyeballs, all bugs are shallow." Or in other words, the more independent people you have looking at a problem, the more likely it will be that the solution will be obvious to one of them, and thus the faster it will get fixed.
Re:
That is IF anyone LOOKS AT THE SOURCE CODE in the first place. Open source just ain't what it used to be.
Modern package management has spoiled people rotten
A lot of admins just drop the binary package in place, install warnings be damned, never to upgrade it unless their boss presses them to.
Just think of the OpenSSL bugs. In fact I'd argue that there are more "bad guy" eyeballs peering over the code of major security packages than "good guy" ones.
Re: Re:
Re:
It's a really bizarre claim. Are they saying that manufacturers and suppliers can't do security research until they're sure nobody else is doing it? "Wrests control"? I guess in the sense that they wouldn't be the only ones doing the research, so they wouldn't have control over all research efforts. But then they don't go on to explain what the problem with that is. Not in any way that makes sense at least.
I hate the blame game
Bad guys, whoever they are, whatever their motives are or whatever their affiliations are will *DO BAD STUFF* and figure out how to do it. It's called resources. They do not care about laws.
Researchers or just the general public continue to point out stupidity, or some would say greed for not staying the course to solidify products, especially interconnected products. These companies should be using well-founded current security *AND* policies for security.
I say let research move forward and be free from tortuous prosecution and continue to disclose the stupidity from organizations that refuse to do better.
All peoples will be better from these efforts.
If you release a shitty product that can hurt someone, fix it, or better yet educate yourself not to release it in the first place.
Does anyone really believe that *ANY* major car manufacturer doesn't have a team that said, well, you know, this is a bad idea? Engineers and a lot of us regular folks are not idiots to these facts. $$$$.
The merits of when to hold companies responsible and then harder issue about punishment without reprieve is where I fear we will never get to. But that is another rant.
Only if you "get" it
Never has it been argued that car companies "get" the Internet.
Ditto airliner manufacturers.
Comcast's top lobbyist David Cohen can't possibly be holding $2,700 per plate fundraising dinners for Washington politicians, since bribery and influence peddling are illegal.
And those 9/11 truthers must be on to something, as it's impossible to fly jetliners into buildings without violating a few laws.
Then there are cases like Microsoft, purposely delaying patches in order to allow the NSA more time to use unsecured holes in software.
All of this goes back to no one having any sort of nudge factor short of public dumping to get the manufacturer to actually address flaws.
wut?
And how has that been working so far? You keep saying this, but everyone else seems to find the vulnerabilities. Your putative security teams need help. Have some for free, morons.
Bad actors do not give a fuck about copyright or other law. R U srs here? GTFO.
To GM
Re:
The design of metal objects weighing over a ton traveling at over 65 miles an hour should not be subject to any sort of logic intended to limit their potential for catastrophic destruction, this is simply insane - ok?
Re:
Forget internet, don't let it be controlled by any remote means at all.
They can get all kinds of free quality assurance testing, but seem to prefer to pay in the courtroom because they can put off the payment of a decade or so.
Re:
If they haven't learned by now.... every time it comes up, the calculus is, do we go public and definitely take a hit, or try to keep it secret and maybe get away with it? THIS TIME guys, we will succeed in keeping it a secret.
Any car mechanics can tell you the many low-tech ways to sabotage vehicles. While the wired article is interesting, it just fuels gratuitous paranoia.
There is even a bigger hole in this model
Re: There is even a bigger hole in this model
Nothing new on this side
The engineers of the Ford Bronco said if the car was 10cm wider it would be substantially more stable, but they got overruled.
Then over decades unsafe cars were sold that would flip over on bends at relatively low speeds.
The only way to fix this is by simply not buying from them. If they don't want to fix the bugs in the software... just hit them where it hurts, and buy a nice Toyota or something like that.
Section 1201 is Like Gun Control
So your choice: customers and researchers where you're the first to know, or we all get surprised by the bad guys.
Re: Section 1201 is Like Gun Control
And it doesn't stop law-abiding people. Non-criminal* hackers will still be hacking the software for the same reasons they always do.
*excluding that breaking this particular law technically makes them "criminals".
FFS
Go watch some dash cam videos already...
Re: FFS