Car Hack Demonstrates Why Security Researchers Shouldn't Have To Worry About Copyright In Exposing Weaknesses

from the copyright-where-it-doesn't-belong dept

So, by now you've heard the story of how Wired reporter Andy Greenberg allowed two car hackers to hack into a car that he was driving, remotely, while he was on a highway. The story is getting plenty of well-deserved attention, with some people raising a variety of concerns. The most obvious concern is the "holy hell, that seems scary, we should improve car security." And that's true. A second level of concern is over whether or not that experiment on a real highway was appropriate, given the very real potential of danger (including the truck that almost hit Greenberg). A third concern is over the reality of the threat, given that Greenberg was driving a car owned by the hackers, that they had the ability to touch previously (i.e. the "remote" part of the hack sounds scary, but it's less scary if hackers have to get into your car first).

However, the part that I wanted to focus on is related to a discussion we were just having a few weeks ago, in which General Motors (which was not the target of this particular hack) claimed that any sort of tinkering with their software, such as to discover these kinds of security holes, should be considered copyright infringement, thanks to Section 1201 of the DMCA. Section 1201, also known as the anti-circumvention provision, says circumventing "technological protection measures" (TPMs) -- even for reasons that have nothing to do with copyright -- should be deemed copyright infringement and subject to all the statutory damages (up to $150k per violation!) that copyright allows. Some have been pushing for an exemption for things like security researchers tinkering with new connected car systems to make sure they're safe. And GM and other automakers have said "no way." GM's argument is, more or less, that the company would prefer to put its head in the sand, and not have security researchers help it discover security flaws in its systems -- leaving only malicious attackers to find those.

While proponents such as Electronic Frontier Foundation characterize the exemption as merely allowing the vehicle owners to “tinker” with their vehicles “in a decades-old tradition of mechanical curiosity and self-reliance,” if granted, the proposed exemption could introduce safety and security issues as well as facilitate violation of various laws designed specifically to regulate the modern car, including emissions, fuel economy, and vehicle safety regulations.

Of course, copyright is not the right law to be relying on if you think that tinkering with your software could lead to safety problems. Instead, it seems to be the law that automakers are relying on to try to hide some of the security vulnerabilities in their cars.

The Association of Global Automakers goes even further with its argument, basically saying that since they already let security researchers of their own choosing do research, no one else should be able to do that research also:

Automobile manufacturers are not adverse to external input and have a long and symbiotic history with aftermarket businesses and others, but are justifiably unwilling to risk public safety, security, and environmental wellness by compromising quality controls and oversight. Moreover, the exemption is unnecessary given that automobile manufacturers already provide access to their valuable copyrighted materials for the precise purposes proposed. By allowing every automobile owner to access and copy automotive software in the name of research, the proposed exemption undermines existing research efforts and, ultimately, wrests control of such research from those in the best position to actually improve the security and safety of our automobiles: the automobile manufacturers and their suppliers, who have the utmost responsibility to ensure that vehicles are safe and secure. The very real risk that ostensibly legitimate research unwittingly undermines vehicle security by serving as a guidebook to software vulnerabilities that enables or even accelerates illicit hacking and malicious modifications to automotive software weighs heavily against the proposed exemption. The balance of benefit versus detriment, in view of all factors involved, simply dictates against the proposed exemption.

In short, since security researchers might find a really serious hole in our software that might put lives in danger, we're much better off using copyright law to make sure no one's even looking for such a hole. Are they serious? Wouldn't it be much better to give people incentives to find these kinds of security flaws so the automakers can fix them rather than relying on security-by-head-in-the-sand?

Finally, the Alliance of Automobile Manufacturers also opposed the exemption for some fairly bizarre reasons, claiming that it would magically free up researchers to disclose how a vulnerability works without first informing the manufacturer:

By arguing that the current legal landscape is too treacherous for independent researchers, proponents are in effect seeking to be freed from existing statutory constraints that are biased in favor of prudent and responsible practices – such as managing disclosure of security vulnerabilities to minimize the risk of legal violations and exploitation of those vulnerabilities by bad actors – to protect the safety and security of members of the public. For instance, under the proposed exemption, researchers who publish detailed analyses of vulnerabilities before sharing their findings with manufacturers would nonetheless benefit from a blanket exemption to circumvention liability, even though such premature publication could dramatically increase the risk of such harmful exploitations.

This is bullshit. There is nothing in removing the liability for circumvention that changes industry best practices of first alerting the manufacturer. That would still be standard practice. What it would do, however, is stop those manufacturers from responding by threatening a ridiculous copyright infringement lawsuit instead of realizing they need to fix a real problem in their systems. And if the automakers don't think such threats happen, we've got plenty of examples to send their way.

If the automakers are serious about wanting to make sure their cars on the road are safe, they should be encouraging this kind of research (though perhaps not on actual highways... ). But the fact that copyright law is blocking some of this kind of research is a real travesty.

Filed Under: 1201, anti-circumvention, automotive, car, copyright, dmca, hack, hackers
Companies: chrysler, gm

AT&T Won't Give Up On Mobile TV, Now Wants To Sell You $1300 Gear To Watch Cartoons In Your Car

from the that's-a-lot-for-some-cartoons dept

Despite a ton of hype from its backers over the years, there's been very little interest in mobile TV services -- especially with the current subscription-based model. AT&T launched its mobile TV offering using Qualcomm's MediaFLO service last year, and given the lack of news about it, it doesn't seem to have set the world on fire. But AT&T doesn't seem to have learned too much from that experience and adapted its business model to a new satellite-based mobile TV offering that's made for in-car use, preferring instead to trod the same path with a sizable monthly service fee and expensive equipment. For just $1299 for the equipment (not including professional installation) and $28 per month, its CruiseCast service will deliver customers 22 channels of TV and 20 audio channels. Even if these weren't trying economic times, the pricing seems pretty prohibitive, and it's hard to imagine this service will find much more success than other similar efforts. Further, it's really difficult to see a future for any sort of mobile TV service that's built around the subscription model, especially when it tries to force customers back into linear programming schedules, and give up the control that their DVRs and other on-demand technologies offer.

Filed Under: car, driving, mobile tv
Companies: at&t