Car Hack Demonstrates Why Security Researchers Shouldn't Have To Worry About Copyright In Exposing Weaknesses

from the copyright-where-it-doesn't-belong dept

So, by now you’ve heard the story of how Wired reporter Andy Greenberg allowed two car hackers to hack into a car that he was driving, remotely, while he was on a highway. The story is getting plenty of well-deserved attention, with some people raising a variety of concerns. The most obvious concern is the “holy hell, that seems scary, we should improve car security.” And that’s true. A second level of concern is over whether or not that experiment on a real highway was appropriate, given the very real potential of danger (including the truck that almost hit Greenberg). A third concern is over the reality of the threat, given that Greenberg was driving a car owned by the hackers, to which they had previously had physical access (i.e. the “remote” part of the hack sounds scary, but it’s less scary if hackers have to get into your car first).

However, the part that I wanted to focus on is related to a discussion we were just having a few weeks ago, in which General Motors (which was not the target of this particular hack) claimed that any sort of tinkering with their software, such as to discover these kinds of security holes, should be considered copyright infringement, thanks to Section 1201 of the DMCA. Section 1201, also known as the anti-circumvention provision, says circumventing “technological protection measures” (TPMs) — even for reasons that have nothing to do with copyright — should be deemed copyright infringement and subject to all the statutory damages (up to $150k per violation!) that copyright allows. Some have been pushing for an exemption for things like security researchers tinkering with new connected car systems to make sure they’re safe. And GM and other automakers have said “no way.” GM’s argument is, more or less, that the company would prefer to put its head in the sand, and not have security researchers help it discover security flaws in its systems — leaving only malicious attackers to find those.

While proponents such as Electronic Frontier Foundation characterize the exemption as merely allowing the vehicle owners to “tinker” with their vehicles “in a decades-old tradition of mechanical curiosity and self-reliance,” if granted, the proposed exemption could introduce safety and security issues as well as facilitate violation of various laws designed specifically to regulate the modern car, including emissions, fuel economy, and vehicle safety regulations.

Of course, copyright is not the right law to be relying on if you think that tinkering with your software could lead to safety problems. Instead, it seems to be the law that automakers are relying on to try to hide some of the security vulnerabilities in their cars.

The Association of Global Automakers goes even further with its argument, basically saying that since they already let security researchers of their own choosing do research, no one else should be able to do that research also:

Automobile manufacturers are not adverse to external input and have a long and symbiotic history with aftermarket businesses and others, but are justifiably unwilling to risk public safety, security, and environmental wellness by compromising quality controls and oversight. Moreover, the exemption is unnecessary given that automobile manufacturers already provide access to their valuable copyrighted materials for the precise purposes proposed. By allowing every automobile owner to access and copy automotive software in the name of research, the proposed exemption undermines existing research efforts and, ultimately, wrests control of such research from those in the best position to actually improve the security and safety of our automobiles: the automobile manufacturers and their suppliers, who have the utmost responsibility to ensure that vehicles are safe and secure. The very real risk that ostensibly legitimate research unwittingly undermines vehicle security by serving as a guidebook to software vulnerabilities that enables or even accelerates illicit hacking and malicious modifications to automotive software weighs heavily against the proposed exemption. The balance of benefit versus detriment, in view of all factors involved, simply dictates against the proposed exemption.

In short, since security researchers might find a really serious hole in our software that might put lives in danger, we’re much better off using copyright law to make sure no one’s even looking for such a hole. Are they serious? Wouldn’t it be much better to give people incentives to find these kinds of security flaws so the automakers can fix them rather than relying on security-by-head-in-the-sand?

Finally, the Alliance of Automobile Manufacturers also opposed the exemption for some fairly bizarre reasons, claiming that it would magically free up researchers to disclose how a vulnerability works without first informing the manufacturer:

By arguing that the current legal landscape is too treacherous for independent researchers, proponents are in effect seeking to be freed from existing statutory constraints that are biased in favor of prudent and responsible practices – such as managing disclosure of security vulnerabilities to minimize the risk of legal violations and exploitation of those vulnerabilities by bad actors – to protect the safety and security of members of the public. For instance, under the proposed exemption, researchers who publish detailed analyses of vulnerabilities before sharing their findings with manufacturers would nonetheless benefit from a blanket exemption to circumvention liability, even though such premature publication could dramatically increase the risk of such harmful exploitations.

This is bullshit. There is nothing in removing the liability for circumvention that changes industry best practices of first alerting the manufacturer. That would still be standard practice. What it would do, however, is stop those manufacturers from responding by threatening a ridiculous copyright infringement lawsuit instead of realizing they need to fix a real problem in their systems. And if the automakers don’t think such threats happen, we’ve got plenty of examples to send their way.

If the automakers are serious about wanting to make sure their cars on the road are safe, they should be encouraging this kind of research (though perhaps not on actual highways… ). But the fact that copyright law is blocking some of this kind of research is a real travesty.

Companies: chrysler, gm


Comments on “Car Hack Demonstrates Why Security Researchers Shouldn't Have To Worry About Copyright In Exposing Weaknesses”

39 Comments
Josh in CharlotteNC (profile) says:

Public disclosure (or at least the threat of it) is the only way to put pressure on companies to fix security holes in software, including software in cars.

Let’s not forget that these same 2 security researchers put on a demonstration on a Toyota Prius and a Ford Escape at Defcon in 2013. At the time, it required a wired connection to the diagnostic port. The automakers ignored it and said their systems were secure.

As to the threat concern, yes, these guys did have physical access to the Jeep used. But they are also able to scan the network using a burner phone on Sprint’s network that UConnect uses to locate other cars running the same software all over the place. The same vulnerable software that they can exploit remotely.

That One Guy (profile) says:

You made the bed...

For instance, under the proposed exemption, researchers who publish detailed analyses of vulnerabilities before sharing their findings with manufacturers would nonetheless benefit from a blanket exemption to circumvention liability, even though such premature publication could dramatically increase the risk of such harmful exploitations.

Well perhaps if so many companies didn’t respond to people trying to be ‘nice’ by telling them about vulnerabilities first with lawsuits and threats of them, more people might be willing to do so. As it stands, only a fool tells a company about a security issue now, the smart ones publish it anonymously and publicly.

Anonymous Coward says:

Re: You made the bed...

As it stands, only a fool tells a company about a security issue now, the smart ones publish it anonymously and publicly.

There’s also the option that some researchers took in 2008: make the vendor sign an NDA. “Molnar says that the team pre-briefed browser makers, including Microsoft and the Mozilla Foundation, on their exploit. But the researchers put them under NDA, for fear that if word got out about their efforts, legal pressure would be brought to bear to suppress their planned talk in Berlin. Molnar says Microsoft warned Verisign that the company should stop using MD5.”

Jeremy Lyman (profile) says:

Re: You made the bed...

Exactly. Your plan for getting people to “first inform the manufacturer” is to swear you’ll fully prosecute anyone who admits to testing? That’s just a recipe for anonymously published 0-days popping up all over the Internet.

Start a bounty program and make people want to help you. Exploits are going to be found. Period. It’s your choice how you’ll be informed about them.

lars626 (profile) says:

Security?

Scenario:
1. Man annoys his neighbor, who has serious anger management issues.
2. Angry neighbor hacks into his new car because manufacturer failed to proactively upgrade known security flaw.
3. Man begins to back out of his driveway but hits the brakes when he sees a school bus on the street.
4. Brakes do not function due to the angry neighbor’s hack and he T-bones the bus.
5. Children are injured, some seriously.
6. Bus driver says he saw the brake lights come on but the car did not slow down.
7. Investigation discovers the hack and the perpetrator.
8. Parents sue angry neighbor, who has few assets, and the manufacturer. Lawyers find during discovery that manufacturer was aware of the problem but decided not to fix it.
9. County Attorney tries to determine if criminal charges could apply to the case and if so who to charge.

Andrew D. Todd (user link) says:

Re: Re: Re:2 Security?

Well, I don’t know about that. There have been some recent cases of collisions between trains and automobiles (and other road vehicles), in which the gas tank of the automobile was ruptured, and burning fuel made its way into the train’s passenger cars. I believe there was one case in New York where a train was being operated in push mode, with the locomotive at the rear, and the engineer driving by remote control from the front vestibule of the front coach. They collided with an SUV. The engineer was killed in the ensuing fire, and several passengers were burned.

There was a case out in Nevada, in which a fuel tank truck collided with a train at a grade crossing. It did a substantial amount of damage to a sleeping car, but the casualties were not very high.

Andrew D. Todd (user link) says:

Re: Re: Re:4 Security?

Well, you might have a situation in which the back end of the (front-wheel-drive) car sort of climbs the side of the bus, and pushes in at the bus windows. Something straight out of a demolition derby, in short.

When I first heard about the Lac Megantic railroad accident, I was pretty well baffled, because I had not known that it was possible to operate train brakes in that fashion. It was not a customary way of operating train brakes, nor one which is recommended, but a weird expedient dreamed up as a means of saving small sums of money. Of course the result was that forty-three people were killed, and a major portion of the town burnt out. Ah, well, as my Human Factors Engineering professor said, many years ago, “you can make something foolproof, but you can’t make it damn-foolproof!”

Mason Wheeler (profile) says:

Sigh. So much fail coming from the manufacturers here.

if granted, the proposed exemption could introduce safety and security issues as well as facilitate violation of various laws designed specifically to regulate the modern car, including emissions, fuel economy, and vehicle safety regulations.

Yeah, you know what the beautiful thing about there already being laws against this stuff that they’re pointing out there are laws against? The fact that there are already laws against it! So that’s already covered and they don’t need copyright abuse to handle cases of people trying to do stuff like that.

By allowing every automobile owner to access and copy automotive software in the name of research, the proposed exemption undermines existing research efforts and, ultimately, wrests control of such research from those in the best position to actually improve the security and safety of our automobiles: the automobile manufacturers and their suppliers, who have the utmost responsibility to ensure that vehicles are safe and secure.

If we were talking about manufactured physical goods, such as a car, I would agree. But we’re not; we’re talking about the software in the car, and fixing bugs in software does not work that way. Decades of experience shows exactly the opposite, as succinctly summed up by Eric Raymond in what he calls Linus’s Law: “given enough eyeballs, all bugs are shallow.” Or in other words, the more independent people you have looking at a problem, the more likely it will be that the solution will be obvious to one of them, and thus the faster it will get fixed.

Anonymous Coward says:

Re: Re:

“Or in other words, the more independent people you have looking at a problem, the more likely it will be that the solution will be obvious to one of them, and thus the faster it will get fixed.”

That is IF anyone LOOKS AT THE SOURCE CODE in the first place. Open source just ain’t what it used to be.

Modern package management has spoiled people rotten.

A lot of admins just drop the binary package in place, install warnings be damned, never to upgrade it unless their boss presses them to.

Just think of the OpenSSL bugs. In fact I’d argue that there are more “bad guy” eyeballs peering over the code of major security packages than “good guy” ones.

Mason Wheeler (profile) says:

Re: Re: Re:

Yeah, it’s easy to “just think of” the OpenSSL bugs, because they’re about all there is to think of when you’re looking for counter-examples. They’re the one major case that’s come to light in the past decade or so. You know what you haven’t heard about? All the thousands of open source projects that haven’t had serious problems like that, because the process works when people actually use it. But OpenSSL didn’t; it could be a case study in how not to run an Open Source project.

nasch (profile) says:

Re: Re:

By allowing every automobile owner to access and copy automotive software in the name of research, the proposed exemption undermines existing research efforts and, ultimately, wrests control of such research from those in the best position to actually improve the security and safety of our automobiles: the automobile manufacturers and their suppliers, who have the utmost responsibility to ensure that vehicles are safe and secure.

It’s a really bizarre claim. Are they saying that manufacturers and suppliers can’t do security research until they’re sure nobody else is doing it? “Wrests control”? I guess in the sense that they wouldn’t be the only ones doing the research, so they wouldn’t have control over all research efforts. But then they don’t go on to explain what the problem with that is. Not in any way that makes sense at least.

Anonymous Coward says:

I hate the blame game

Really?

Bad guys, whoever they are, whatever their motives are or whatever their affiliations are will *DO BAD STUFF* and figure out how to do it. It’s called resources. They do not care about laws.

Researchers or just the general public continue to point out stupidity, or some would say greed for not staying the course to solidify products, especially interconnected products. These companies should be using well-founded current security *AND* policies for security.

I say let research move forward and be free from tortuous prosecution and continue to disclose the stupidity from organizations that refuse to do better.

All peoples will be better from these efforts.

If you release a shitty product that can hurt someone, fix it, or better yet educate yourself not to release it in the first place.

Does anyone really believe that *ANY* major car manufacturer doesn’t have a team that said, well, you know, this is a bad idea? Engineers and a lot of us regular folks are not idiots to these facts. $$$$.

The merits of when to hold companies responsible and then the harder issue about punishment without reprieve is where I fear we will never get to. But that is another rant.

Roger Strong (profile) says:

By GM’s reasoning AshleyMadison is correct in saying that their data is secure, since they’ve issued DMCA takedowns to everyone who posted the leaked database.

Comcast’s top lobbyist David Cohen can’t possibly be holding $2,700 per plate fundraising dinners for Washington politicians, since bribery and influence peddling are illegal.

And those 9/11 truthers must be on to something, as it’s impossible to fly jetliners into buildings without violating a few laws.

Anonymous Coward says:

We have seen example after example of companies owning software ignoring security issues. Only after it is made public appears to be the single driving force to get them interested in doing something about it. Instead we’ve seen the attempt to DMCA their way out of it, trying to remove the data from the internet. Others take the path of wanting to sue researchers for daring to reveal those limitations.

Then there are cases like Microsoft, purposely delaying patches in order to allow the NSA more time to use unsecured holes in software.

All of this goes back to no one having any sort of nudge factor short of public dumping to get the manufacturer to actually address flaws.

orbitalinsertion (profile) says:

wut?

sample extract of the repetitive stupid:

By allowing every automobile owner to access and copy automotive software in the name of research, the proposed exemption undermines existing research efforts and, ultimately, wrests control of such research from those in the best position to actually improve the security and safety of our automobiles: the automobile manufacturers and their suppliers, who have the utmost responsibility to ensure that vehicles are safe and secure.

And how has that been working so far? You keep saying this, but everyone else seems to find the vulnerabilities. Your putative security teams need help. Have some for free, morons.

By arguing that the current legal landscape is too treacherous for independent researchers, proponents are in effect seeking to be freed from existing statutory constraints that are biased in favor of prudent and responsible practices – such as managing disclosure of security vulnerabilities to minimize the risk of legal violations and exploitation of those vulnerabilities by bad actors – to protect the safety and security of members of the public.

Bad actors do not give a fuck about copyright or other law. R U srs here? GTFO.

Anonymous Coward says:

Re: Re:

Excuse me there mister … you seem to be using logic to determine a course of action. This is not permitted and you know it.

The design of metal objects weighing over a ton traveling at over 65 miles an hour should not be subject to any sort of logic intended to limit their potential for catastrophic destruction, this is simply insane – ok?

nasch (profile) says:

Re: Re:

What will it take for the automotive (and other companies) to learn that hiding their failures, which inevitably come out, is worse than coming clean in the first place?

If they haven’t learned by now…. every time it comes up, the calculus is, do we go public and definitely take a hit, or try to keep it secret and maybe get away with it? THIS TIME guys, we will succeed in keeping it a secret.

Anonymous Coward says:

There is even a bigger hole in this model

Software, all software, eventually falls out of support. So what happens when a 5 or 10 year old car hits the end-of-life support for its software and no more patches are applied? Yeah, maybe the car is secure for some period of time, but eventually support will be dropped and then hackers will have a field day with older vehicles.

ht says:

Nothing new on this side

The head in the sand approach by the automotive industry is not new.

The engineers of the Ford Bronco said if the car was 10cm wider it would be substantially more stable, but they got overruled.
Then over decades unsafe cars were sold that would flip over on bends at relatively low speeds.

The only way to fix this is by simply not buying from them. If they don’t want to fix the bugs in the software… just hit them where it hurts, and buy a nice Toyota or something like that.

John Fenderson (profile) says:

Re: Section 1201 is Like Gun Control

“only stops the law abiding people, and does not stop the criminals from hacking the car software.”

And it doesn’t stop law-abiding people. Non-criminal* hackers will still be hacking the software for the same reasons they always do.

*excluding that breaking this particular law technically makes them “criminals”.

nasch (profile) says:

Re: FFS

Another edge case that would be very unlikely in a low-speed collision. And dash cams would be a terrible source of meaningful evidence since the ones that are easiest to find are the ones with spectacular events. Those are generally the exception, not the rule. The thousands or millions of videos showing boring minor fender benders are never seen.

wec says:

I come back to the understanding that the car company would build as safe a car as possible and once bought they have no responsibility for any changes made by the owner. I seem to recall in my younger days all the changes younger drivers would make to their cars (street rods), and the manufacturer had no responsibility for any accidents that would happen that were connected to these changes by the owner.
