Feds provide legal loophole to hacking IoT devices

It was an especially happy Thanksgiving for security researchers, thanks to what they have called long-overdue exemptions to the Digital Millennium Copyright Act (DMCA).

Those exemptions, which took effect Oct. 28, provide a two-year window allowing “good-faith” researchers to break into the software that controls most consumer and commercial Internet of Things (IoT) devices – those used in everything from “smart” homes to smartphones, cars, medical devices, voting machines and more – without violating copyright laws.

It protects researchers from penalties that could be imposed under Section 1201 of the DCMA, which forbids unlocking software without the consent of the manufacturer and the copyright owner.

Exactly how happy they, and government regulators, will be two years from now remains to be seen, however. It is not as if it is now open season on IoT software.

There are exemptions to the exemptions – they don’t include things like critical infrastructure, airplanes and major hospital equipment – and they come with tight restrictions. Among them:

• The research has to be for security or repair purposes only;
• The product being investigated must have been lawfully acquired;
• The research has to be done in a safe environment, so techniques used to hack or otherwise compromise a product are not released into the wild;
• The research cannot violate other laws.

And the two-year window amounts to two-thirds of a loaf, in the view of the Electronic Freedom Foundation (EFF). In a blog post on the day the exemptions took effect, EFF staff attorney Kit Walsh noted that they would have begun a year earlier and run for three years, had not the US Copyright Office and Librarian of Congress, “unlawfully and pointlessly delayed their implementation.”

The delay, she wrote, was due to opponents’ claims that lifting the restrictions even temporarily would lead to, “a host of unlawful and undesirable activity, from auto theft, to spying, to safety violations and destruction of the environment.”

Walsh contended that those complaints were not credible and weren’t even under the purview of the librarian or head of the Copyright Office. “The one-year delay, then, was not only a violation of law, not only pointless, but actively counterproductive,” she wrote.

While she didn’t name the officials, she noted they had both recently “departed.” The most recent Acting Librarian of Congress was David S. Mao, who left this past Sept. 14 when the new librarian, Carla Hayden, took office. The former register of copyrights was Maria Pallante, who left on Oct. 21.

Despite the delay and the restrictions, there is some optimism that the two-year window will be good for all interested parties – researchers, developers, manufacturers and especially consumers.

More security testing of products, “ideally will lead to enhanced cooperation between researchers and vendors that ultimately protects individual and business users,” said Harley Geiger, director of public policy at Rapid7.

Sam Curry, chief product officer at Cybereason, said the exemptions are especially important – and overdue – when it comes to auto safety.

“One of the founding tenets of security is that secret methodologies don’t work,” he said. “The more open and transparent the mechanics of what we do, the better from a security perspective.”

With modern cars having become, “a massively complex connection of computers and networks and protocols that is assembled extremely quickly and with potentially massive implications and potential to do harm,” Curry argued that it will take, “a community of experts who by default will have more people and more depth than any individual company can bring to bear,” to find and fix software flaws and vulnerabilities that could threaten the physical safety as well as convenience of drivers.

He said auto manufacturers should encourage, rather than try to block, such research. “Microsoft learned this lesson. Oracle learned this lesson. EMC learned this lesson. Why not Ford, BMW and Toyota?” he asked.

Walsh, while she saw no excuse for the implementation delay, told CSO that one of the most positive things about the new exemptions is that, in the case of vehicles, they cover both research into software security flaws and, “diagnosis, repair or lawful modification.”

That, she added, doesn’t mean that a researcher can create modifications to vehicle software and then sell it on the open market. “The exemptions do not permit ‘trafficking’ in any technology,” she said. “They do not allow the sharing of security research tools for circumventing access controls, they do not allow sharing of a tool for jailbreaking your car to make modifications.”

But, she said, owners will now be able to tweak elements of their vehicles that, for example, would allow them to run efficiently in extreme climates such as northern Alaska.

[ ALSO ON CSO: Security and the Internet of Things – are we repeating history? ]

For the exemptions to work – and to possibly become permanent – experts agree that there will have to be cooperation between researchers and those on the developer/manufacturer side.

If researchers, in effect, play “gotcha” with manufacturers and publicize flaws without giving manufacturers time to correct them, that obviously could create opposition to continuing the exemptions.

Geiger said he believes most researchers would act in good faith, but agreed, “there will always be outliers. We encourage the security research community as a whole to represent itself in the best light, in part because irresponsible actions could invoke backlash,” he said.

Geiger said his firm’s policy is first to notify the vendor of a vulnerability, wait 15 days before notifying US CERT (Computer Emergency Readiness Team) and then a minimum of another 45 days before making it public.

Curry said even if there are a few rogues, the overall benefit to the IoT industry – especially auto manufacturers – will be positive. “Car companies should leap at the opportunity to be safer and more usable,” he said. “Their IP (intellectual property) is not in danger from security researchers. The people who will reverse engineer for IP theft are already going to do that, and they aren’t security researchers.”

Whatever the results of the next two years, Walsh said EFF is prepared to fight to maintain the exemptions. She said the “rulemaking” cycle for Section 1201 is three years, so the next deliberation on it will be conducted from 2017 to 2018, with a final rule issued at the end.

“There is no presumption that existing exemptions will be renewed,” she said. “Proponents must fight for them and prove the need afresh each cycle.”

Geiger said he is hopeful that the exemptions will become permanent. Even if there are some abuses, “we don’t think that a broad circumvention ban under copyright law is the right mechanism to restrain questionable behavior,” he said.