Car Hack Demonstrates Why Security Researchers Shouldn't Have To Worry About Copyright In Exposing Weaknesses
from the copyright-where-it-doesn't-belong dept
So, by now you’ve heard the story of how Wired reporter Andy Greenberg allowed two car hackers to hack into a car that he was driving, remotely, while he was on a highway. The story is getting plenty of well-deserved attention, with some people raising a variety of concerns. The most obvious concern is the “holy hell, that seems scary, we should improve car security.” And that’s true. A second level of concern is over whether or not that experiment on a real highway was appropriate, given the very real potential of danger (including the truck that almost hit Greenberg). A third concern is over the reality of the threat, given that Greenberg was driving a car owned by the hackers, that they had the ability to touch previously (i.e. the “remote” part of the hack sounds scary, but it’s less scary if hackers have to get into your car first).
However, the part that I wanted to focus on is related to a discussion we were just having a few weeks ago, in which General Motors (which was not the target of this particular hack) claimed that any sort of tinkering with their software, such as to discover these kinds of security holes, should be considered copyright infringement, thanks to Section 1201 of the DMCA. Section 1201, also known as the anti-circumvention provision, says circumventing “technological protection measures” (TPMs) — even for reasons that have nothing to do with copyright — should be deemed copyright infringement and subject to all the statutory damages (up to $150k per violation!) that copyright allows. Some have been pushing for an exemption for things like security researchers tinkering with new connected car systems to make sure they’re safe. And GM and other automakers have said “no way.” GM’s argument is, more or less, that the company would prefer to put its head in the sand, and not have security researchers help it discover security flaws in its systems — leaving only malicious attackers to find those.
While proponents such as Electronic Frontier Foundation characterize the exemption as merely allowing the vehicle owners to ?tinker? with their vehicles ?in a decades-old tradition of mechanical curiosity and self-reliance,? if granted, the proposed exemption could introduce safety and security issues as well as facilitate violation of various laws designed specifically to regulate the modern car, including emissions, fuel economy, and vehicle safety regulations.
Of course, copyright is not the right law to be relying on if you think that tinkering with your software could lead to safety problems. Instead, it seems to be the law that automakers are relying on to try to hide some of the security vulnerabilities in their cars.
The Association of Global Automakers goes even further with its argument, basically saying that since they already let security researchers of their own choosing do research, no one else should be able to do that research also:
Automobile manufacturers are not adverse to external input and have a long and symbiotic history with aftermarket businesses and others, but are justifiably unwilling to risk public safety, security, and environmental wellness by compromising quality controls and oversight. Moreover, the exemption is unnecessary given that automobile manufacturers already provide access to their valuable copyrighted materials for the precise purposes proposed. By allowing every automobile owner to access and copy automotive software in the name of research, the proposed exemption undermines existing research efforts and, ultimately, wrests control of such research from those in the best position to actually improve the security and safety of our automobiles: the automobile manufacturers and their suppliers, who have the utmost responsibility to ensure that vehicles are safe and secure. The very real risk that ostensibly legitimate research unwittingly undermines vehicle security by serving as a guidebook to software vulnerabilities that enables or even accelerates illicit hacking and malicious modifications to automotive software weighs heavily against the proposed exemption. The balance of benefit versus detriment, in view of all factors involved, simply dictates against the proposed exemption.
In short, since security researchers might find a really serious hole in our software that might put lives in danger, we’re much better off using copyright law to make sure no one’s even looking for such a hole. Are they serious? Wouldn’t it be much better to give people incentives to find these kinds of security flaws so the automakers can fix them rather than relying on security-by-head-in-the-sand?
Finally, the Alliance of Automobile Manufacturers also opposed the exemption for some fairly bizarre reasons, claiming that it would magically free up researchers to disclose how a vulnerability works without first informing the manufacturer:
By arguing that the current legal landscape is too treacherous for independent researchers, proponents are in effect seeking to be freed from existing statutory constraints that are biased in favor of prudent and responsible practices ? such as managing disclosure of security vulnerabilities to minimize the risk of legal violations and exploitation of those vulnerabilities by bad actors ? to protect the safety and security of members of the public. For instance, under the proposed exemption, researchers who publish detailed analyses of vulnerabilities before sharing their findings with manufacturers would nonetheless benefit from a blanket exemption to circumvention liability, even though such premature publication could dramatically increase the risk of such harmful exploitations.
This is bullshit. There is nothing in removing the liability for circumvention that changes industry best practices of first alerting the manufacturer. That would still be standard practice. What it would do, however, is stop those manufacturers from responding by threatening a ridiculous copyright infringement lawsuit instead of realizing they need to fix a real problem in their systems. And if the automakers don’t think such threats happen, we’ve got plenty of examples to send their way.
If the automakers are serious about wanting to make sure their cars on the road are safe, they should be encouraging this kind of research (though perhaps not on actual highways… ). But the fact that copyright law is blocking some of this kind of research is a real travesty.
Filed Under: 1201, anti-circumvention, automotive, car, copyright, dmca, hack, hackers
Companies: chrysler, gm
Comments on “Car Hack Demonstrates Why Security Researchers Shouldn't Have To Worry About Copyright In Exposing Weaknesses”
Public disclosure (or at least the threat of it) is the only way to put pressure on companies to fix security holes in software, including software in cars.
Let’s not forget that these same 2 security researchers put on a demonstration on a Toyota Prius and a Ford Escape at Defcon in 2013. At the time, it required a wired connection to the diagnostic port. The automakers ignored it and said their systems were secure.
As to the threat concern, yes, these guys did have physical access to the Jeep used. But they are also able to scan the network using a burner phone on Sprint’s network that UConnect uses to locate other cars running the same software all over the place. The same vulnerable software that they can exploit remotely.
You made the bed...
For instance, under the proposed exemption, researchers who publish detailed analyses of vulnerabilities before sharing their findings with manufacturers would nonetheless benefit from a blanket exemption to circumvention liability, even though such premature publication could dramatically increase the risk of such harmful exploitations.
Well perhaps if so many companies didn’t respond to people trying to be ‘nice’ by telling them about vulnerabilities first with lawsuits and threats of them, more people might be willing to do so. As it stands, only a fool tells a company about a security issue now, the smart ones publish it anonymously and publicly.
Re: You made the bed...
There’s also the option that some researchers took in 2008: make the vendor sign an NDA. “Molnar says that the team pre-briefed browser makers, including Microsoft and the Mozilla Foundation, on their exploit. But the researchers put them under NDA, for fear that if word got out about their efforts, legal pressure would be brought to bear to suppress their planned talk in Berlin. Molnar says Microsoft warned Verisign that the company should stop using MD5.”
Re: You made the bed...
Exactly. Your plan for getting people to “first inform the manufacturer” is to swear you’ll fully prosecute anyone who admits to testing? That’s just a recipe for anonymously published 0-days popping up all over the Internet.
Start a bounty program and make people want to help you. Exploits are going to be found. Period. It’s your choice how you’ll be informed about them.
Security?
Scenario:
1. Man annoys his neighbor, who has serious anger management issues.
2. Angry neighbor hacks into his new car because manufacturer failed to proactively upgrade known security flaw.
3. Man begins to back out of his driveway but hits the brakes when he sees a school bus on the street.
4. Brakes do not function due to the angry neighbors’ hack and he T-bones the bus.
5. Children are injured, some seriously.
6. Bus driver says he saw the brake lights come on but the car did not slow down.
7. Investigation discovers the hack and the perpetrator.
8. Parent sue angry neighbor, who has few assets, and the manufacturer. Lawyers find during discovery that manufacturer was aware of the problem but decided not to fix it.
9. County Attorney tries to determine if criminal charges could apply to the case and if so who to charge.
Re: Security?
Thanks to copyright law, this scenario will never happen.
Re: Re: Security?
Thanks to laws of physics, this scenario will never happen. If a car hit a school bus at backing-out-of-driveway speeds (or even at highway speeds,) the children inside would almost certainly not be injured because of buses’ extremely sturdy construction.
Re: Re: Re: Security?
If a car hit a school bus at backing-out-of-driveway speeds (or even at highway speeds,) the children inside would almost certainly not be injured because of buses’ extremely sturdy construction.
Not to mention enormous mass advantage.
Re: Re: Re:2 Security?
Well, I don’t know about that. There have been some recent cases of collisions between trains and automobiles (and other road vehicles), in which the gas tank of the automobile was ruptured, and burning fuel made its way into the trains’ passenger cars. I believe there was one case in New York where a train was being operated in push mode, with the locomotive at the rear, and the engineer driving by remote control from the front vestibule of the front coach. They collided with a SUV. The engineer was killed in the ensuring fire, and several passengers were burned.
There was a case out in Nevada, in which a fuel tank truck collided with a tran at a grade crossing. It did a substantial amount of damage to a sleeping car, but the casualties were not very high.
Re: Re: Re:3 Security?
Obviously it’s possible for a fire to affect the bus, but I think that probably falls into the “almost certainly” category. Slowly back a car into a school bus 1000 times and how many times do you think the bus would catch fire?
Re: Re: Re:4 Security?
Well, you might have a situation in which the back end of the (front-wheel-drive) car sort of climbs the side of the bus, and pushes in at the bus windows. Something straight out of a demolition derby, in short.
When I first heard about the Lac Megantic railroad accident, I was pretty well baffled, because I had not known that it was possible to operate train brakes in that fashion. It was not a customary way of operating train brakes, nor one which is recommended, but a weird expedient dreamed up as a means of saving small sums of money. Of course the result was that forty-three people were killed, and a major portion of the town burnt out.. Ah, well, as my Human Factors Engineering professor said, many years ago, “you can make something foolproof, but you can’t make it damm-foolproof!”
Sigh. So much fail coming from the manufacturers here.
Yeah, you know what the beautiful thing about there already being laws against this stuff that they’re pointing out there are laws against? The fact that there are already laws against it! So that’s already covered and they don’t need copyright abuse to handle cases of people trying to do stuff like that.
If we were talking about manufactured physical goods, such as a car, I would agree. But we’re not; we’re talking about the software in the car, and fixing bugs in software does not work that way. Decades of experience shows exactly the opposite, as succinctly summed up by Eric Raymond in what he calls Linus’s Law: “given enough eyeballs, all bugs are shallow.” Or in other words, the more independent people you have looking at a problem, the more likely it will be that the solution will be obvious to one of them, and thus the faster it will get fixed.
Re: Re:
That is IF anyone LOOKS AT THE SOURCE CODE in the first place. Open source just ain’t what it used to be.
Modern package management has spoiled people rotten
A lot of admins just take drop the binary package in place, install warnings be damned, never to upgrade it unless their boss presses them to.
Just think of the OpenSSL bugs. In fact I’d argue that there are more “bad guy” eyeballs peering over the code of major security packages than “good guy” ones.
Re: Re: Re:
Yeah, it’s easy to “just think of” the OpenSSL bugs, because they’re about all there is to think of when you’re looking for counter-examples. They’re the one major case that’s come to light in the past decade or so. You know what you haven’t heard about? All the thousands of open source projects that haven’t had serious problems like that, because the process works when people actually use it. But OpenSSL didn’t; it could be a case study in how not to run an Open Source project.
Re: Re:
By allowing every automobile owner to access and copy automotive software in the name of research, the proposed exemption undermines existing research efforts and, ultimately, wrests control of such research from those in the best position to actually improve the security and safety of our automobiles: the automobile manufacturers and their suppliers, who have the utmost responsibility to ensure that vehicles are safe and secure.
It’s a really bizarre claim. Are they saying that manufacturers and suppliers can’t do security research until they’re sure nobody else is doing it? “Wrests control”? I guess in the sense that they wouldn’t be the only ones doing the research, so they wouldn’t have control over all research efforts. But then they don’t go on to explain what the problem with that is. Not in any way that makes sense at least.
I hate the blame game
Really?
Bad guys, whomever they are, whatever their motives are or whatever their affiliations are will *DO BAD STUFF* and figure out how to do it. It called resources. They do not care about laws.
Researchers or just the general public continue to point out stupidity, or some would say greed for not staying the course to solidify products, especially interconnected products. These companies should be using well founded current security *AND* polices for security.
I say let research move forward and be free from tortuous prosecution and continue to disclose the stupidity from organizations that refuse to do better.
All peoples will be better from these efforts.
If you release a shitty product that can hurt someone, fix it, or better yet educate yourself not to release it in the first place.
Does anyone really believe that *ANY* major car manufacture doesn’t have a team that said, well, you know, this is a bad idea? Engineers and a lot of us regular folks are not idiots to these facts. $$$$.
The merits of when to hold companies responsible and then harder issue about punishment without reprieve is where I fear we will never get to. But that is another rant.
Only if you "get" it
Only those who “get” the Internet understand the value the white hat.
Never has it been argued that car companies “get” the Internet.
Ditto airliner manufacturers.
By GM’s reasoning AshleyMadison is correct in saying that their data is secure, since they’ve issued DMCA takedowns to everyone who posted the leaked database.
Comcast’s top lobbyist David Cohen can’t possibly be holding $2,700 per plate fundraising dinners for Washington politicians, since bribery and influence peddling are illegal.
And those 9/11 truthers must be on to something, as it’s impossible to fly jetliners into buildings without violating a few laws.
We have seen example after example of companies owning software ignoring security issues. Only after it is made public appears to be the single driving force to get them interested in doing something about it. Instead we’ve seen the attempt to DMCA they way out of it, trying to remove the data from the internet. Others take the path of wanting to sue researchers for daring to reveal those limitations.
Then there are cases like Microsoft, purposely delaying patches in order to allow the NSA more time to use unsecured holes in software.
All of this goes back to no one having any sort of nudge factor short of public dumping to get the manufacturer to actually address flaws.
wut?
sample extract of the repetitive stupid:
And how has that been working so far? You keep saying this, but everyone else seems to find the vulnerabilities. Your putative security teams need help. Have some for free, morons.
Bad actors do not give a fuck about copyright or other law. R U srs here? GTFO.
To GM
Hackers don’t bother to worry about violations of copyright, and the DMCA won’t stop them from hacking stuff. You are idiots, and until you start giving people the means to protect themselves when using your (their) vehicles, then don’t expect me to invest any of my hard-earned $$ in them!
Here’s an idea. Don’t put anything of importance in a car that can be controlled via the internet. Air gap the important stuff. This will especially be needed for self-driving cars. They have to be self-contained as much as possible to prevent this sort of thing on a mass scale.
Re: Re:
Excuse me there mister … you seem to be using logic to determine a course of action. This is not permitted and you know it.
The design of metal objects weighing over a ton traveling at over 65 miles an hour should not be subject to any sort of logic intended to limit their potential for catastrophic destruction, this is simply insane – ok?
Re: Re:
Don’t put anything of importance in a car that can be controlled via the internet.
Forget internet, don’t let it be controlled by any remote means at all.
What will it take for the automotive (and other companies) to learn that hiding their failures, which inevitably come out, is worse than coming clean in the first place.
They can get all kinds of free quality assurance testing, but seem to prefer to pay in the courtroom because they can put off the payment of a decade or so.
Re: Re:
What will it take for the automotive (and other companies) to learn that hiding their failures, which inevitably come out, is worse than coming clean in the first place.
If they haven’t learned by now…. every time it comes up, the calculus is, do we go public and definitely take a hit, or try to keep it secret and maybe get away with it? THIS TIME guys, we will succeed in keeping it a secret.
Related to this, Fiat Chrysler instructs their dealers to activate these systems before a new car leaves the lot. The end user isn’t always the one who “accepts” the license agreement so no contract exists.
Ok, so you admit you are fully liable for any damage that a security flaw in your software may cause, including psychological. No? then let people help you find such flaws.
Could the driver turn off the wireless features of the car, like we can with our computers? If so, those wireless car drivers can go on-line only when necessary…
Any car mechanics can tell you the many low-tech ways to sabotage vehicles. While the wired article is interesting, it just fuels gratuitous paranoia.
There is even a bigger hole in this model
Software, all software, eventually falls out of support. So what happens when a 5 or 10 year old car hits the end-of-life support for its software and no more patches are applied? Yea, maybe the car is secure for some period of time, but eventually support will be dropped and then hackers will have a field day with older vehicles.
Re: There is even a bigger hole in this model
I suspect that car manufacturers consider this a feature, not a bug.
Just wait until the first driverless car bomb then they will be falling over themselves to have people finding their security vulnerabilities for them.
Nothing new on this side
The head in the sand approach be the automotive industry is not new.
The engineers of the Ford Bronco said if the car was 10cm wider it would be substantially more stable, but they got overruled.
Then over decades unsafe cars were sold that would flip over on bends at relatively low speeds.
The only way to fix this is by simply not buying from them. If they dont want to fix the bugs on the software… just hit them where it hurts, and buy a nice toyota or something like that.
How can Section 1201 of the DMCA be even remotely interpreted as “promoting the Progress of Science and useful Arts”?
Section 1201 is Like Gun Control
The device circumvention prohibition only stops the law abiding people, and does not stop the criminals from hacking the car software.
So your choice, customers and researchers where your the first to know, or we all get surprised by the bad guys.
Re: Section 1201 is Like Gun Control
“only stops the law abiding people, and does not stop the criminals from hacking the car software.”
And it doesn’t stop law-abiding people. Non-criminal* hackers will still be hacking the software for the same reasons they always do.
*excluding that breaking this particular law technically makes them “criminals”.
FFS
If that car hits a front wheel on the bus, it could easily take out the steering linkage. Now you have an out of control bus veering into oncoming traffic, flipping into a ditch, or worse.
Go watch some dash cam videos already…
Re: FFS
Another edge case that would be very unlikely in a low-speed collision. And dash cams would be a terrible source of meaningful evidence since the ones that are easiest to find are the ones with spectacular events. Those are generally the exception, not the rule. The thousands or millions of videos showing boring minor fender benders are never seen.
I come back to the understanding that the car company would build as safe a car as possible and once bought they have no responsibility for any changes made by the owner. I seem to recall in my younger days of all the changes younger drivers would make to their cars (street rods) and the manufacturer had no responsibility for any accidents that would happen that was connected to these changes by the owner.