The Library of Congress issued new exemptions allowing researchers to hack a car's internal software. The new rule is one of many exemptions to the Digital Millennium Copyright Act, also making it legal for users to hack a smart TV, access medical devices, modify a video game, or jailbreak a smartphone.
Auto manufacturers fought attempts to make it legal to hack a car's internal software, as did both the U.S. Department of Transportation and the Environmental Protection Agency.
However, the aftermath of the Volkswagen emissions testing scandal – in which it was discovered that the auto manufacturer had programmed its own vehicles' software to behave differently under emissions testing so that they would perform better on emissions tests – was finally enough to elicit a reaction from regulators.
The exemption allowing for hacking automobiles' internal software for “good faith security research” was based on a request sent to the Librarian of Congress by the Electronic Frontier Foundation (EFF).
While researchers are pleased with the automotive software exemption, concerns remain surrounding its time frame: the exemption goes into effect “no earlier than 12 months after the effective date of this regulation,” as the ruling stated.
Chris Valasek, the security researcher who along with Charlie Miller hacked a Jeep Cherokee in July, was disappointed by the delay. “This isn't a scene from ‘The Wire’ where the drug dealers can call ‘time out’ for nine months,” he told SCMagazine.com. “The attackers and researchers are still out there working to exploit these vulnerabilities.” Valasek joined Uber in August.
Indeed, they are. Last week, a Jaguar XFR was stolen from a New Zealand auto dealership by a thief using an electronic device to hack the vehicle's keyless entry system.
Last month, Kathryn Thomas, the Department of Transportation's general counsel, sent a letter to the Library of Congress urging against the automobile software exemptions.
Had the DOT's suggestion been adopted, researchers would have faced a lengthy process of cutting through red tape: trying to convince corporations to fix their vulnerabilities, and asking regulators to take action when companies won't.
The request asked the LOC to consider limiting researchers' ability to disclose security gaps until “adequate time for responsive actions to be formulated and executed before broader disclosures are made.” Cynics might be excused for wondering what the DOT considers “adequate time.”
For example, when Valasek and Miller discovered the Jeep Cherokee vulnerability, the researchers contacted Chrysler to inform the automaker about the vulnerability they had found. “They actually knew about this problem even before we did,” he told SCMagazine.com. Despite an ongoing conversation between Chrysler and the researchers that dragged on for nine months, the company did not fix the problem. Then, as soon as the researchers went public with their exploit, Chrysler quickly created and released a patch.
There is, of course, no motivator like the prospect of customers' ire.
Compare this to an exploit discovered by a team of researchers at the University of California, San Diego and the University of Washington. The researchers didn't name the car or manufacturer, but instead shared their findings privately with the manufacturer (it has since been revealed that the vehicle was General Motors' 2009 Chevy Impala). Five years later, GM created a patch.
Last week, the House Energy and Commerce Committee met to consider automotive safety reforms that would make it illegal to hack vehicles. The proposed legislation is sponsored by Rep. Michael C. Burgess, M.D. (R-Texas), chairman of the Commerce, Manufacturing, and Trade subcommittee.
At this time, it is unclear how the House Energy and Commerce Committee will react to the LOC's auto software exemption. Neither Rep. Burgess nor the Energy & Commerce Committee press secretary could be reached for comment.
It is already illegal to hack someone else's vehicle, said EFF Staff Attorney Kit Walsh. He told SCMagazine.com via email that it is important “to make sure that the legitimate research and tinkering protected by the exemptions isn't made illegal by some new rule pushed by the auto manufacturers.”
“I don't see how anyone benefits – other than the auto manufacturers' brands – when you don't announce these vulnerabilities in a timely manner,” said Valasek. “You want these to get fixed in an appropriate amount of time.”

UPDATE: A Congressional staffer told SCMagazine.com the automotive safety bill under consideration by the House Energy and Commerce Committee does not overlap with the Library of Congress exemptions. The staffer said the committee does not have the jurisdiction to change criminal or copyright law, but would like to see additional civil penalties enacted for hacking vehicles.
CORRECTION: The following quote was modified: “The attackers and researchers are still out there working to exploit these vulnerabilities.”