The Librarian of Congress recently announced exemptions to the Digital Millennium Copyright Act (DMCA) that now make it legal to circumvent specific technological measures that control access to copyrighted works, including software on DVDs, Smart TVs, and, of most interest to me, automobiles. Drivers should be happy with this announcement, despite the protests from automakers, the EPA, and the Department of Transportation (DOT). This exemption lets security researchers uncover vulnerabilities in automobiles and lets auto makers fix these problems before anyone is affected.
Securing any system from hackers is complex, and this is especially true for cars. The more researchers you have looking for problems in cars, the better chance you have of finding them before the bad guys. Most of the biggest names in IT, including Google, Microsoft, and Facebook, embrace external research, offering thousands of dollars in “bug bounties.” There’s no reason that auto makers shouldn’t do the same.
Activities conducted under the exemptions must still comply with other applicable laws, so as not to introduce public health, safety, and environmental concerns. For example, users still can’t legally modify their car’s system to increase performance if these modifications increase vehicle emissions and thus violate the Clean Air Act. This provision should satisfy the objections of the EPA and DOT toward this exception, although catching violations will admittedly be difficult.
What do the auto makers think of the DMCA and bug bounty programs? In a recent survey of more than 500 auto makers and suppliers, the Ponemon Institute found that respondents were nearly even split (43 percent vs. 42 percent) as to whether “white hat hackers” should be subject to the DMCA. Of those who thought the DMCA shouldn’t apply to white hats, only 22 percent thought white hats should “be encouraged to test the security of automotive software.”
Right now, car makers seem to be saying “no, thank you” to white hat scrutiny. Fortunately, this ruling by the Library of Congress will allow researchers to scour the automotive applications for vulnerabilities, with or without the blessing of the automotive industry. The end result will be safer vehicles for everyone.
To learn more about the Ponemon survey, attend the webcast Car Cybersecurity: What do Automakers Really Think? on Thursday, November 12, 2015 at 1:00 PM (EST).
For the past two years, Gene Carter has been the Director of Product Management for the Embedded Security Business Unit at Security Innovation. Carter has spent the past 20 years in embedded and automotive product management roles for NXP Semiconductors, Philips Semiconductors, and Coto Technology. He holds an MBA from the University of Southern California’s Marshall School of Business and a BSc in Electrical Engineering from Tufts University.