When you drive a car off the dealer’s lot, you own the whole vehicle, right? For decades, car owners have popped the hood and crawled under the car to do their own maintenance, and the mechanically inclined have even made modifications to improve performance or handling. However, in an era where a car is increasingly controlled by software, the right to tinker with your vehicle has been called into question. After all, software is often sold under a license and the end user doesn’t actually own the code. This means there is a lot of uncertainty about the extent to which the public can modify the software embedded in a car.
Today the Library of Congress brought a bit more clarity to the situation by granting exemptions from the Digital Millennium Copyright Act (DMCA) that would enable the public to delve into the embedded systems and software in their vehicles for “good faith security research” and “lawful modification.” This was a much-anticipated decision that captured the attention of everyone from the auto industry to the cybersecurity research community.
How did we get here?
Section 1201 of the DMCA makes it illegal to circumvent access controls and technical protection measures. In 1998, Congress ostensibly intended for this provision to stop content pirates from defeating digital rights management (DRM) and other content access restrictions on copyrighted works (i.e. stopping people from breaking encryption on CDs and DVDs). However, Section 1201 isn’t limited to just CDs and DVDs; it applies to any bit of protected software. Whether intentional or not, Congress wound up giving rights holders and manufacturers complete veto power over any examination of their code: any interested party would need permission to avoid being in violation of the DMCA. Critics argue that in practice, the DMCA has actually chilled a variety of legitimate activities that require breaking DRM, such as academic research.
Petitions for Exemptions
Once every three years, the Librarian of Congress, through the Copyright Office, hears requests from the public on whether there are any new classes of works that will be exempt from section 1201’s prohibition. Last October, the Librarian considered a number of classes eligible for exemption, including software that controls automobiles. Since modern automobiles are controlled by a mixture of software, microprocessors, and computers (known in the auto industry as electronic control units, or ECUs), the DMCA could have potentially protected or limited access to the software and logic on those ECUs. However, many repairs require access to the software, as does research into vehicle safety. Petitioners, such as the Electronic Frontier Foundation, argued that when auto manufacturers deploy technology (i.e. encryption) to prevent access to the code, that can transform an act of repair or research into a DMCA violation. The EFF concluded that only persons authorized by the vehicle manufacturer could effectively perform repairs, and independent audits of vehicle safety and security would take place under a legal cloud, if at all.
Black Hat and VW’s defeat devices
Access to the underlying code that runs a car came to light this past summer when two well-known independent security researchers, Charlie Miller and Chris Valasek, discovered a vulnerability in a Jeep Grand Cherokee. Presenting their research at Black Hat 2015, the two demonstrated how they were able to exploit that vulnerability and remotely take over full command and control of the vehicle. While vehicle cybersecurity vulnerabilities have been previously researched and discovered, and the results have been widely disseminated, Miller and Valasek’s work definitely brought the issue of automotive cybersecurity to the forefront of public awareness.
In another high-profile case, researchers at West Virginia University found that Volkswagen had installed special defeat software that made the vehicles’ pollution-control systems run cleanly during emissions testing, but allowed the vehicles to emit higher levels of pollution during normal daily operations.
With today’s announcement, the U.S. Copyright Office has ensured that important legitimate research into a vehicle’s embedded systems and software can continue without the threat of legal action.