Fear of lawsuits chills car hack research

Getty Images

Regulatory agencies are trying to use copyright law to crack down on dangerous tampering with automobile computers, sparking fears that they will stymie needed cybersecurity research.

As Internet-connected cars proliferate on the roads, so too do the opportunities for hackers to uncover and possibly exploit software security flaws — for good and bad.

Concerns about who should and shouldn’t have access to vehicle software came to a head this summer when “white hat hackers” exploited a vulnerability and took control of a Jeep's steering, brakes and transmission.

The hackers demoed the stunt live on the highway, sparking concerns about how researchers go about disclosing vulnerabilities to manufacturers and the public.

Critics — including car manufacturers — suggest that researchers who go public with their findings both recklessly expose vulnerabilities to the bad guys and give manufacturers no time to resolve concerns.

Others say silencing researchers has dangerous implications for both public safety and national security.

“The enemy of security is not a security researcher who wants to report a bug,” said Katie Moussouris, Chief Policy Officer at vulnerability management firm Hacker One.

“The enemy of security is nondisclosure of the vulnerabilities, because then there’s nothing you can do about them.”

In the case of the Jeep hack, the researchers worked with parent company Chrysler for nine months leading up to their stunt on the highway. The manufacturer quietly released a patch during that time, but criticized the hackers for publicizing their work.

“Under no circumstances does [Fiat Chrysler of America] condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” the company said in a statement.

“We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.”

Last month, the Department of Transportation joined a chorus of agencies petitioning the U.S. Copyright Office to stop researchers from circumventing protected technology.

“The Department is concerned that there may be circumstances in which security researchers may not fully appreciate the potential safety ramifications of their security circumvention acts and may not fully understand the logistical and practical limitations associated with potential remedial actions that may become necessary,” DOT wrote in a letter to the Copyright Office.

Critics characterize the letter as a knee-jerk reaction to the Jeep hack.

The Copyright Office is mulling an exemption to a provision of the so-called Digital Millennium Copyright Act (DCMA) that prohibits anyone from circumventing a technological measure that controls access to copyrighted work — like vehicle software.

The law already includes one exemption for good-faith hackers: They can proceed with research if they have permission from the vendor, but that’s not necessarily a given.

Researchers say some manufacturers still view security vulnerabilities as a public relations risk, rather than an inevitability.

Some companies have taken a proactive approach to white-hat hackers, offering hefty “bug bounties” to researchers that uncover and resolve security flaws.

Tesla pays rewards ranging from $25 to $10,000 for disclosures, with a couple of caveats. The manufacturer asks that hackers give it “a reasonable time to correct the issue before making any information public.”

The DOT acknowledges that good-faith research “presents the potential benefit of promoting collaboration in identifying security vulnerabilities.” The department says its concerns could be addressed by placing limitations on public disclosures of security vulnerabilities, rather than banning any research outright.

One possible resolution, according to the DOT, is for researchers to be protected under the copyright law if they disclose their findings only to regulators or potentially affected parties.

Critics say this approach silos security analysts, effectively cutting them off from the community collaboration that is a part of academic research, while doing nothing to stop hackers who operate outside of the law from sharing their findings.

“The issue with any prohibition on security research is that you’re only stopping good researchers that follow the law in one country,” said Kevin Mahaffey, chief technology officer of the mobile security company Lookout. “That’s a very small subset of security researchers in the world.”

The DOT’s proposal would also rely on manufacturers to be quick responders to threat disclosures, something not all researchers trust them to be.

“There have been instances where a researcher had in fact told a manufacturer and the manufacturer had not addressed the vulnerability,” Erik Stallman, general counsel at the Center for Democracy and Technology, told The Hill.

Automakers say they are vigilant about security concerns. The Alliance of Automobile Manufacturers, the major industry group, recently announced it had created a hub that would allow companies to swap data on cyber threats.

Eventually, the group says, telecommunications and technology companies will hopefully participate in the hub.

The hacking debate comes as the auto industry is struggling to reestablish trust in the wake of damning revelations about Volkswagen’s proprietary software.

Last month, the EPA accused the German automaker of including software in some diesel vehicles that gamed emissions requirements, making it look as if the cars were complying with federal standards when in fact they were not.

The DOT also suggests that any copyright law exemption for security researchers should require that they give vendors enough time to respond before they go public with their findings.

But security experts say rather than limiting disclosures, the better approach would be to create a better system for reporting.

Across the security industry, there is an accepted standard for disclosures to manufacturers, but it’s far from codified and still leaves researchers uncertain as to whether reporting their work will open them up to litigation.

Fear of legal action, experts say, can chill needed research while more malicious hackers continue hunting for software holes unfettered.

“There are statutory exemptions for security testing but their exact limits are unclear,” Stallman said.

“What’s getting in the way of needed cybersecurity research is uncertainty about what is and is not permissible. That’s a big problem for researchers, people who fund the research and the institutions that employ them.”