Cybersecurity researchers and others in the public have the right to tinker with software in vehicles for “good-faith security research” under a new exemption authorized by the librarian of Congress on Tuesday. The exemption, which was opposed by the auto industry, comes after the Volkswagen “defeat device” scandal and after two researchers proved it was possible to take remote control of a moving Jeep Grand Cherokee.
The Electronic Frontier Foundation (EFF) previously filed a request to include an exemption for software access under Section 1201 of the Digital Millennium Copyright Act, or DMCA. Section 1201 previously allowed vehicle manufacturers to threaten researchers with legal action for modifying a car’s software, regardless of whether the research was well-intentioned. Now car owners can adjust software in cars as long as it’s a “lawful modification.”
While the EFF expressed dismay that the decision doesn’t go into effect for a year, the cybersecurity research community praised the ruling. Not only does this decision mean researchers will be able to expose safety vulnerabilities, it’s probably going to save a lot of people a lot of money.
“I don’t see how the Library of Congress wouldn’t agree that the exemption language as proposed by the EFF isn’t appropriate,” said John Ellis, a technologist and the founder of Ellis & Associates, which advises businesses on automotive and software issues. “This is a money game. Locking people out, shutting stuff off, that’s a money game.”
An example of that is a world where all the technology on the car belongs to the original equipment manufacturer. A car owner could conceivably be punished for fixing the car himself, or taking it to a mechanic who is not approved by the original manufacturer. Even buying a cheaper part from another country and bringing it to an approved mechanic would be against the law, and it’s possible that part wouldn’t work anyway.
“That’s exactly what happened in the printing industry,” Ellis said. “The newest thing is that inkjets are geocoded, meaning you can’t put a cartridge from the United Kingdom into a printer in the U.S. They’re doing that to ensure price controls on the ink, and they can do that because the technology is available to them and it hasn’t been deemed illegal.”
The librarian of Congress entertains proposals for exemptions to the DMCA every three years or so. In this case, the government’s decision applies to a “personal automobile, commercial motor vehicle or mechanized agricultural vehicle.” The decision also made it legal to jailbreak smartphones and tablets, as well as edit abandoned video games.
John Deere and General Motors were the most prominent opponents of the proposed DMCA exemption, essentially saying customers own the steel in their machines but are licensing the software.
The exemption comes five months after two researchers proved that with the right experience and some work, an attacker could exploit vulnerabilities in a Jeep to the point of bringing it to a halt on the highway. Don’t forget the software code, embedded in several 2009-15 Volkswagen models, that the German company used to cheat emissions tests.
“This ‘access control’ rule is supposed to protect against unlawful copyright. But as we’ve seen in the recent Volkswagen scandal … it can be used instead to hide wrongdoing hidden in computer code,” EFF staff attorney Kit Walsh wrote after the decision Tuesday.
“The yearlong delay in implementing the exemptions, though, is disappointing and unjustified,” Walsh added. “The VW smog tests and a long run of security vulnerabilities have shown researchers and drivers need the exemptions now.”