The U.S. Copyright Office recently lifted restrictions that hindered IoT security researchers. Until now, the Digital Millennium Copyright Act (DMCA) prevented researchers from reverse engineering the copyrighted software in cars, voting machines, "IoT" devices, and similar products.
Government opinions on the topic have been scattered across the playing field. But the Defense Department recently invited hackers to test its systems under the "Hack the Pentagon" program, and the results were promising: officials recommended turning to the private sector for security testing, arguing that it would save time and money in the end. Times have changed. The State Department, though, just failed its own security test. And since officials have since approved a follow-on "Hack the Army" program, the State Department could be next.
Security researchers, for the most part, were behind the change. Their longstanding argument concerned malicious hackers: bad actors have proven willing to break anti-hacking laws to cause damage anyway, while white-hat hackers, who do follow the law, were kept away from this kind of work.
“Obviously, adversaries don’t abide by regulations, so their ability to reverse engineer and figure out how to get into a device and find ways to exfiltrate data has been successful,” said Anthony James, CMO with research firm TrapX.
In terms of opening up new opportunities for researchers, this is only good for the industry. As an industry we wait for an attacker to exploit a vulnerability that they have the time, resources and energy to discover. This allows researchers to be more proactive when it comes to building defenses.
The U.S. Copyright Office granted researchers an exemption to Section 1201 of the DMCA. This exemption creates a "legal loophole" in the "prohibition against circumvention of technological measures that effectively control access to copyrighted works." Before the exemption, researchers faced the penalties imposed by Section 1201 and could not "unlock software" without the manufacturer's consent. Section 1201 exemptions are granted through the Copyright Office's triennial rulemaking, so this one must be renewed at each cycle or it lapses.
The exemption came with tight conditions on how the research is conducted. Research on IoT devices, smartphones, cars, medical devices, voting machines and similar products is covered, but the government made clear that critical infrastructure is not: aircraft and major hospital systems were explicitly excluded from the new exemption. Other ground rules were set too:
- The research has to be for security or repair purposes only
- The product being investigated must have been lawfully acquired
- The research has to be done in a controlled environment, so that techniques used to hack or otherwise compromise a product are not released into the wild
- The research cannot violate other laws
"In addition, researchers faced a 'good-faith' restriction; if deemed to have violated it, researchers could still face prosecution under the Computer Fraud and Abuse Act," said Craig Young, researcher at Tripwire.
Kit Walsh of the Electronic Frontier Foundation said:
It doesn't mean that a researcher can create modifications to vehicle software and then sell them on the open market. The exemptions do not permit 'trafficking' in any technology.
They do not allow the sharing of security research tools for circumventing access controls, and they do not allow sharing of a tool for jailbreaking your car to make modifications.
Harley Geiger of Rapid7, the company behind Metasploit, said he believed researchers would act in good faith.
“We encourage the security research community as a whole to represent itself in the best light in part because irresponsible actions could invoke backlash,” he said.