The legal exemption making life easier for ethical hackers

An exemption to the Digital Millennium Copyright Act allows hackers to conduct good-faith research into medical devices, automobiles, and other internet-connected devices without threat of lawsuits from manufacturers.

Arnd Wiegmann/REUTERS
An employee sits inside a virtual reality connected car cockpit built by Segula Technologies during the first press day ahead of the 85th International Motor Show in Geneva March 3, 2015.

Cybersecurity researcher Brian Knopf specializes in hunting for vulnerabilities and flaws inside connected devices and wireless gadgets. 

So when his wife, Sarah, contemplated whether to have doctors implant a neurostimulator in her back designed to treat chronic pain issues, she wanted him to hack it first. 

Mrs. Knopf had safety concerns about the device, about the size of a large LEGO block, and wanted reassurance that its remote charger was tamper-proof. But there was little Mr. Knopf, or any other outside security researcher, could do to test the resilience of the device without risking a lawsuit from the manufacturer or potential fines.

For more than a decade, the Digital Millennium Copyright Act (DMCA) criminalized unauthorized research on medical devices, as well as many other consumer products that run on software such as cars and television sets. But in October, the Library of Congress initiated a three-year exemption to the DMCA allowing ethical hackers such as Knopf to perform "good-faith security research" on medical devices and many other wireless and internet-connected electronics. 

"Most of us are not people who are looking to cause harm. We're trying to understand how to make things better," says Knopf, director of security research for the tech firm Neustar. "You're taking a bunch of inquisitive people and shutting them down and scaring them with laws meant to prosecute criminals."

Photo by Michael Bonfigli/The Christian Science Monitor
Security researcher Brian Knopf spoke at the Security of Things Forum in Washington on Oct. 27.

As a result of the exemption, researchers like him can begin investigating devices such as the neurostimulator that Sarah Knopf eventually had doctors implant in her back, despite her initial worries. And many see scouring for software flaws as an act of public service in our increasingly connected Digital Age.

A flaw in medical equipment, said Knopf, "could crash the device, it could trigger the electricity, it could kill the electricity." And malfunctions or security breaches may not only damage the device, but also put the users at risk. "It's someone's health and safety."

Cybersecurity experts have long complained that the growing number of connected and wireless medical devices on the market presents serious risks for patients without additional research and analysis of the underlying software.

For instance, in 2013, security researcher Billy Rios found vulnerabilities in web-connected infusion pumps that could allow attackers to manipulate dosages. The US healthcare system Essentia Health also found that many Bluetooth-enabled defibrillators and X-ray machines were rife with software vulnerabilities.

"We're not going to run out of reasons to do security testing," says Katie Moussouris, chief executive officer of Luta Security, a company that helps governments and large organizations start vulnerability disclosure programs and bug bounties. The DMCA exemption, she says, "is essentially saying, we're now able to shine the sunlight of disinfectant on devices we weren't able to touch before."

And though it's hard to pin down just how many researchers will now be able to tinker with cars, medical devices, and other gadgets without concerns of legal reprisal, some advocates of the change think the DMCA revision will help continue an uptick in white hat security research.

"It allows security researchers acting responsibly to independently unlock devices without the consent of the software manufacturer, such as if they purchased the device, as long as they’re doing it in safe and controlled conditions," says Harley Geiger, director of public policy at the cybersecurity firm Rapid7. "It will make independent security research clearer from a legal liability point of view."

The Food and Drug Administration (FDA), which supported the DMCA exemptions for medical device research, recently pressed medical device makers to fix software flaws in their products. The pressure came after the cybersecurity firm MedSec revealed a range of security flaws in pacemakers and other devices developed by St. Jude Medical (the company denied the existence of those software flaws).

"It's not research for research's sake," said Suzanne Schwartz, the associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health, at a recent Passcode event in Washington. "We're talking about research that's going on for the betterment of these devices."

It's unclear just how many researchers are taking advantage of the exemptions, or whether any serious vulnerabilities have been discovered in medical devices or other connected electronics. 

And cybersecurity researcher Craig Smith pointed out the exemption doesn't just benefit professionals and cybersecurity firms. It'll protect anyone who wants to poke around on everyday products such as cars that run on software, said Mr. Smith, author of "Car Hacker's Handbook," an illustrated guidebook that depicts the digital inner workings of modern cars.

Now, he can freely pursue his latest project, dubbed "CANiverse," a reference to the vehicular Controller Area Network (CAN) that allows in-car devices to communicate with each other. He's setting out to create a kind of marauder's map for modern car tinkerers hoping to suss out software flaws in the electronic systems that allow different parts of a car – the engine, airbags, and transmission systems – to communicate with each other.

The auto industry is "going from a mechanical to a software industry," says Smith. Projects like his are all about "being able to reverse engineer and understand the equipment."
