Jeep hackers broke DMCA, says EFF, and that's stupid

Security by obscurity never works

It's pretty obvious really: the Electronic Frontier Foundation (EFF) has pointed out that the researchers responsible for the now-infamous “Jeep hack” broke America's Digital Millennium Copyright Act (DMCA).

Similarly obvious, they say, is that such research should be legal if Detroit wants to avoid creating the cyber-Pinto.

Over the years, the EFF – and many others – have believed the auto industry is using the DMCA to wrap motor vehicle computer systems in a veil of secrecy.

As the foundation notes in this piece, it has already sought an exemption from DMCA Section 1201 for researchers testing vehicle security.

It's probably fair to say that until quite recently, car-makers cared more about the dealer market in keeping their software secret. That way, dealer repair shops have a built-in advantage over independent mechanics (or, horror of horrors, home mechanics) – and the effort to wrap the market in the DMCA has gone on for at least a decade.

However, as software has reached further into safety-critical systems, bug-driven recalls have afflicted Ford, Toyota, and Range Rover – in this month alone.

The Jeep-hack has given the EFF's push new impetus. Charlie Miller and Chris Valasek demonstrated the old assumption that safety-critical systems are no longer air-gapped from the rest of the vehicle network – and that change is what the EFF hopes will get the Librarian of Congress to heed its pleas for a Section 1201 exemption.

The EFF notes that as recently as February, auto-makers still believed their own grasp of security was sufficient, something that didn't impress Democratic Senator Ed Markey.

A second exemption the EFF seeks would get cars treated as platforms, in that people would be able to install after-market software (for example to better secure their wheels against malicious attacks). ®


Biting the hand that feeds IT © 1998–2017