Meet the Internet of big, lethal Things
Should you be free to tinker with a combine harvester?
Silicon Valley’s desire to open up the software that controls heavy vehicles has come under criticism from industry experts.
This week the Electronic Frontier Foundation (EFF) renewed its call for the legal protection that manufacturers use to safeguard automotive software to be relaxed.
For three years, farm machinery maker John Deere has found itself in a fight against the EFF, Silicon Valley’s most reliable proxy group, over the right to control its own intellectual property. Auto manufacturers use a variety of legal mechanisms to stop people tinkering with their gear willy-nilly, and one of them is copyright.
Last year the US Copyright Office recommended that “computer programs that operate … motorized land vehicles would also receive a limited exemption” for “good faith research.”
So the Digital Millennium Copyright Act permits tinkering with permission, but the EFF is fighting for “permissionless innovation.” It isn’t happy that copyright exemptions for vehicles only apply for a narrow range of uses, such as research.
For its part, John Deere argued that: “Individual vehicle owners do not have the technical resources to provide safe, reliable and lawful software for repair, diagnosis, or some dubious ‘aftermarket personalisation, modification or other improvement’ that is not directed towards repair or diagnosis of the vehicle.”
That’s not enough for the EFF, which wants all copyright protection on vehicles blown wide open. Here's a foundation-inspired WiReD headline on the subject from last year:
Deere noted that the reasons the hobbyists cited included “modify their engine controllers”, “race on private courses” and “cap the speed when they lend the car to their teenage children.”
“Vehicle software will be subject to contamination from the repair or modification efforts of individual vehicle owners, the vast majority of whom do not have the programming or technical competence in the full range of applicable federal regulations and industry standards,” they stated, adding that opening a vehicle up to viruses and malware is also not a good idea.
But it isn’t merely about saving people from themselves. A hobbyist doesn’t tinker in a vacuum. Much agricultural machinery is connected to the internet, and an internet-connected heavy vehicle that can be controlled remotely can be controlled remotely by a bad guy, too.
Ken Tindell, CTO of automotive security startup Canis Automotive Labs, pinpointed the problem:
“As usual the ‘right to tinker’ is being twisted in an ideological battle,” he told us via email.
“What are being talked about here are mechatronic systems, not general purpose computers. There is a tight coupling between a mechanical system, electronics and embedded software: they are whole systems with real world mechanical consequences for failure that cross into product liability and even safety.
“No manufacturer or insurer should have to assume liability for an engine broken by borked software, or a vehicle that suddenly drove into a bunch of pedestrians because the owner's lashed up open source self-driving system went crazy. It’s hard enough to engineer safety critical software in the presence of things like sensor failure, but to also take into account tampering by amateurs (who frequently refer to CAN frames as 'packets' and CAN identifiers as 'addresses') is almost impossible.
“And that’s before we talk of malefactors asserting the ‘right to tinker’ with the software in someone else’s internet-connected car. Unlike 3D printed guns, downloading warez to run in an Arduino board duct taped to a CAN bus controlling two tons of speeding metal really does have the potential to kill.”
The EFF may not have seen Ken’s helpful guide to securing your internet-connected vehicle, so with his permission we reproduce it here:
Handy schematic for designers ... Image © Ken Tindell, used with permission
If someone wants to tinker with a vehicle, Ken suggested, they are completely free to develop their own electronics and software to do so, provided they engineer their system to the relevant safety standards and obtain the necessary certification and insurance when used in the presence of people who could be injured by a malfunction.
The European Court of Justice ruled in 2014 that any vehicle, even on private land, must be insured, given the potential to cause injury.
As we saw in Nice in July, and Berlin this week, a heavy vehicle can cause horrific human casualties. Readers are invited to imagine what a hacker could do with one. ®
Ironically, the EFF claim that in defending its software, John Deere is somehow restricting property rights. “Ownership of personal property isn’t just for big companies”, this week’s blog post asserts. Property ownership is both a legal and a human right - but few people have done more over two decades to strip digital property rights from the individual than the EFF, and their corporate sponsors in Silicon Valley.