White hat hackers are ethical hackers or security experts who penetrate systems in good faith—usually to test for gaps and flaws.
A new rule, largely thanks to petitions by the Electronic Frontier Foundation (EFF), affords some exemptions to the Digital Millennium Copyright Act (DMCA). The new rule, called "Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies," was made effective October 28, 2015, but a one-year implementation wait was enforced to allow ample time for other agencies to adapt and respond. That means that since October 28, 2016, white hat hackers have been, and are now, able to test for flaws in car software without fear of reprisal under reasonable conditions.
The DMCA had already allowed for white hat hacking provided that security researchers had prior permission from the vendors. Now it is allowed as long as the owner of the vehicle itself grants full permission to the hacker, and the activity and testing are done in a controlled environment where the safety of other people or property is not at risk.
Among exemptions for security research into areas such as medical devices, cell phones, and video games, the EFF petitioned for Proposed Class 22 allowing “Circumvention of Technological Protection Measures (TPMs) protecting computer programs that control the functioning of a motorized land vehicle for the purpose of researching the security or safety of such vehicles.”
The US Copyright Office listed opposition to Proposed Class 22 as coming from companies and groups such as Global Automakers, Auto Alliance, GM, John Deere, and MEMA. The Department of Transportation (DOT) also expressed reservations.
“The Department is concerned that there may be circumstances in which security researchers may not fully appreciate the potential safety ramifications of their security circumvention acts and may not fully understand the logistical and practical limitations associated with potential remedial actions that may become necessary,” the DOT expressed in a letter to the office.
WIRED magazine collaborated with security experts back in 2013 to commandeer a Ford Escape and Toyota Prius from the backseat with a laptop. In 2015 they remotely killed a Jeep Cherokee on a highway, proving their ability to wirelessly disable its engine, cut and control braking, and track it in a disquieting show of surveillance. This prompted Chrysler to offer software updates via USB to customers who voluntarily asked for a patch.
Tesla has been offering bounties to hackers who find bugs in its automotive software. The monetary award is given as long as the information is disclosed to Tesla privately, allowing the company to take the necessary measures without additional press-related headaches.
Meanwhile, proposed legislation in the form of Senate Bill 927 aims to make it illegal to do any hacking of cars in Michigan, stating, “A person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter, or gain unauthorized control of the motor vehicle.” Policy and security experts warn against legislative language that stifles innovation and discourages beneficial research.
A debate has been ongoing for the past several years between security firms and car manufacturers. On one hand, white hat hacking is invaluable and necessary to ensure security and safety within automotive software. On the other, it is maintained that exposing sensitive information can potentially give malevolent hackers an unauthorized advantage—as well as cause public relations storms.
“In this final rule, the Librarian of Congress adopts exemptions to the provision of the Digital Millennium Copyright Act (“DMCA”) that prohibits circumvention of technological measures that control access to copyrighted works, codified in section 1201(a)(1) of title 17 of the United States Code. As required under the statute, the Register of Copyrights, following a public proceeding, submitted a Recommendation concerning proposed exemptions to the Librarian of Congress. After careful consideration, the Librarian adopts final regulations based upon the Register's Recommendation,” the US Copyright Office stated.