Car hacking: Researching cyber vulnerabilities in computer-controlled cars may violate copyright law

Published 30 October 2015

The advent of computer controlled, Internet-capable vehicles is offering fertile new ground to hackers. Groups of “white hat” hackers have already demonstrated the vulnerabilities inherent in the new cars’ computer systems – by taking control over a car from ten miles away. One problem in addressing the issue is that the control software is proprietary, and is owned by the developers, and researching it to uncover flaws may be a violation of copyright laws.

The development of the interconnected, network-based environment now commonly used for data handling brought with it an unexpected threat. The massive collections of records and computer-based operations management kept by commercial firms, government agencies, and public utilities were a boon to these organizations. As the power and capacity of these systems grew, more and more data was stored in remote “server farms.”

With the advent of the World Wide Web, and the media it could carry, businesses could now advertise and present their wares, and purchases could be made online.

However, practically no thought was given to security. Highly skilled hackers devised ways to breach what minimal security there was, and were able to access databases. These records were now exposed, and could be used for criminal purposes.

Gradually, systems were hardened, and with greater security, only the elite few hackers were able to find and take advantage of vulnerabilities.

Now, with the advent of computer controlled, Internet-capable vehicles, fertile new ground has been made available to hackers.

A short time ago, a group of “white hat” hackers gave a demonstration of the vulnerabilities inherent in the new cars’ computer systems. From a distance of up to ten miles, they were able to take control of an auto’s control systems. Once achieved, they were able to disable the brakes, gain control of the steering, and force the engine to run faster, or to shut down completely.

Clearly, there is a need for research into the software used in these vehicles, in order to locate and “patch” vulnerabilities. The true problem, The Hill reports, is that the control software is proprietary and owned by the developers, and researching it to uncover flaws may be a violation of copyright law.

Regulators are considering using such intellectual property protection to attempt to control access to the control software.

In the case of the aforementioned vehicle hack, researchers worked with Chrysler for nine months to harden the control software. During this time, the company quietly released a patch to close these vulnerabilities. But the company was highly critical of the researchers disclosing and demonstrating what they had found.

The Department of Transportation, in a letter to the Copyright Office, wrote that “The Department is concerned that there may be circumstances in which security researchers may not fully appreciate the potential safety ramifications of their security circumvention acts and may not fully understand the logistical and practical limitations associated with potential remedial actions that may become necessary.”

Researchers maintain that many companies view the research results as a public relations risk, or may be slow in responding to the findings. Other companies take a more direct approach by offering bounties to the hackers that can locate bugs within the software.

There are several remedies to the dilemma, all of them dependent on researchers complying with the law. None of them, however, resolves the matter of unethical, or “black hat,” hackers who operate outside the law.

For them, there is now a whole new realm to explore. They will scour the software, searching for the hacker’s “Holy Grail,” a zero-day defect.

A zero-day defect is a vulnerability in the software that has not previously been discovered and patched. Such a defect provides access to the control systems for as long as the exploit goes undetected.

Regulators have yet to resolve the copyright problem, and resolving it would still not address the work of unethical hackers.