Go ahead and hack your car, that’s fine now. Go ahead and hack the Department of Defense, that’s okay too under new policies. This doesn’t mean you have a license to do unlimited badness; it means the US authorities have finally become more welcoming to research efforts to uncover bugs that could potentially create holes for the bad guys. You won’t get sued (unless you do something of epic stupidity). It wasn’t always this way.
For years, auto enthusiasts have customized their cars for better performance. Nowadays, those same cars are driven by computers that control everything. But until recently, laws technically prohibited them from adjusting fuel management, for example, to increase performance. Why? The manufacturers argued they were hacking software the manufacturers own and that the car owners only have a license to use. It was a sort of DRM (Digital Rights Management) for the car you bought. This meant you may own the car and have a right to modify it, but you couldn’t legally touch the software that ran it all.
“UNTIL RECENTLY, YOU HAD THE RIGHT TO MODIFY A CAR THAT YOU OWNED, BUT YOU COULDN’T LEGALLY TOUCH THE SOFTWARE THAT RAN IT.”Not so anymore. This came to a head in recent years when tractor owners attempted to modify the computer software on their high-priced farming machines and fell afoul of the manufacturer’s attorneys. The manufacturer argued the tractor owners only had a license to use under certain conditions, but not to modify. The owners argued the software didn’t do what they wanted, and limited the use of the vehicle they purchased. Some went elsewhere and bought competing equipment. Some kept hacking.
It’s hard to imagine a band of rogue farmers slinking around the farm with hacked laptops bent on doing evil deeds though. They just wanted their tractors to work as they thought was necessary.
The jumping off point – legally – were laws that sought to keep copyright infringers from stealing works like music. So, too, the automotive manufacturers jumped on the legal bandwagon to hopefully prevent people from modifying their cars and tractors, possibly causing problems. But what applies to music seems clumsy at best when applied to hacking the rest of the software that drives your life (and tractor).
But then researchers who were working for the good guys couldn’t really expose flaws without fear of reprisal. By far, the majority of people looking for flaws in their own equipment were not interested in harming their own equipment or themselves. They wanted to improve things. But they also didn’t want to get sued while doing good deeds, so the motivation to help was low.
But what about the bad guys? The scammers – an ever-present threat – were free to test as much as they liked. And without researchers trying to help, millions of potential threat vectors wouldn’t be tested or responsibly disclosed, resulting in millions of potential attacks that could hamper devices in droves.
Increasingly, progressive software companies welcome researchers, and even add to the interest by offering rewards for willing researchers bent on uncovering flaws. These “bug bounty” programs have been amazingly successful, sometimes helping the software companies uncover hundreds of flaws before they are exploited.
Not so much with the car manufacturers. Until now, you were unlikely to receive a warm welcome if you reported a flaw in the software that runs your car, and you just might get a legal letter. But now some manufacturers are relaxing that approach by rolling out bug submission processes. Basically, companies like General Motors are now enlisting your help as a researcher. That’s great news for us all.
Hacking the Fed
If you were nervous about hacking your car, you were mortified to hack the U.S. Government (unless you’re a scammer, then it might be your day job). Auto manufacturers might send nasty letters, but probably not black vans to haul you off. Not so with the government. Notoriously devoid of a sense of humor, the fed doesn’t take kindly to exploit attempts which you feel are really interesting and novel. Until now.
Seemingly, the bug bounty wisdom has shined its light on the Fed. What’s the result? If you abide by their rules of engagement, you can fix holes for the greater good that will help protect us all. That’s not to say their efforts are perfect, and you should just go nuts and port scan the whole government and start hammering, but if you exercise some modicum of common sense (and maybe read the rules of engagement), they want to hear from you.
The U.S. Army does too. Seems the word is getting around that not only can this help to keep us all safe, you may also show up on their radar as a researcher interested in helping the Army, and not ending up in the crosshairs of a very large adversary in the process.
It’s a welcome respite from the draconian views of only a few years ago, when it felt like taking your life in your own hands if you endeavored to explore the world for vulnerabilities and report them. How’s it working? At least one auto manufacturer is reporting hundreds of flaws discovered, which they then can fix, and all without hiring a raft of expensive (and difficult to find and hire) researchers. Is it a perfect system? No. But nothing is. It is, however, a good start and a nice gesture to the community. So now you can come clean about hacking your car, even if it runs much worse since you started.