White Hat Hackers Fight For Legal Reform

Published: 22/11/2024   Category: security


Security researchers petition to update digital intellectual property and copyright protection laws that limit their work in finding and revealing security bugs.



Billy Rios has discovered major security holes in TSA passenger-screening equipment at US airport checkpoints as well as in medical equipment, and often shares his findings with the US Department of Homeland Security and the Food and Drug Administration. But Rios almost always faces the affected product vendors' general counsel in a delicate legal dance that serves as a chilling reminder of the looming legal risks security researchers face just for doing their jobs.
"Legal is always on the table… This stuff happens all the time, more than people realize, behind the scenes," says Rios, who is director of threat intelligence at Qualys. "A lot of times researchers put themselves at risk as an individual when they disclose their findings," he says.
The legal implications of good hackers hacking into increasingly networked and vulnerable consumer products are intensifying. The Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA) often pose a gray area for security research, and companies in the consumer space that traditionally have had little or no interaction with security researchers often don't understand the difference between a good hacker and a nefarious one.
"You don't want researchers to be prosecuted as if they were a hacker using exploits to exploit companies or networks or to steal IP [intellectual property]. These are two totally different things," Rios says. "The legislation we have, or the regulatory body that takes a look at this, needs to understand that. Right now, the way a lot of these laws are [written and interpreted], there's no distinction."
Jay Radcliffe, a security researcher who has found security weaknesses in insulin pumps, had to curb his research for fear of legal action. Radcliffe says he was advised to steer clear of the firmware and operating system of embedded devices when he first began digging into the security of his own Medtronic insulin pump. Radcliffe, who is a diabetic, initially went to the Electronic Frontier Foundation (EFF) for some legal advice while hacking the device as an independent researcher and was told he could only go so far without facing possible legal problems. "They [the EFF] said there are some things in the DMCA that could [send me] to jail if I investigated them," says Radcliffe, who joined Rapid7 this summer as a senior security consultant. "So I said I'm not going to look at any of that."
He focused his white-hat hacking instead on weaknesses in wireless access to the pumps. "So I only had about 30% of the attack surface that I was able to do research on," he says.
Radcliffe, who says he has been threatened with legal action before, and his company Rapid7 are part of a group of security researchers and supporters who are now petitioning the White House for reforms to the DMCA and the CFAA. The security researchers in their petition are calling for solid legal protection so they can more effectively and thoroughly find security weaknesses in consumer devices and systems.
"While responsible companies cooperate with the technical community and the public to improve the safety of code, others do not. They instead try to prevent researchers and others from sharing safety research, threatening criminal and civil actions under the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act," the petition reads in part. "Reform the DMCA and CFAA to unlock and encourage research about potentially dangerous safety and security weaknesses in software."
Andrea Matwyshyn, a law professor and advocate for cyber safety who helped craft the petition, says that, as with any technology policy issue, it will require a long-term conversation and dialogue with legislators and regulators. "It's not going to be a quick fix," Matwyshyn says. The coalition hopes to help advance regulatory changes, namely under an exemption section of the DMCA. "That's one avenue where perhaps things could be clarified and improved and recalibrated to balance consumer and IP protections," she says.
More long-term, a statutory fix by Congress is another way to address this. There are many ways to improve this situation to give researchers greater certainty. Whether it's path one or path two isn't as important as the end result is: to have a climate that's researcher-friendly so consumers have better access to information about the security and safety of products they buy or use, for example.
Researchers sometimes are forced to dial back their research for fear of legal ramifications. "One of the reasons you don't see a lot of breaking into medical devices and the power grid… because there are armies of lawyers and the risk is too great. It's slowed down research and had a chilling effect," Radcliffe says.
But the stakes have never been higher for finding security flaws before the bad guys do, as consumer products with public safety ramifications are increasingly networked -- cars, medical devices, TSA checkpoint screening equipment, satellite ground terminal equipment, and home alarm and automation systems. Those are the pacemakers, insulin pumps, vehicles, and carry-on baggage scanners that consumers use and operate, but some of these consumer industries are more seasoned in cyber security issues than others, and not all companies understand the difference between a white-hat and a black-hat hacker.
[Public safety issues bubble to the top in security flaw revelations. Read Internet Of Things Security Reaches Tipping Point.]
Not every researcher who reverse-engineers or tests consumer products for security flaws faces actual legal threats, however. Cesar Cerrudo, CTO at IOActive, which has researchers who specialize in car hacking, satellite terminal hacking, and smart traffic systems hacking, says his team hasn't faced any legal hurdles thus far. "Luckily, we haven't had legal threats from vendors. We consult with our legal department before doing anything that could cause problems, but there is always the possibility to get sued, and bad laws or badly interpreted laws can put in jail the wrong people for stupid things," Cerrudo says.
IOActive researchers often struggle to acquire the consumer equipment they want to test, however, he says. "The only limitation we are having is that some devices are very difficult to get, and while we are almost sure they are vulnerable and being used in critical infrastructure, we can't get them," says Cerrudo, who adds that he has not yet studied the details of the petition effort.
Cerrudo and Qualys's Rios say they draw the line at hacking a live production system on the Internet. "Trying to hack systems and devices on production would be crazy and illegal no matter [if] you want to prove it has security issues," Cerrudo says. At the same time, running an Internet scan or pointing to a security flaw in a website shouldn't be illegal.
No one has ever warned Rios off of any of his research parameters, he says. But he also has set his own boundaries, which come with tradeoffs: "I have a personal boundary -- not to test that exploit against a live system on the Net or anything like that. But, that leaves a gap in some of my knowledge."
Craig Smith, CEO and founder of Theia Labs, says he is careful when it comes to releasing a hacking tool -- especially if it's a personal project he's working on that isn't part of his day job. The key is making it clear the tool is a freebie or is relatively generic when it comes to hacking a car or other feature, for example, says Smith, who has signed the online petition.
"I do a lot of traditional penetration-testing and reversing… on the side," he says. "If I'm not hired for that, I have to be more careful of the potential for legal action by the affected vendor."
The other issue to weigh as a researcher, he says, is whether it's really worth exposing a flaw if it won't ever get fixed and publicizing it may do more harm to the public than good. "Maybe the [flawed] firmware can't be updated, for example, so what's the appropriate way to deal with this? How can you work with these companies to make it better?"
He says legal threats don't ever stop him from researching a product, but they do at times influence whether he publishes his findings. Companies not well-versed in security research could take the legal route, he says. "The knee-jerk is to come after you. You have to think about that," says Smith, who says he'd like to see the DMCA eliminated altogether someday.
"Piracy is already against the law," he says.
Meanwhile, Rapid7, which has spearheaded the petition, also has formed the Coalition for Security Research to promote security research amid the explosion of the Internet of Things and connected consumer products. "The mission of the Coalition for Security Research is to protect and promote security research to make businesses and individuals safer," a summary of the group says. Rapid7 is reaching out for members to join the group.
