Security researchers Charlie Miller and Chris Valasek have once again exposed automobile security flaws that allow attackers to take over a vehicle’s crucial systems. In their latest work, they learned how an attacker could remotely control a car over the Internet.
Vehicle manufacturers dismissed prior warnings about flawed security by claiming [PDF] that the exploits relied on physical access to the car. But it has long been known that vehicles’ wireless systems (such as Bluetooth) contain vulnerabilities that would allow a malicious hacker to gain access to critical vehicle functions.
Miller and Valasek took it one step further, revealing one dramatic way that drivers have been left vulnerable in manufacturers’ race to connect vehicles to the Internet. This particular vulnerability relates to Chrysler’s Uconnect system, but it would be naive to imagine that no other vehicles have similar vulnerabilities.
One major reason that serious vulnerabilities have gone undisclosed and unfixed is that laws like Section 1201 of the Digital Millennium Copyright Act chill independent security research. That’s why we filed for an exemption to Section 1201 that would specifically protect security and safety research on vehicle software from DMCA liability. The automakers showed up in force to oppose it (including the “Auto Alliance” trade group, of which Fiat Chrysler is a member), arguing that there was no need for independent security research and that they had the legal right to shut it down – even when researchers only look at code on vehicles they own. We think Miller, Valasek, and other researchers have amply shown the need for independent vehicle security research.
We also asked for a second DMCA exemption for vehicle software, one that would allow competition in the vehicle software space (as well as repairs and customization). If that exemption is granted, an alternative software provider could enter the market to secure your vehicle and you might decide you have more faith in them than in the original manufacturer (or they might offer better functionality, or they might protect your privacy against invasive data collection by auto manufacturers). We would at least see the possibility of competition leading to better practices and spurring innovation among manufacturers.
The Librarian of Congress will issue a final rule this Fall and we are hopeful that he will grant exemptions that bring greater legal certainty to important research and remove Section 1201 as a barrier to innovation, competition, and user choice.