The modern automobile, say cybersecurity experts, is not a car with a computer in it. It’s a computer with four wheels and a motor. To prove the point, hackers have been breaking into cars’ software, remotely shutting off engines, tracking riders, and disabling brakes.
Yet lifting the digital hood of your own vehicle to see the car’s source code, make modifications, or build better diagnostic tools is a potential crime today. Under an industry-driven interpretation of the Digital Millennium Copyright Act, it’s illegal to touch (or even look at) virtually anything in your car’s software. Car companies and federal agencies have threatened legal action to keep anyone, even security researchers who disclose vulnerabilities to automakers, from examining or modifying a car’s software.
“The DMCA has given companies a legal hammer to prevent transparency in the way those devices work,” said Kit Walsh, a staff attorney at the Electronic Frontier Foundation (EFF). That’s led to a chilling effect on people who want to improve, customize or better secure modern vehicles (it’s unclear how much it has deterred malicious hackers).
Now the federal government has granted a petition, over industry objections, giving car owners clear legal protection to fiddle with their own cars. On Oct. 28, exemptions to Section 1201 of the DMCA will explicitly protect the right to examine your vehicle’s code, reprogram its computer, and make repairs or modifications. The exemptions “allow the diagnosis, repair or lawful modification of a vehicle function” (p 39, pdf) as well as “good-faith security research” (p 44, pdf) so long as it doesn’t interfere with the entertainment and wireless communication systems, to avoid illegal media downloading.
There are some caveats. The exception is temporary. Proponents such as EFF will need to convince federal regulators to renew the exemption every three years. Vehicle owners must also make modifications themselves, rather than use a third party, so you’re on the hook for rogue vehicles or changes that lead to accidents.
Most automobile companies came out swinging against the provisions in their public comments (pdf), but Tesla didn’t oppose the law. The company gives security researchers up to $10,000 as a bug bounty to uncover (and discreetly disclose) security flaws. When a team from the security firm Lookout commandeered software in a Tesla Model S to open windows, unlock doors, and cut power to the car, Tesla rolled out a software patch wirelessly, reports Wired. After Tesla owner Jason Hughes hacked his Tesla’s operating system and the company initially blocked his attempts, CEO Elon Musk reversed the decision and offered praise.
The EFF is now in a long-term battle to repeal the DMCA. “We’re suing the government [to establish] that the law is a violation of the First Amendment because of its infringement on fair use, as well as security research,” said Walsh. “If that’s a success, then the landscape will change significantly.”
For now, the organization is fending off companies’ efforts to strip vehicle owners of newfound hacking rights in the fine print of user agreements, a common practice in other industries. “We haven’t had that battle yet,” said Walsh. “That’s a fight I’m eager to have, and it’s coming.”