The legal exemption making life easier for ethical hackers

Cybersecurity researcher Brian Knopf specializes in hunting for vulnerabilities and flaws inside connected devices and wireless gadgets. 

So when his wife, Sarah, contemplated whether to have doctors implant a neurostimulator in her back designed to treat chronic pain issues, she wanted him to hack it first. 

Mrs. Knopf had safety concerns about the device, about the size of a large LEGO block, and wanted reassurances that its remote charger was tamper-proof. But there was little Mr. Knopf, or any other outside security researcher, could do to test the resilience of the device without risking a lawsuits from manufacturer or potential fines.

For more than a decade, the Digital Millennium Copyright Act (DMCA) criminalized unauthorized research on medical devices, as well as many other consumer products that run on software such as cars and television sets. But in October, the Library of Congress initiated a three-year exemption to the DMCA allowing ethical hackers such as Knopf to perform "good-faith security research" on medical devices and many other wireless and internet-connected electronics. 

"Most of us are not people who are looking to cause harm. We're trying to understand how to make things better," says Knopf, director of security research for the tech firm Neustar. "You're taking a bunch of inquisitive people and shutting them down and scaring them with laws meant to prosecute criminals."

Photo by Michael Bonfigli/The Christian Science Monitor

Security researcher Brian Knopf spoke at the Security of Things Forum in Washington on Oct. 27.

As a result of the exemption, researchers like him can begin investigating devices such as the neurostimulator that Sarah Knopf eventually had doctors implant in her back, despite her initial worries. And many see scouring for software flaws as an act of public service in our increasingly connected Digital Age.

A flaw in medical equipment, said Knopf, "could crash the device, it could trigger the electricity, it could kill the electricity." And malfunctions or security breaches may not only damage the device, but also put the users at risk. "It's someone's health and safety."

Cybersecurity experts have long complained that the growing number of connected and wireless medical devices on the market present serious risks for patients without additional research and analysis of the underlying software.

For instance, in 2013, security researcher Billy Rios found vulnerabilities in web-connected infusion pumps that could allow attackers to manipulate dosages. The US healthcare system Essentia Health also found that many Bluetooth-enabled defibrillators and X-ray machines were rife with software vulnerabilities. 

"We're not going to run out of reasons to do security testing," says Katie Moussouris, chief executive officer of Luta Security, a company that helps governments and large organizations start vulnerability disclosure programs and bug bounties. The DMCA exemption, she says "is essentially saying, we're now able to shine the sunlight of disinfectant on devices we weren't able to touch before."

And though it's hard to pin down just how many researchers will now be able to tinker with cars, medical devices, and other gadgets without concerns of legal reprisal, some advocates of the change think the DMCA revision will help continue an uptick in white hat security research.

"It allows security researchers acting responsibly to independently unlock devices without the consent of the software manufacturer, such as if they purchased the device, as long as they’re doing it in safe and controlled conditions," says Harley Geiger, director of public policy at the cybersecurity firm Rapid7. "It will make independent security research clearer from a legal liability point of view."

The Food and Drug Administration (FDA), which supported the DMCA exemptions for medical device research, recently pressed medical device makers to fix software flaws in their products. The pressure came after the cybersecurity firm MedSec revealed a range of security flaws in pacemakers and other devices developed by St. Jude Medical (the company denied the existence of those software flaws).

"It's not research for research's sake," said Suzanne Schwartz, the associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health, at a recent Passcode event in Washington. "We're talking about research that's going on for the betterment of these devices."

It's unclear just how many researchers are taking advantage of the exemptions, or whether any serious vulnerabilities have been discovered in medical devices or other connected electronics. 

And cybersecurity researcher Craig Smith pointed out the exemption doesn't just benefit professionals and cybersecurity firms. It'll protect anyone who wants to poke around on everyday products such as cars that run on software, said Mr. Smith, author of "Car Hacker's Handbook," an illustrated guidebook that depicts the digital inner workings of modern cars.

Now, he can freely pursue his latest project, dubbed "CANiverse," a reference to a vehicular Controller Area Network (CAN) that allow in-car devices to communicate with each other. He's setting out to create a kind of marauder's map for modern car tinkerers hoping to suss out software flaws in the electronic systems that allow different parts of a car – the engine, airbags, and transmission systems – to communicate with each other.

The auto industry is "going from a mechanical to a software industry," says Smith. Projects like his are all about "being able to reverse engineer and understand the equipment."