“Good-faith” car hacking and mobile device “jailbreaking” are now on their way to becoming legal in the U.S. The Library of Congress’ triennial exemptions to the anti-circumvention rules within the Digital Millennium Copyright Act (DMCA) were released on October 27th. Among the exemptions to section 1201 of the DMCA are allowances for “good-faith” testing of vehicular computer systems for the identification and correction of vulnerabilities.
Regulators also “lifted a cloud of uncertainty”, according to Wired, as they announced it was lawful to hack or “jailbreak” an iPhone, saying there was “no basis for copyright law to assist Apple on protecting its restrictive business model”. This also applies to Android devices.
The necessity of jailbreaking is a different question, though.
Let’s take a look at the car hacking problem first.
Hacking for life
Apparently the regulators took heed of this summer’s groundbreaking publications regarding remote car hacking, performed by the seasoned stars of the trade, Charlie Miller and Chris Valasek.
For years, they studied cars’ on-board systems, discovered the vulnerabilities therein, and demonstrated the possibility of malicious exploitation. Earlier this year they successfully performed a remote car takeover, using a zero-day exploit they developed to obtain wireless control over the on-board system of a Jeep Cherokee – via the Web.
Described appropriately as “an automaker’s nightmare”, the code allows hackers to send commands through the Jeep’s entertainment system “to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.”
It was “a legendary fail” for the car maker not to separate the infotainment system from the life-critical dashboard functions, thus making the car-hacking nightmare scenario a grim reality.
What do the DMCA exemptions have to do with it? The short answer is that security research on automobiles’ on-board systems is now legal (apparently, before it was not entirely).
The longer answer: the automakers no longer have legal grounds to suppress security research on the on-board systems and/or the sharing of the data acquired thereby. In other words, they can’t send a cease-and-desist letter to a security researcher dissecting their (faulty) software, based on DMCA clauses.
This new regulation thus becomes a wake-up call to automakers: they will have a hard time hiding deficiencies in their on-board software. However, the law itself will come into effect in a year, so they have some time to get their software in shape and fix the mistakes.
These “smart”, more or less, internet-enabled cars are clearly an “emanation” of automakers’ marketing departments. Common business logic demands that in order to stay ahead of competitors, a company should make new offers to consumers on a regular basis, hence “smartening” the cars. However, as Eugene Kaspersky wrote, “Throughout the auto industry there’s a tendency – still today! – to view all the computerized tech on cars as something separate, mysterious, faddy (yep!) and not really car-like, so no one high up in the industry has a genuine desire to ‘get their hands dirty’ with it; therefore, the brains applied to it are chronically insufficient to make the tech secure”.
But there are lives depending on whether security becomes more important than marketing – and in a very literal sense.
Jailbreaking – legal, probably not smart
Jailbreaking is another problem. And a very different one – fortunately, there are no life-threatening conditions, unless the smartphone is integrated into some critical system (hopefully, such occurrences are extremely rare, if they exist at all).
However, smartphones may be used as an entry point for infiltrating the business infrastructure, unless they are protected.
With iOS devices, Apple’s restrictive policy provided an extra security layer: with the App Store being the only source of software for the un-jailbroken devices, malicious apps are an extreme rarity there. Most of the iOS malware observed by Kaspersky Lab’s experts so far only infected jailbroken devices. Some of it also made use of additional rights on the jailbroken devices, thus becoming undeletable.
All in all, mobile malware grows in number all the time, so voluntarily decreasing devices’ security levels doesn’t look reasonable; moreover, the device itself can become a security hole within a business network.
It’s better to think twice before proceeding with a jailbreak.
“In general it is far more difficult to protect a device if it is jailbroken. No security vendor will be able to close all the holes and vulnerabilities that you expose by jailbreaking your device. Our software would have to use unofficial APIs and, even then it would still be nearly impossible to control all existing vulnerabilities in jailbroken devices. To cut a long story short: jailbroken devices can hardly be protected from malware attacks,” says Roman Unuchek, Kaspersky Lab’s Senior Malware Analyst. “As the volume of mobile malware has risen massively in recent years it does not make sense to use an unprotected device. Jailbreaking is not a good option.”