Friday, October 16, 2015

The DOT in the Digital Age

Here’s a challenge. What do the following numbers mean/represent?

0101010001110010011101010110001101101011011010010110111001100111
54 72 75 63 6b 69 6e 67

To most people, the above numbers are nothing more than a series of 1s and 0s and random numbers and letters. To a hacker, that is the binary and hexadecimal code translation for “Trucking.” Binary and hexadecimal codes are two of several types of codes used to write computer programs. They are as unique as the series of words used in a novel to tell a story. Like a novel, codes are protected by copyright laws. Unlike works of fiction, they are meant to be kept a secret.
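As an added illustration (not part of the original post), the following Python decodes the two strings above back into text and checks that the binary and hexadecimal forms are the same ASCII bytes. The two input strings are copied from the post; the helper names are ours.

```python
# Added example (not from the original post): decode the post's binary and
# hexadecimal strings back into text and confirm both spell "Trucking".
# The two strings are copied from the post; the helper names are our own.

BINARY_TEXT = "0101010001110010011101010110001101101011011010010110111001100111"
HEX_TEXT = "54 72 75 63 6b 69 6e 67"


def decode_binary(bits: str) -> str:
    """Decode a string of 8-bit ASCII code points written in binary.

    Whitespace is ignored so "01010100 01110010" and the unbroken form
    used in the post decode identically. Any other character, or a length
    that is not a multiple of 8, is rejected rather than silently padded.
    """
    bits = "".join(bits.split())
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("binary text may contain only 0 and 1")
    if len(bits) % 8:
        raise ValueError("binary text must be a whole number of 8-bit bytes")
    octets = (bits[i:i + 8] for i in range(0, len(bits), 8))
    return bytes(int(octet, 2) for octet in octets).decode("ascii")


def decode_hex(text: str) -> str:
    """Decode space-separated (or unbroken) hexadecimal byte values."""
    return bytes.fromhex("".join(text.split())).decode("ascii")


def encodings_agree(bits: str, text: str) -> bool:
    """True when the binary and hexadecimal forms decode to the same text."""
    return decode_binary(bits) == decode_hex(text)


if __name__ == "__main__":
    print(decode_binary(BINARY_TEXT))              # Trucking
    print(decode_hex(HEX_TEXT))                    # Trucking
    print(encodings_agree(BINARY_TEXT, HEX_TEXT))  # True
```

Both strings decode to the same eight bytes; the difference is only in how those bytes are written down, which is the point the post is making.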

In the 21st century, nearly every vehicle function is propelled via computer systems. Those systems are driven by various codes that tell them what to do. If anyone discovers what the codes are for a particular function, that person could manipulate said function. One can see why these scripts that look like hieroglyphics to us need to be protected.

Currently, the U.S. Copyright Office is in the middle of a rulemaking that exempts computer programs in vehicles from copyright laws. This is nothing new, as such exemptions are revisited every three years, and the latest rulemaking simply extends the exemption. However, the U.S. Department of Transportation is now opposing the extended exemption for the next three years.

In a letter dated Sept. 9, 2015, the DOT expressed concern over two proposed classes of exemption that would allow vehicle owners to circumvent security software. Those two classes are:
  • Proposed Class 21 – would allow circumvention of security software that protects computer programs that control the functions of vehicles “for purposes of lawful diagnosis and repair” and the ability to personalize and modify a vehicle – i.e., fix and tinker with a vehicle.
  • Proposed Class 22 – would allow circumvention of security software that protects computer programs that control the functions of vehicles for the sake of researching security and safety, as was the case with the publication of the Chrysler Jeep hack.

In other words, anyone can manipulate the programming of a vehicle’s computer system for modifying their own vehicle or for researching the vulnerabilities of the software.

Why would the DOT protest against these exemptions?

Responding to Class 21, Kathryn B. Thomson, DOT General Counsel, noted in the letter that modifying vehicle software could pose major safety risks. Tinkering with computer programs within the vehicle could lead to disabling key features that keep the vehicle safe, including collision mitigation systems.

With regard to circumventing security software for the sake of researching safety and security, the DOT was concerned over the “timing and nature” of public disclosure. Although Thomson stated in the letter that the DOT recognizes the benefits of hackers acting in good faith, she pointed out issues with researchers not realizing the safety, logistical and practical ramifications of their publications.

Back in July, two security researchers who specialize in hacking vehicles took control of a Jeep Cherokee from 10 miles away. The two exploited a software flaw to shut down the engine. You can read all about it in the Wired report. Weeks later, Chrysler recalled 1.4 million vehicles.

It’s worth noting that security researchers Charlie Miller and Chris Valasek disclosed information to Fiat Chrysler in October 2014, according to the research paper. On July 16, 2015, Chrysler released a patch for the issue. The Wired.com article revealing the information to the public was not released until July 21, 2015. No sensitive information was made available to the public before it was safe to do so.

Then why is the DOT against the publication of codes in research? Perhaps Miller and Valasek’s damaging report was another black mark on the reputation of the DOT and manufacturers. After all, millions of cars were recalled and two senators proposed legislation that addresses the issue.

If the DOT succeeds and vehicle computer codes are protected from research publication, then research much like the one conducted to reveal the Jeep flaw could remain hidden from the public. That’s a problem. Public exposure and outcry yield positive results when governments, agencies and corporations screw up.

If a child steals from the cookie jar and no one knows, the child will continue to do it. If the child steals a cookie from the jar and he has to wear a shirt that says “thief” on it, the child will probably stop stealing. Miller and Valasek plastered a scarlet letter on Fiat Chrysler, and the manufacturer responded. Do we trust corporations and governments to do the right thing behind closed doors?

I do not, and that is why these copyright exemptions exist. The DOT’s argument is not without merit, but the consequences are a slippery slope to silencing whistleblowers. A compromise is feasible, but if the DOT is unwilling to negotiate, I would question its motives.