How Bad Digital Law Makes Your Toaster Deadly
NEW YORK — Copyright law virtually guarantees that we'll see nightmare scenarios involving Internet of Things (IoT) devices, technology expert Cory Doctorow told the audience at the O'Reilly Security Conference here today (Nov. 2).
Credit: Marcus Mesa Sam Wordley/Shutterstock
That's because the Digital Millennium Copyright Act (DMCA) of 1998 forbids security researchers from disclosing software flaws in a commercial device without permission from the device's manufacturer, Doctorow said; the law even forbids the owner of a computerized device from fixing it himself or herself.
Someone who found vulnerabilities in the same IoT devices that were hijacked to disable large parts of the web Oct. 21 might not be able to talk about those flaws without risking a lawsuit or criminal prosecution.
"This is why the Internet of Things dumpster fire has been allowed to rage," Doctorow said, and why "a couple of dumdums running a crappy crimeware company" were able to knock security blogger Brian Krebs' website offline on Sept. 20, using the same malware that crippled the internet a month later.
"We are gonna be fighting this fire for a long time," Doctorow said, unless the abusive use of the DMCA by device makers stops.
Perhaps the best example of DMCA abuse concerned John Deere tractors. In 2015, Deere & Co. argued that under the copyright law, only it had the right to repair its own agricultural equipment, which is now heavily computerized.
Farmers whose Deere tractors broke down couldn't fix the tractors themselves, or have independent tractor mechanics take a look — instead, they'd have to take them to Deere authorized service centers.
That's like having to take your Chevy to the dealership for every single repair — and indeed, General Motors also argued in 2015 argued that under the DMCA, its customers were obligated to do exactly that if the repairs involved the car's computer systems.
Both GM and Deere were fighting proposed exemptions to the DMCA that would permit non-authorized repairs. In the long run, both sides scored half a victory. A partial exemption granted by the Librarian of Congress means that until 2019, owners can tinker with the software on their own cars or tractors, but third parties such as independent mechanics cannot.
That's a long way from the original intent of the DMCA. Among other things, the law enshrined a concept called digital right management, or DRM. It extended software-copyright laws to Hollywood studios and Japanese video-game makers, who wanted to both combat piracy and control how particular DVDs or games could be played.
DVD players had specialized software that refused to play content from the wrong part of the world, and Sega's Dreamcast gaming console had software wouldn't play game discs that weren't pressed by Sega. Tinkering with that software was made illegal by the DMCA. (Both the DVD and Dreamcast DRM systems were quickly bypassed anyway.)
But now, all kinds of everyday objects, from motor vehicles to refrigerators to thermostats to toasters, contain software. The DMCA has become a handy way for manufacturers of those machines and devices to try to create a monopoly or, at least, to enable what economists call "rent-seeking" — capturing a market to stifle competition and escape market pressures to keep prices low.
"Every CEO has dreamed of this situation: 'If only it were illegal to frustrate my business model,'" Doctorow said. The DMCA, he argued, makes it so "you can convert your commercial preference into an ironclad legal right."
And that business model, he said, has spread to IoT devices. A small Chinese manufacturer may not threaten to sue you if you discover and publicize a flaw about your smart toaster, but a multinational conglomerate might.
"You are not the owner of that property any more. They are," he said, adding that we're getting close to the time when there's "a dishwasher that won't wash third-party dishes."
But, Doctorow said, large-scale attacks like the one last month aren't his greatest worry about the inability to tinker with IoT devices.
"The real risk comes when these devices that are designed to treat their owners as attackers," he said, "are used to attack their owners."
Doctorow cited some recent cases of IoT devices turning on their users: the webcam hijacking and attempted extortion of Cassidy Wolf, Miss Teen USA 2013; the famous remote hijacking of a Jeep Grand Cherokee by security researchers; and the numerous examples of baby monitors being taken over by hackers.
"The DMCA prevents us from learning there's something wrong with these products until it's too late," Doctorow said.
(To be fair, the Jeep hijackers told Fiat Chrysler about the flaws they found, without asking the company's permission first, and the company had a patch ready when the attack was disclosed. But the company might have had a pretty strong case had it decided to sue instead.)
To Doctorow, the solution is simple and commonsense. "Devices need to obey their owners, not their makers," he said. "And security facts should always be legal to disclose."