The recently enacted exemptions to the Digital Millennium Copyright Act that allow security researchers to hack into software that controls Internet of Things devices without breaking copyright laws are long overdue, Cybereason Chief Product Officer Sam Curry told CSO Online. The exemptions are especially important for auto safety, he said.
It takes a community to find and fix vulnerabilities in connected cars
Curry noted that modern cars are “a massively complex connection of computers and networks and protocols that is assembled extremely quickly and with potentially massive implications and potential to do harm.” Locating and repairing software flaws that could impact vehicle and driver safety requires “a community of experts who by default will have more people and more depth than any individual company can bring to bear,” he told the news site.
Automakers shouldn’t discourage this behavior, Curry said, adding that tech companies now support good-faith research. “Microsoft learned this lesson. Oracle learned this lesson. EMC learned this lesson. Why not Ford, BMW and Toyota?” he said.
Researchers don’t want your intellectual property
The overall benefits to the device makers - particularly auto manufacturers - outweigh any concerns companies may have over outliers who won’t conduct their research in good faith or who steal intellectual property. “Car companies should leap at the opportunity to be safer and more usable. Their IP [intellectual property] is not in danger from security researchers. The people who will reverse engineer for IP theft are already going to do that, and they aren’t security researchers,” Curry said.
With security research, “the more open and transparent the mechanics of what we do, the better from a security perspective,” he said. Conducting research in the shadows isn’t beneficial. “One of the founding tenets of security is that secret methodologies don’t work.”