How Copyright Laws are Turning the Internet of Things into a National Security Risk: Part I
For years now, the Electronic Frontier Foundation (EFF) and its spokespersons have fought for the ability of device owners to legally jailbreak the devices they own in order to properly secure them from potential threats or outside manipulation. Never has this discussion been more germane than today, as the devices most people carry now connect to the “Internet of Things,” meaning that the Internet is no longer an avenue of communication but rather a collection of items intertwined via a connection to the Internet. Everything from the machine that brews our morning cup of coffee and the thermostat in our homes to the insulin pumps that keep loved ones alive can now be connected to the Internet and controlled remotely. The frightening reality is that the Internet of Things opens new attack vectors for bad actors to disrupt or disable our way of life.
One of the main reasons these vulnerabilities exist is the current security protocols and laws protecting Digital Rights Management (DRM). DRMs on products essentially mandate that purchased items can receive security updates only from the vendor; anyone who attempts to “jailbreak” or circumvent vendor-controlled security updates can be punished with extensive fines or even prison sentences. Essentially, the things we buy could be seen as never truly owned, but rather borrowed for a fee from vendors who will always have some level of user-control over the items in question.
Also, the loopholes that DRMs create in product security – and perhaps control – allow for external manipulation of these products by potential governing entities, such as loan providers for motor vehicles or energy companies who enter legal agreements with home-thermostat producers.
At DefCon 23, security researcher and EFF spokesperson Cory Doctorow discussed the serious threats to general device security based on current DRM laws and the legal ramifications associated with security research on Internet-connectable devices.
During his talk, Doctorow gave multiple examples of how technology, no matter how advanced or simple, was essentially coming out of its box already vulnerable and susceptible to outside control. One case study, in particular, discussed the inability of security researchers to legally gain access to and perform a penetration test of the operating systems of various commercial aircraft software, and how this can create a single, yet significant, point of failure that could lead to an external attack. And unlike professional security researchers, those who might wish to bring down a commercial aircraft, whose operating systems require a complete system reboot only once every 248 days for software patching, don’t need to worry about the legality of their actions.
The main argument about DRM is that its parent legislation, the Digital Millennium Copyright Act (DMCA), was created in a world unlike the web-enabled one we live in today. Established in 2000 as part of two treaty agreements in 1996 from the World Intellectual Property Organization, the DMCA reads as very antiquated in its approach to the legality of “jailbreaking” systems for security improvement, as the agreement was created solely to combat piracy and distribution of copyrighted software.
But how does this battle between owners’ rights and copyright law pertain to matters of national security?
Besides the aforementioned scenario of cyber attacks against unpatched aircraft software, the medical device industry and its researchers have now agreed that cyber attacks against devices within hospitals occur far more frequently. On Darkreading.com, security researcher Billy Rios noted that attacks on medical devices such as x-ray and MRI machines are now commonplace. However, it isn’t the machines themselves that present a large attack threat, but the devices that share a network connection with these machines.
Hospital computer systems and machines containing a multitude of viruses and malware, including the Zeus and Citadel Trojans, sit on the same networks as insulin pumps, pacemakers and pain-management devices with wifi connections. Remote attackers could easily exploit an unpatched device waiting for a software update as a way to enter a large medical center’s networks and launch a far more lethal cyber attack.
Doctorow notes that roughly 40 percent of wifi-enabled medical devices on the market today are vulnerable to a remote attack. Imagine an attacker launching a denial-of-service attack on an entire medical ward’s vital monitoring systems or sending a reboot command to an entire cardiology wing’s worth of wifi-connected pacemaker devices. Essentially, why bomb a hospital when you can take control of devices in the building and cause the same loss of life?
In part two of this series, we will take a look at how copyright laws pose additional risks to consumers and the trajectory we should consider as the Internet of Things becomes broader.
This post was written by Casey Moles, Government Analyst with Thomson Reuters.