It’s Finally Legal to Hack Your Own Devices (Even Your Car)

It’s Finally Legal to Hack Your Own Devices (Even Your Car)(wired.com)

154 points by _isus 9 years ago | 17 comments

wyldfire 9 years ago |

From [1] : "(ii) For purposes of this exemption, “good-faith security research” means accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement."

So it seems like it's all going to be gauged in how the material is presented/hosted. The way I read it is "disclose the details of the bug and source, ok. but once you start hosting an executable like './rootmysystem' or './disable_copy_prot' then you're entering the grey area." (Or rather the decision would probably be made based on whether your website looks like one that encourages or promotes infringement versus one that promotes security.

[1] https://www.federalregister.gov/documents/2015/10/28/2015-27...

sctb 9 years ago |

Previous discussion: https://news.ycombinator.com/item?id=12826946

6stringmerc 9 years ago |

Neat. I like the exemption in principle, and the "Good Faith" condition will probably be the lynch pin that gets tested in court cases if they come up. What is Good Faith in security research is not necessarily - I don't think - a settled issue. Especially in light of the CFAA still on the books. I'd appreciate more and more clarity coming through (and augmentations to existing law to make them better) over time.

I wonder how the EFF will respond to this, because I recall one of their lawsuits (major?) is about DMCA exemption for security research (Plaintiff 1) but also violating DMCA in a for-profit-enterprise (Bunny).

sschueller 9 years ago |

Can't they still restrict you? For example Tesla could prevent you from connecting to their network and being able to use super chargers if you in any way 'hack' your car.

jasonkostempski 9 years ago | |

yeah, but it's best not to buy a car that connects to any type of network for any purpose.

kakarot 9 years ago | | |

I agree, but I feel that in our lifetime this will essentially become impossible, if not downright illegal under the premise of road safety.

Shivetya 9 years ago |

so not much has truly changed, this is a simple limited time reprieve. based on wording can you give permission for another party to work on hardware you have? As in, can a manufacturer still declare that an end user cannot grant access to another under the idea that the other party does not own the device and as such is not legally allowed to work on it?

gr3yh47 9 years ago |

Legal minds of HN: would the Sony vs Hotz case have been thrown out if this provision was in place at the time?

raw23 9 years ago | |

Not a lawyer, but i couldn't see why it wouldn't be thrown out.

Hotz just reversed and found an exploit on his local machine. Seems to be exactly what these provisions are covering.

0x0539 9 years ago | |

Nope. Wired presents this as if its a blanket exception for everything, its not.

http://ifixit.org/blog/7475/repair-coalition-wins-exemptions... is a bit more clear on the types of things that will be allowed under this.

As for the specifics of jailbreaking:

"The Register also confirmed that the exemption for gamers should not extend to jailbreaking of console software because such jailbreaking is strongly associated with video game piracy."

https://www.federalregister.gov/documents/2015/10/28/2015-27...

rajangdavis 9 years ago |

Out of curiosity, can this apply to SaaS products at all? It seems like the provisions are relaxed in general.

I am curious if I could use this to reverse engineer a product that isn't hardware AND does not have explicit provisions saying that I am not allowed to reverse engineer the software.

inlined 9 years ago |

I wonder if this new freedom to do security research can help us discover vulnerabilities in our IoT devices before they're used in another massive DDoS.

thesmok 9 years ago | |

The vulnerabilities in IP cameras and routers were publicly known long before the latest massive DDOS. But the manufacturers and users of those devices did not care, and they still don't.

yifanlu 9 years ago |

Can someone point me to the actual ruling? The only one I can find was from last year (2015). Has it even been ruled this year yet?

Kapow 9 years ago | |

The ruling was in 2015, there was a year delay before it came into effect.

mgrennan 9 years ago |

Time to through down on the IOTs.

benmcnelly 9 years ago | |

I would, but I have terrible follow threw.