You Can Legally Hack Your Own Car, Pacemaker, or Smartphone Now (wired.com)
Earlier this year, we ran a story about how even possessions as personal as one's car, tractor, or insulin pump could not be legally hacked by the owner, but those constraints are things of the past now. From a report on Wired: Last Friday, a new exemption to the decades-old law known as the Digital Millennium Copyright Act quietly kicked in, carving out protections for Americans to hack their own devices without fear that the DMCA's ban on circumventing protections on copyrighted systems would allow manufacturers to sue them (Editor's note: the website may block users who use adblocking tools. Here's an alternate source). One exemption, crucially, will allow new forms of security research on those consumer devices. Another allows for the digital repair of vehicles. Together, the security community and DIYers are hoping those protections, which were enacted by the Library of Congress's Copyright Office in October of 2015 but delayed a full year, will spark a new era of benevolent hacking for both research and repair. "This is a tremendously important improvement for consumer protection," says Andrea Matwyshyn, a professor of law and computer science at Northeastern University. "The Copyright Office has demonstrated that it understands our changed technological reality, that in every aspect of consumers' lives, we rely on code," says Matwyshyn, who argued for the exemptions last year. For now, the exemptions are limited to a two-year trial period. And the security research exemption in particular only applies to what the Copyright Office calls "good-faith" testing, "in a controlled environment designed to avoid any harm to individuals or to the public." As Matwyshyn puts it, "We're not talking about testing your neighbor's pacemaker while it's implanted. We're talking about a controlled lab and a device owned by the researcher."
About damn time! (Score:5, Insightful)
Re: (Score:3)
Nor does it mean you won't be held liable. If you hack your Tesla auto-pilot and it drives you into a market full of screaming people, you're liable, not Tesla.
Re:About damn time! (Score:5, Informative)
you are liable even if you don't hack it.
Re: (Score:2)
AFAIK that has not been tested...
but if you had hacked the Tesla it is a much more obvious conclusion.
Re: (Score:3)
according to Tesla, https://www.tesla.com/videos/e... [tesla.com]
"While truly driverless cars are still a few years away, Tesla Autopilot functions like the systems that airplane pilots use when conditions are clear. The driver is still responsible for, and ultimately in control of, the car."
Re: (Score:3)
Well if Tesla says they're not liable for product malfunctions, that's the end of it. /sarc
Re: (Score:2)
just noting their stand, the validity of their liability is what the court system is for, however since the laws have not changed, you the driver (non driver) is still held to be responsible for now.
Re: (Score:1)
not if you can show it to be a manufacturer fault
Re: (Score:2)
since the laws have not changed, you the driver (non driver) is still held to be responsible for now.
What current laws preclude manufacturer liability in the event of an accident due to a manufacturing or design defect?
Ok, ok, that was a rhetorical question. There's actually an entire body of law built around exactly the opposite proposition. It's called, aptly enough, "product liability" law. You can read some commentary by actual product liability lawyers on the allocation of liability for self-driving cars here [law360.com].
Re: (Score:2)
yes this is true, but in this particular case, when the manufacturer is saying it's not autopilot in practice, you are still held liable till a jury puts the burden solely on the manufacturer. and if the jury decides that you should have listened to the manufacturer and not believed autopilot to be autopilot then you are still held liable.
Re: (Score:2)
I think you are liable even if they don't scream.
I think you are also liable to scream...
I think you should for appearance's sake anyway...
Laughing maniacally is right out...
Re: (Score:3, Funny)
If the people in the market were screaming, they must have seen me and it's their responsibility to get out of the way of my Tesla -- just like bicyclists and ICE powered cars are expected to do.
Re: (Score:1)
There won't be any challenges, they just won't sue you under the DMCA.
They'll still void any warranty you may have and either refuse to work on it, or just fuck you bigtime if anything goes wrong that's even remotely connected to the "hack".
Re:About damn time! (Score:4, Informative)
That's a victory!
No, that's what the Magnuson-Moss Warranty Act is for. In order to void your warranty, the burden of proof is on them to show that your modifications caused the problem.
Re: (Score:2)
While technically correct, they will still win that battle in anything but an actual legal judgement. They have lawyers and plenty of resources and time, while you have a broken car, a job you have to go to, and rent / mortgage to pay. And you probably don't have the retainer for a lawyer's time to fight the kind of asshat company that would have used the DMCA to sue you yesterday, but can't today.
Re: (Score:2)
There won't be any challenges, they just won't sue you under the DMCA.
They'll still void any warranty you may have and either refuse to work on it, or just fuck you bigtime if anything goes wrong that's even remotely connected to the "hack".
Right now, everything I own that this is subject to is out of warranty. Do you replace everything when the warranty expires?
Re: (Score:2)
I certainly don't. In fact, I can't think of anything that I've ever replaced when the warranty has expired, because the warranty has expired.
I'm not even sure that could be a rational decision. Costs-wise, if it's still working, but the warranty has expired, then you continue to use it until it fails, and then assess the cost of repair. Possibly, if it's a leased or rented bit of equipment and the warranty expires, then it would become rational to say to
Re: (Score:3)
Actually, I've already got one: a pacemaker is a medical device, and altering its code changes it, thus is verboten. This is a good thing: every time a medical device's firmware changes, it needs re-certification, so they can't just load new shit into their devices and sell them as if they were already FDA-approved and tested to perform their function correctly. It's also a bad thing, because device makers don't update code so as to avoid recertification; we really need a strict-audit process to allow u
Re: (Score:2)
Actually, I've already got one: a pacemaker is a medical device, and altering its code changes it, thus is verboten.
The article mentions that the exemption is mainly focused on researchers in laboratory conditions. It's unlikely that anyone's planning to alter the code on their (or anyone's) pacemaker, but this opens up avenues for further research and analysis. If we're lucky, it could feed back into the device maker's coding processes, and speed up testing, meaning more (certified) updates. Public betas for pacemakers, as it were.
But as you pointed out, there's a hell of a lot of paperwork involved with the FDA alre
Re: (Score:2)
It's unlikely that anyone's planning to alter the code on their (or anyone's) pacemaker [...]
At least not without testing it on Dick Cheney first...
Re: About damn time! (Score:2)
He has a heart?
Re: (Score:2, Informative)
Actually, I've already got one: a pacemaker is a medical device, and altering its code changes it, thus is verboten. This is a good thing: every time a medical device's firmware changes, it needs re-certification, so they can't just load new shit into their devices and sell them as if they were already FDA-approved and tested to perform their function correctly.
FDA certification means nothing. I've seen dreadful code approved by the FDA.
Re: (Score:2)
The FDA's interest is in the device being marketed. If you're an idiot and want to play with your own pacemaker, they have no say in it. There is also the more likely case of a security researcher testing an un-implanted pacemaker.
They have no authority over personal use at all. If you want to make your own custom drug in the bathtub, they can't stop you as long as you don't market it.
Re: (Score:2)
So you can hack if you are doing "security research" on it or are "fixing it." Won't the companies just say, "You are not a recognized Security Researcher!" Or even better, "You are not allowed to fix it . . . because it is not broken!"
VW's firmware wasn't broken . . . it did what it was designed to do . . . cheat on emissions tests. Of course, the US EPA sees it differently . . . but is there an EPA law anywhere that you cannot cheat on emission tests . . . ?
Of course, VW has lost the trust of its cus
Re: (Score:3)
Given the security track record of automakers, medical device manufacturers and (to a somewhat lesser degree) smartphone OEMs, I think it'll be a while before we need to worry about that.
What about running the software to talk to the car (Score:3)
What about running the software to talk to the car?
Can they make an DMCA clam on it?
Re: (Score:2)
If you develop it all yourself and keep it private, you will be golden, transferring it to somebody else or using it on somebody else's car is not so good.
Re: (Score:2)
OK, then what about posting that software / info on the web? Can they use the DMCA on that?
Can they use the DMCA to stop Jiffy Lube from using the dealer-only reset change oil light code?
Re: (Score:2)
Posting software that works around software protections can still get you in trouble with the DMCA, even if it's 100% your own code. This was tested the very first time someone managed to figure out the DVD encryption scheme and published his software.
Re: (Score:2)
It wasn't the software that got him into trouble, it was the decryption key.
Re: (Score:2)
Will there be pearls in these DMCA clams?
Awesome! I've been waiting to hack my pacemaker! (Score:5, Funny)
I hear it is really easy to overclock them.
Just update this regist-aaaaaarrrrghhhhh
Re: (Score:2)
With default passwords of course.
Re:Awesome! I've been waiting to hack my pacemake (Score:5, Insightful)
I'll bite:
Because Pacemakers (and the related implanted defibrillators) are something that independent security research on is a good thing.
Up till now, however, anyone hacking these for research could be sued under DMCA.
Another good effect:
Voting machines! (Assuming you manage to legally acquire one).
Re: (Score:3)
Is there a law preventing one from buying a voting machine?
Say that I run ... let's say, the Student's Union (managing the pub, laundry, band practice room, and cafe) of Smallsville University (dedicated to the memory of Derek Smalls [wikipedia.org]) ... and I approach Diebold (I may remember the name wrongly) to buy a voting machine for conducting our Union's internal democracy, then they'd turn me away citing [law number and section, of year].
Diebold may ch
Re: (Score:2)
now you have done your daily cardio,
Decades old?! (Score:1)
The DMCA is not decades old yet. It was enacted in 1998, and while it does pull together two sets of treaties from 1996, the DMCA itself is ONLY 18 years old.
Re: Decades old?! (Score:1)
Cue unsavoury sex jokes
Re:Decades old?! (Score:5, Interesting)
I believe it was technically 'passed' in 1998 but was actually 'enacted' (went into effect) a few months into 2000, because of fears that the DMCA (hence the term 'millennium' in the name) would impact the Y2K issues that needed addressed.
People in the know were afraid that DMCA would block Y2K fixes that were needed. (they were right to worry about this, but not right enough to realize 'wait why are we passing a law that we already know has major issues... ohh wait... thank you for the donation MPAA, RIAA, etc)
Re: (Score:1)
Not in the US, but it is very much old enough to fuck you.
Re: (Score:2)
So is it not accurate to say the DMCA is 1.8 decades old?
Re: (Score:2)
In which Universe would that not be an accurate thing to say?
EPA rules? (Score:2)
I bet if I put the good code back into a diesel VW ECU someone will be butthurt.
Re: (Score:2)
Perhaps, but it won't be VW causing the pain... It will be the big guy EPA we call "tiny" taking advantage of you and your rabbit.
Re: (Score:3)
You realize the old code passes smog checks?
I don't believe OBD2 even has a check version# function. Even if it does that will be easily hacked up to version FFFF.
The truth is: I wouldn't drive a water cooled VW if you paid me. I might make a side business of making diesel VWs run better again, then sell them. The problem would be how do you tell prospective customers you've unfucked the ECU without drawing heat.
There just isn't enough money in it for me, could just Creative commons a project (torren
Re: (Score:2)
You realize the old code passes smog checks?
Right. But only during the smog check.
Re: (Score:1)
You're not disagreeing.
Re: (Score:2)
Not disagreeing. But the point of the law was not just to pass smog tests. It was to reduce emissions below some mandated level during all operating conditions.
Re: (Score:2)
Fucking law abider.
Re: (Score:1)
I don't drive a VW. I drive a THUMPING V8 that takes about 30 hours of work every time I have to smog it.
Keep that sweet butthurt flowing, makes me want to buy a pre-smog diesel truck so I can roll coal on you.
Kickstarter for source code and tools for my car? (Score:3)
Could someone do a kickstarter to open up my car's SW and create dev tools for it? I have a 2015 Subaru Outback with EyeSight and I've already taken it into the shop for two SW bug updates (one affected braking). I won't necessarily change anything, but it'd be good to have a look see. I'd also like an assessment of the SW quality level from someone knowledgeable in automotive programming. I could imagine a new kind of car review site that will take car code and run it through non-real time simulations and perform quality assessments just like other parts of the car are reviewed.
Re: (Score:3)
Google 'Subaru ECU tuning'. Not everything you want, but mostly.
The laws against this, haven't been stopping anyone. Thank dog for racers.
Re: (Score:2)
I've got a friend who works for Mitchel1, who has been assisting me in that kind of endeavor for quite a while now. Aftermarket modified chips that allow for some impressive performance upgrades for weekend racers. The only caveat is they won't come close to passing certification and have to be swapped out for smog testing and such. I'd love to find a group capable of creating a board that could hold multiple chips and allow for dynamic switching.
Re: (Score:2)
doesn't APR still allow for this?
Re: (Score:3)
4 program switch out boards were common back in the day when you had to physically change out chips (for Ford Mustangs anyhow).
These days you just reflash the bad code before the smog check, then fix it again after passing.
Not all tunes will necessarily make the car fail smog.
Re: (Score:2)
Heretic. Burn him!
You can pass smog with a cam, but you'll need to adjust the maps. Cams don't trip the visual inspection, being buried pretty deep, neither do oversize injectors.
Do you go around looking at cars and thinking they all need GeoMetro 3 cylinder engines? I think GeoMetros need mice* myself.
* Mouse = small block chevy V8, Rat = Big block chevy V8
Re: (Score:3)
That would be illegal. If you happened to somehow magically have that software, the Librarian of Congress just made it legal for you to use it. Writing ("manufacturing") the software remains illegal, as does trafficking in it, marketing it or offering it to the public.
The problem isn't fixed until DMCA is repealed. LoC can't undo the injustice.
Everyone please remember to vote more Republicrats into Congress next week, in order to prevent freedom from breaking out. Evil depends on you. (just kidding, I know
What about consoles? (Score:1)
I know millions of pissed off PlayStation owners who would like to turn their systems back into homebrew Linux boxes.
John Deere (Score:3)
We're coming after you next!
Calling Doctor Corey... (Score:2)
http://www.salon.com/2002/08/2... [salon.com]
Sorry about the autoplay crap, but that's where he published it.
Here's another link if you prefer
http://will.tip.dhappy.org/blo... [dhappy.org]
Map Updates for Car Nav Systems! (Score:5, Interesting)
Mostly, I just use my phone these days; Google Maps is always up to date, and I can download maps so I don't need to worry about cell coverage in the middle of nowhere.
Re: (Score:2)
Usually you can get last year's used for about 1/2 the cost. I can't imagine that much changes from year to year. Well, traffic updates do.
Stupid Tom Tom in my Mazda (Score:3)
Now maybe I can finally fix the Voice only option when the car is moving. Stupid Tom Tom is broken enough without having to figure out what I am saying.
Great news. (Score:2)
... to sue themt (Editor's note: (Score:1)
Why the delay? (Score:2)
those protections, which were enacted by the Library of Congress's Copyright Office in October of 2015 but delayed a full year
What caused this one year delay?
yay for personal property rights ! (Score:1)