Charlie Miller DMCA statement

1. Hello. My name is Dr. Charlie Miller and I’m a computer security researcher who for the last three years has been specializing in the security of vehicles. I’d like to tell you a little about the history of independent security research into the security of vehicles. It started back in 2010 when researchers from the University of Washington and the University of California San Diego explored the idea of what an attacker could do if they could inject messages into the CAN bus of a vehicle. I should digress a bit and explain that in modern automobiles, there are 30-50 different small computers called ECUs. These computers each have a role to play in the functioning of the vehicle and individually perform such tasks as as controlling the emergency brake or displaying the speed or controlling the transmission. They all talk to each other and share data with each other. A typical means to do this is via the CAN bus. Anyway, the actual data sent between ECUs is proprietary and varies from manufacturer to manufacturer, but these researchers showed that if they could send messages on this bus, they could force the vehicle to perform certain safety critical actions. These included actions such as locking up the brakes, making the brakes not work, stopping the engine, etc. Definitely not things you want your car doing without your consent.
2.  
3. This research was very interesting but received widespread criticism because people said there wasn’t a way for an attacker to inject these types of messages without close physical access to the vehicle, and with that types of access, they could just cut a cable or do some other destructive action. The next year, these same research groups showed that they could remotely perform the same attacks. By reverse engineering the code in some important ECU’s, they identified several vulnerabilities in the vehicle, for example in the Bluetooth stack and the Cellular components (think on-star) that allowed them to inject CAN messages into a vulnerable vehicle from anywhere in the country. As they showed earlier, this meant they could follow this by remotely lock up the brakes on these vehicles or cause other safety critical failures without the driver doing anything and from many miles away. Ironically, the vehicle they looked at and identified these critical flaws in was made by General Motors, who is here today saying that these researchers should not have been allowed to look at the code that was running on their vehicle. I, for one, am glad these researchers identified these vulnerabilities and subsequently got them fixed by GM.
4.  
5. Shortly thereafter, in 2012, my friend Chris Valasek and I received a grant from DARPA to produce a library of tools that would aid in continuing automotive research and reduce the barrier of entry to new researchers into this field. We got a second DARPA grant specifically designed around reducing the cost of vehicle security research to encourage folks like us to dig in and find vulnerabilities in modern vehicles, making them safer for everyone. During this time, we found many of the same findings as the UW and UCSB researchers had found. Namely, we showed that in the two cars we looked at, a Ford and a Toyota, that an attacker capable of injecting CAN messages could control such things as the brakes, speedometer, locks, horn, etc. We expanded on the previous research to show that even the steering could be controlled by the attacker. This addition was possible because cars had evolved since the previous research to include features like automatic parallel parking and lane keep assist which necessitated the steering ECU accept commands over the CAN bus. As new technology is added to vehicles, new attacks become possible. The response from the automotive industry, again, was to point out that these attacks were only possible because we had physical access to the vehicles in order to inject the messages onto the bus. Just like the UW and UCSB researchers, we continued our research and plan to present our most recent research this summer that shows vulnerabilities in the firmware of some ECUs of the vehicle that can allow us to remotely inject CAN messages. This means that, again, we could remotely control things like braking and steering in vulnerable vehicles from many miles away without the driver doing anything. In order to conduct this research required us to extract firmware from critical ECUs to examine it to look for these vulnerabilities. I should also point out that the tools we made are being used by a number of researchers interested in car research, including those at the National Highway Traffic Safety Administration.
6.  
7. I’m here today to ask for an exemption to the DMCA to cover the case of security research of automobiles. It is a societal safety issue that the vehicles that we use are safe and that we can depend on them to be safe from attack. As the academic research groups and Chris and I have shown, currently this is not the case. The vehicles being produced by manufacturers are not safe from remote exploitation. This scares me but what really scares me are laws that won’t allow me to look at the code that my automobile runs to determine whether it is safe, look for vulnerabilities, see how it is designed around safety, or even build compatible devices to add safety features. Hiding away this safety critical code from observation will not solve the problem and we cannot wait for the benevolent manufacturers to do the right thing and produce safe cars. They need help and the DMCA prevents people like me from helping them. I know many researchers who won’t participate in this field due to the legal murkiness around car security research.
8.  
9. I should add that I’m not necessarily judging the cybersecurity practices of automobile manufacturers. Very smart engineers at Microsoft and Google still don’t know how to make an attack-proof web browser. Every month, these companies produce patches to fix up security flaws in their products. Nobody knows how to write perfect code. So I don’t expect automobile manufacturers to produce perfect cars, but what I do want is the ability to evaluate their safety and security features for myself. I want as many researchers as possible to be looking at this code, finding flaws, suggesting patches, and improving it. I want to be able to trust the safety of my vehicle and the only way I can do that is to look at it myself.