Although it is completely forbidden to sell sets of tools to do this, its distribution remains a legally grey matter
Digital forensics specialists from the International Institute of Cyber Security Report that the US Copyright Office has just solved that it is valid for American citizens to alter Digital Rights Management (access control technology used by copyright holders to limit the use of digital media or devices to unauthorized persons or equipment) to modify multiple household and personal devices during the process of repair or modification of such devices.
The mechanisms implemented by the manufacturers to block repairs or unauthorized changes, such as firmware code that disable third-party replacements, can be legally bypassed to correct or modify smartphones, tablets, smartwatches, routers and other wireless access points and personal digital assistants. This ruling is even extended to cars, trucks and tractors.
So far, manufacturers had tried to block unofficial repairs for various reasons; in part to prevent people from making dubious replacements or implementing backdoors, but to a greater extent to ensure that customers will have to invest in costly manufacturer-supported services. Digital Rights Management (DRM) is also used to ensure that people use only official printer ink cartridges or ground coffee beans on specific machines.
According to specialists in digital forensics from the International Institute of Cyber Security, bypassing these restrictions could cause manufacturers to launch deliberately blocked devices, accusations of copyright infringements, and trials, because DRM is protected by the Digital Millennium Copyright Act (DMCA).
These new rules came into force in the United States on Sunday, October 28.
Still, be careful with these new measures
Although any user can develop the software or hardware tools needed to alter the DRM, no one is allowed to sell or seemingly distribute this kind of tools. Therefore, anyone can pay for one of these services, but those who make them cannot share the method used.
“The ruling only granted exemptions from use, but not tool exemptions”, says Cory Doctorow, a digital forensics specialist. The expert believes that this ruling could cause people to download malware or other malicious software that is impersonating such tools to alter the DRM.
“This means people will end up downloading illegal tools. If there is not going to be a legal market for these tools, the user is at risk of suffering a cyberattack. Without knowing it, people might be adding very damaging malware variants to their systems”.
Even if someone reveals a method to alter the DRM and distributes it as free or open source material, this could be taken as an abusive use. Distributing a toolkit to alter DRM seems to be a gray area in legislation.
“This prohibition may also extend to open source tools; the new rules are written quite broadly”, said Mitch Elzol, a legal specialist. “The law says it is illegal to trade these tools, including their manufacture and sale, but it could also refer to teaching about the use and elaboration of these tools”.
The situation is the same for researchers in cybersecurity. While this new regulatory framework allows for product testing, they may not be allowed to share the results of their research, thereby limiting the number of studies that may be published.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.