DRM Security Concerns | Who does the IoT Obey?

I saw this video of a keynote speech given at the O`Reilly Security Conference in October 2016. Cory Doctorow gives a compelling talk about the thorny issues surrounding DRM and security research, privacy violations, and private property abuses.

Watch the video (32 min):

DRM and DMCA

Central to the talk is the concept of Digital Rights Management (DRM) as defined in the Digital Millennium Copyright Act (DMCA). DRM is software that restricts access control to technology involving copyrighted works. These controls aim to deter the use, tampering, and distribution of systems in ways the manufacturer deems inappropriate. DMCA was passed in 1998 with the key focus to deter the circumvention of copyright protection systems i.e. DRM. Any attempt to bypass DRM even for lawful purposes is against the rules. As a result, steep civil and criminal penalties can be issued for 1st offenses.

Read the law and pay special attention to Section 1201 (text / pdf).

Example: Blu-ray / DVD discs and players. Legally purchasing a disc and playing it in a different region is illegal. Producers of the content force Blu-ray manufacturers to implement region checks for their copyrighted materials. Therefore it is literally a felony to bypass DRM to watch a movie on a non-region player device. Companies abuse copyright law to strengthen their business model.

Video Highlights

If you don’t have time to watch the speech right here is the TL;DR.
Cory gives examples of various abuses with DRM:

  • HP Printers
    • OfficeJet printers were pushed DRM via security update
    • Update contained hidden counter to determine when toner would be no longer usable and to reject any 3rd party printer cartridge
    • HP reaches into your home and makes changes to your property
    • HP hid signing keys in the chip with the product?!
  • SkyLink Garage Door Openers
    • Started to implement DRM into their garage door openers
    • Prevented 3rd party clickers from being used (attempted)
  • Lexmark Printers
    • Recorded toner levels / rejected new cartridges from other vendors
  • Sony Rootkits
    • Mid 2000s attempt to protect copyright material
    • DMCA prevents security researchers from doing their work because
      • Known vulnerabilities cannot be disclosed to the public
      • Exploitations won’t be discovered until it is too late

The central theme is in his title: Security and Feudalism – Own or be Pwned. Relevant here is the separation between those who own things and those who rent from them. Feudalism was like this – lords (manufacturers) ruled over peasants (consumers) use of lawfully acquired products.

Conclusions

Key points:

  • DRM treats people who lawfully acquire property as the adversary and works against their wishes
  • Incidents of security by obscurity abound – poor design with dangerous implications
    • Malware can join unnoticed (ex. Sony Rootkit)
    • DRM design treats the customer like an adversary
  • IoT amplifies the issue because software like this is omnipresent
    • DRM is in places we never thought to find it
    • Intelligence (software) is in everything now – and so is DRM

We should respond to the current state:

  1. Devices obey their owners – the default should be to follow user instructions
  2. Security facts should be legal to disclose – security by obscurity must end

Read about the referenced court case that EFF is taking up as mentioned in the video:

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.