Security bods gagged using DMCA on eve of wireless key vuln reveal

Updated Researchers at IOActive have been slapped with a DMCA (Digital Millennium Copyright Act) gagging order a day before they planned to release information about security vulnerabilities in the kit of an as-yet unidentified vendor*.

A redacted version of the legal notice – posted on Google+ – has reignited the long standing debate about security vulnerability disclosure. The legal notice was issued by San Francisco lawyers Jones Day.

"To assert the DMCA there would have to be a credible case that IOActive has/is seeking to circumvent the protections on a copyrighted work. I think that's a hard case to make," said Matthew Green, in a series of updates to his Twitter account.

The DMCA, which became law in 1998, revised US copyright law and criminalised the circumvention of digital rights management technology. Sony Computer Entertainment infamously used the DMCA to sue George Hotz in a bid to suppress a PlayStation 3 console jailbreak back in 2011.

A decade earlier Russian programmer Dmitry Sklyarov was arrested for alleged infringement of the DMCA on the eve of plans to present research on stripping DRM controls from e-books at Def Con. The statute has been invoked by a small number of IT vendors since but has largely fallen out of fashion until the latest flareup.

IOActive is leading research house looking into vulnerabilities in SCADA kit, internet of Things devices and much more. An IOActive spokesman told El Reg that it was working with its legal team on putting together a response. We'll update this story as and when we hear more. ®

Updated to add

* We're told the vendor is wireless key-lock maker CyberLock – a full disclosure of the vulnerabilities in its CyberKey product can be found here, dated April 30 [PDF].