Does anti-piracy software on video games open security risks on users' computers?

Halderman will soon ask the federal government for official permission so that he, along with other researchers, can safely study the question, and so that consumers can take necessary steps to protect their computers.

Halderman is an assistant professor in the University of Michigan's Department of Electrical Engineering and Computer Science. At a hearing on May 7 in Washington, D.C., he will petition the U.S. Copyright Office for a three-year exemption from the Digital Millennium Copyright Act. The exemption would apply to all researchers and consumers, not just to Halderman.

"In the computer security community, we're interested in how digital rights management software impacts the security of consumers' personal computers," Halderman said.

"We have growing reason to suspect the software tends to create security problems. The Digital Millennium Copyright Act has had a chilling effect on our ability to investigate and test systems to find out what's really going on and protect users from any defects. The threat of lawsuits under the ambiguous law makes researchers shy away from studying these risky systems. This is the chief impetus for my petition."

Because the act prohibits tampering with copy protection, researchers like Halderman could run afoul of it as they investigate and suggest repairs for any problems. Such research could invite lawsuits. Halderman knows this first hand.

In 2003, SunnComm Technologies threatened to sue him after he discovered that the company's new digital rights management (often shortened to DRM) software was defective and easy to circumvent. The software was designed to bar CD buyers from copying songs and uploading them to the Internet. Halderman found that simply holding the shift key while inserting the CD into the computer prevented the computer from running the software, and gave users access to the audio files.

Halderman continued to study similar copy protection products. In 2005, he and other researchers found that copy-protected music CDs sold by Sony BMG installed software that opened major security holes in users' computers. In response to this concern, Sony released a patch that uninstalled the program, but Halderman discovered that the patch actually unlocked another way in for hackers.

Halderman is now petitioning the Copyright Office for two variances: one targeting digital rights management in video games that harms users' computers, and another targeting dangerous copy protection more broadly. The exemptions would enable researchers to test, investigate, and repair vulnerabilities in such software, and it would allow consumers to protect their computers by taking necessary corrective action.

If the Copyright Office grants these requests, Halderman plans to study the antipiracy software on Spore, a best-selling video game in which players control the evolution of a species. When installed on a computer, Spore installs a digital rights management program called SecuROM, which was developed by Sony. Some video game users have claimed that SecuROM disables critical security measures such as firewalls and antivirus software, opening their PCs to viruses, spyware, and other malware.

Three class-action suits have been filed on behalf of those who say they've been negatively affected by SecuROM in the video games Mass Effect, Spore, and Spore Creature Creator. Sony maintains that the program is safe, but Halderman worries that it has not been rigorously studied.

"In the larger context, security concerns of this type have a way of affecting everyone, not just those who experience security breaches or use media with digital rights management," Halderman said. "We all face inconvenience and risk when attackers use compromised systems to send spam and hijack machines to hide their tracks, for example."

Provided by University of Michigan (news : web)