WASHINGTON, D.C. — On the same day WIRED magazine posted an article and an accompaning video showing two hackers take control of a Jeep Cherokee using a cell signal and the vehicle’s entertainment system, two U.S. Senators introduced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish standards to secure cars and protect drivers’ privacy.
Championed by Senators Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.), the Security and Privacy in Your Car Act, or SPY Car, would also establish a rating system — or “cyber dashboard” — that informs consumers about how well the vehicle protects their security and privacy beyond minimum standards, among other things.
“Drivers shouldn’t have to choose between being connected and being protected,” said Sen. Markey. “We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.”
While the WIRED article and video served as a nice backdrop for the proposed legislation, Markey has been raising concerns about vehicle hacking since he released a report last year titled, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk.” It showed that only two of the 16 car companies had developed any capability to detect and respond to a hacking attack in real time. The report also noted that most customers aren’t aware that their information is being collected and sent to third parties.
The senators’ proposal would ask NHTSA to establish standards that would require vehicle OEMs to equip vehicles with reasonable measures to protect against hacking attacks, including isolating critical software systems. The two lawmakers also want the agencies to ensure that all collected information is secured to prevent unwanted access. They also want the NHTSA to require that OEMs equip vehicles with technology that can detect, report and stop hacking attempts in real time.
Additionally, the two lawmakers want the FTC to develop privacy standards for the collection, transmission, retention and use of the driving data collected. They also want the FTC to begin requiring that vehicle OEMs allow consumers to opt out of the data collection and retention without losing access to key features. Their legislation would ask the FTC to prohibit vehicle OEMs to use the data collected for marketing purposes without permission from consumers.
“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers,” said Sen. Blumenthal. “This common-sense legislation protects the public against cybercriminals who exploit exciting advances in technology like self-driving and wireless connected cars. Federal law must provide minimum standards and safeguards that keep hackers out of drivers’ private data lanes.”
In a video attached to the WIRED article, writer Andy Greenberg is shown driving along a St. Louis highway while hackers Charlie Miller and Chris Valasek assume control of different components, including the vehicle’s entertainment system, climate control system, brakes, steering wheel and accelerator. The hackers were even able to turn off the Jeep, leaving Greenberg unable to pull off the highway safely. The hackers also prevented Greenberg from turning on the hazard lights to warn other drivers.
While the two hackers deemed the Jeep Cherokee the most “hackable” vehicle they tested, they noted that Cadillac and Infiniti vehicles were also vulnerable. The two men plan to publish the details of their hack at the upcoming Black Hat conference in Las Vegas.
This wasn't the first time Miller and Valasek have demonstrated their hacking abilities. In a 2013 article published by Forbes, the duo demonstrated the ability to hack a Prius through the vehicle’s diagnostic port. But because they required a physical connection to access the vehicle, their ability to hack vehicles appeared limited.
Analysts at Kelly Blue Book and Autotrader weigh in on the WIRED story, noting that it reinforced the need for automakers to stay on top of cybersecurity.
“Technology offers a wide range of enhanced convenience for today’s new vehicle buyers, but it also offers the increasing potential for unauthorized access and control,” said Senior Analyst Karl Brauer. “Cyber-security is still a relatively new area of specialization for automakers, but it’s one they need to take seriously to ensure they are ahead of the curve.”
One analyst felt that this demonstration might cause people to be more cautious about autonomous vehicles. “Autotrader studies show that consumers are not ready to make the full jump to autonomous cars — in fact, 65% of those surveyed by Autotrader said they were dangerous,” said Michelle Krebs, another senior analyst at Autotrader. “This incident involving the hacked Jeep may only reinforce that notion further.”