The Security and Privacy in Your Car Act would establish new federal standards that better protect vehicles from remote takeovers by hackers and other breaches that expose their driving data. Introduced by Sen. Ed Markey (D-Mass.) and Sen. Richard Blumenthal (D-Conn.), the bill would also compel automakers to develop a rating system that lets car buyers know how the anti-hacking technology in one car measures up against the competition.
"Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data trackers," Blumenthal said. "This common-sense legislation protects the public against cyber criminals who exploit exciting advances in technology like self-driving and wireless connected cars."
His comments came hours after Mark Rosekind, administrator of the National Highway Traffic Safety Administration, issued the agency's most recent report on its efforts to thwart cyber attacks in vehicles. Speaking at a conference on autonomous vehicles, he said, "We know these systems will become targets for bad actors. They're a threat to privacy, safety, and public acceptance. We must reassure drivers their vehicles are secure from thieves and anyone else."
As if on cue, cyber-security researchers Chris Valasek and Charlie Miller released details of their latest findings Tuesday, in which they demonstrated they could remotely access and manipulate a 2014 Jeep Cherokee through a security flaw in the Sprint cellular connection to the vehicle's UConnect infotainment system. Through that connection, they controlled safety-critical vehicle functions like braking and the transmission.
The most frightening part of their research may not be the commandeering of the controls themselves, but the remote nature of the attack. Sitting in his home in Pittsburgh, Valasek manipulated the controls of Miller's Jeep as it traveled along a highway near St. Louis. They'll provide more details on their research at the DefCon conference in August.
Markey raised the possibility of such remote attacks in a report issued in February that was critical of the auto industry's readiness to prevent them. That report concluded only two manufacturers out of 16 surveyed had the capability to respond to a real-time infiltration.
"Drivers shouldn't have to choose between being connected and being protected," Markey said Tuesday. "We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles."
His legislation would ensure all access points in the car are equipped with "reasonable" measures to protect against hackers, including the isolation of critical software systems. It would also mandate that vehicles come equipped with technology that can detect, report and stop hacking attempts in real time.
Should it become law, the agencies responsible for implementing the standards would be the Federal Trade Commission and NHTSA. Rosekind said NHTSA is examining the scope of cyber vulnerabilities in vehicles. The agency opened the Electronic Systems Safety Research division to investigate potential problems in 2012, and Rosekind indicated the scope of the division's responsibilities will grow as a vehicle-to-vehicle communication system develops and autonomous technology proliferates.
He said the latest NHTSA report on cyber security details "our assessment of various threat factors and how we're looking to meet those threats. Lots of people are aware those challenges exist, but few people are aware of what NHTSA and others are doing."